budibase/packages/server/src/utilities/security/permissions.js

const { flatten } = require("lodash")
const { cloneDeep } = require("lodash/fp")

const PermissionLevels = {
  READ: "read",
  WRITE: "write",
  EXECUTE: "execute",
  ADMIN: "admin",
}

// these are the global types, that govern the underlying default behaviour
const PermissionTypes = {
  TABLE: "table",
  USER: "user",
  AUTOMATION: "automation",
  WEBHOOK: "webhook",
  BUILDER: "builder",
  VIEW: "view",
  QUERY: "query",
}

function Permission(type, level) {
  this.level = level
  this.type = type
}

function levelToNumber(perm) {
  switch (perm) {
    // not everything has execute privileges
    case PermissionLevels.EXECUTE:
      return 0
    case PermissionLevels.READ:
      return 1
    case PermissionLevels.WRITE:
      return 2
    case PermissionLevels.ADMIN:
      return 3
    default:
      return -1
  }
}

/**
 * Given the specified permission level for the user return the levels they are allowed to carry out.
 * @param {string} userPermLevel The permission level of the user.
 * @return {string[]} All the permission levels this user is allowed to carry out.
 */
function getAllowedLevels(userPermLevel) {
  switch (userPermLevel) {
    case PermissionLevels.EXECUTE:
      return [PermissionLevels.EXECUTE]
    case PermissionLevels.READ:
      return [PermissionLevels.EXECUTE, PermissionLevels.READ]
    case PermissionLevels.WRITE:
    case PermissionLevels.ADMIN:
      return [
        PermissionLevels.READ,
        PermissionLevels.WRITE,
        PermissionLevels.EXECUTE,
      ]
    default:
      return []
  }
}

exports.BUILTIN_PERMISSION_IDS = {
  PUBLIC: "public",
  READ_ONLY: "read_only",
  WRITE: "write",
  ADMIN: "admin",
  POWER: "power",
}

const BUILTIN_PERMISSIONS = {
  PUBLIC: {
    _id: exports.BUILTIN_PERMISSION_IDS.PUBLIC,
    name: "Public",
    permissions: [
      new Permission(PermissionTypes.WEBHOOK, PermissionLevels.EXECUTE),
    ],
  },
  READ_ONLY: {
    _id: exports.BUILTIN_PERMISSION_IDS.READ_ONLY,
    name: "Read only",
    permissions: [
      new Permission(PermissionTypes.QUERY, PermissionLevels.READ),
      new Permission(PermissionTypes.TABLE, PermissionLevels.READ),
      new Permission(PermissionTypes.VIEW, PermissionLevels.READ),
    ],
  },
  WRITE: {
    _id: exports.BUILTIN_PERMISSION_IDS.WRITE,
    name: "Read/Write",
    permissions: [
      new Permission(PermissionTypes.QUERY, PermissionLevels.WRITE),
      new Permission(PermissionTypes.TABLE, PermissionLevels.WRITE),
      new Permission(PermissionTypes.VIEW, PermissionLevels.READ),
    ],
  },
  POWER: {
    _id: exports.BUILTIN_PERMISSION_IDS.POWER,
    name: "Power",
    permissions: [
      new Permission(PermissionTypes.TABLE, PermissionLevels.WRITE),
      new Permission(PermissionTypes.USER, PermissionLevels.READ),
      new Permission(PermissionTypes.AUTOMATION, PermissionLevels.EXECUTE),
      new Permission(PermissionTypes.VIEW, PermissionLevels.READ),
      new Permission(PermissionTypes.WEBHOOK, PermissionLevels.READ),
    ],
  },
  ADMIN: {
    _id: exports.BUILTIN_PERMISSION_IDS.ADMIN,
    name: "Admin",
    permissions: [
      new Permission(PermissionTypes.TABLE, PermissionLevels.ADMIN),
      new Permission(PermissionTypes.USER, PermissionLevels.ADMIN),
      new Permission(PermissionTypes.AUTOMATION, PermissionLevels.ADMIN),
      new Permission(PermissionTypes.VIEW, PermissionLevels.ADMIN),
      new Permission(PermissionTypes.WEBHOOK, PermissionLevels.READ),
      new Permission(PermissionTypes.QUERY, PermissionLevels.ADMIN),
    ],
  },
}

exports.getBuiltinPermissions = () => {
  return cloneDeep(BUILTIN_PERMISSIONS)
}

exports.getBuiltinPermissionByID = (id) => {
  const perms = Object.values(BUILTIN_PERMISSIONS)
  return perms.find((perm) => perm._id === id)
}

exports.doesHaveResourcePermission = (
  permissions,
  permLevel,
  { resourceId, subResourceId }
) => {
  // set foundSub to not subResourceId, incase there is no subResource
  let foundMain = false,
    foundSub = false
  for (let [resource, level] of Object.entries(permissions)) {
    const levels = getAllowedLevels(level)
    if (resource === resourceId && levels.indexOf(permLevel) !== -1) {
      foundMain = true
    }
    if (
      subResourceId &&
      resource === subResourceId &&
      levels.indexOf(permLevel) !== -1
    ) {
      foundSub = true
    }
    // this will escape if foundMain only when no sub resource
    if (foundMain && foundSub) {
      break
    }
  }
  return foundMain || foundSub
}

exports.doesHaveBasePermission = (permType, permLevel, permissionIds) => {
  const builtins = Object.values(BUILTIN_PERMISSIONS)
  let permissions = flatten(
    builtins
      .filter((builtin) => permissionIds.indexOf(builtin._id) !== -1)
      .map((builtin) => builtin.permissions)
  )
  for (let permission of permissions) {
    if (
      permission.type === permType &&
      getAllowedLevels(permission.level).indexOf(permLevel) !== -1
    ) {
      return true
    }
  }
  return false
}

exports.higherPermission = (perm1, perm2) => {
  return levelToNumber(perm1) > levelToNumber(perm2) ? perm1 : perm2
}

exports.isPermissionLevelHigherThanRead = (level) => {
  return levelToNumber(level) > 1
}

// utility as a lot of things need simply the builder permission
exports.BUILDER = PermissionTypes.BUILDER
exports.PermissionTypes = PermissionTypes
exports.PermissionLevels = PermissionLevels
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`const { flatten } = require("lodash")`
Fixing an issue with RBAC, there was a mutable issue where a server builtin resource was getting updated, fixed this by not exposing the mutable structure, instead exposing a function which provides a new object everytime. 2021-02-13 09:34:54 +13:00			`const { cloneDeep } = require("lodash/fp")`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00
			`const PermissionLevels = {`
			`READ: "read",`
			`WRITE: "write",`
			`EXECUTE: "execute",`
			`ADMIN: "admin",`
			`}`

Initial work towards rbac. 2021-02-06 04:58:25 +13:00			`// these are the global types, that govern the underlying default behaviour`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`const PermissionTypes = {`
			`TABLE: "table",`
			`USER: "user",`
			`AUTOMATION: "automation",`
			`WEBHOOK: "webhook",`
			`BUILDER: "builder",`
			`VIEW: "view",`
switching between queries 2021-01-07 01:28:51 +13:00			`QUERY: "query",`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`}`

			`function Permission(type, level) {`
			`this.level = level`
			`this.type = type`
			`}`

Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`function levelToNumber(perm) {`
			`switch (perm) {`
			`// not everything has execute privileges`
			`case PermissionLevels.EXECUTE:`
			`return 0`
			`case PermissionLevels.READ:`
			`return 1`
			`case PermissionLevels.WRITE:`
			`return 2`
			`case PermissionLevels.ADMIN:`
			`return 3`
			`default:`
			`return -1`
			`}`
			`}`

WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`/**`
			`* Given the specified permission level for the user return the levels they are allowed to carry out.`
			`* @param {string} userPermLevel The permission level of the user.`
			`* @return {string[]} All the permission levels this user is allowed to carry out.`
			`*/`
			`function getAllowedLevels(userPermLevel) {`
			`switch (userPermLevel) {`
			`case PermissionLevels.EXECUTE:`
			`return [PermissionLevels.EXECUTE]`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`case PermissionLevels.READ:`
			`return [PermissionLevels.EXECUTE, PermissionLevels.READ]`
			`case PermissionLevels.WRITE:`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`case PermissionLevels.ADMIN:`
			`return [`
			`PermissionLevels.READ,`
			`PermissionLevels.WRITE,`
			`PermissionLevels.EXECUTE,`
			`]`
			`default:`
			`return []`
			`}`
			`}`

Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-03 06:08:25 +13:00			`exports.BUILTIN_PERMISSION_IDS = {`
Flipping RBAC implementation to use levels -> role for resource perms API and resource -> level -> role for full fetch (please note full fetch will only work for resources that have a custom permission in the system somewhere, everything else simply defaults to standard. 2021-02-12 07:13:09 +13:00			`PUBLIC: "public",`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`READ_ONLY: "read_only",`
			`WRITE: "write",`
Tests failing but starting to progress. 2020-11-13 06:06:55 +13:00			`ADMIN: "admin",`
			`POWER: "power",`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`}`

Fixing an issue with RBAC, there was a mutable issue where a server builtin resource was getting updated, fixed this by not exposing the mutable structure, instead exposing a function which provides a new object everytime. 2021-02-13 09:34:54 +13:00			`const BUILTIN_PERMISSIONS = {`
Flipping RBAC implementation to use levels -> role for resource perms API and resource -> level -> role for full fetch (please note full fetch will only work for resources that have a custom permission in the system somewhere, everything else simply defaults to standard. 2021-02-12 07:13:09 +13:00			`PUBLIC: {`
			`_id: exports.BUILTIN_PERMISSION_IDS.PUBLIC,`
			`name: "Public",`
			`permissions: [`
Linting. 2021-02-12 22:55:37 +13:00			`new Permission(PermissionTypes.WEBHOOK, PermissionLevels.EXECUTE),`
Flipping RBAC implementation to use levels -> role for resource perms API and resource -> level -> role for full fetch (please note full fetch will only work for resources that have a custom permission in the system somewhere, everything else simply defaults to standard. 2021-02-12 07:13:09 +13:00			`],`
			`},`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`READ_ONLY: {`
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-03 06:08:25 +13:00			`_id: exports.BUILTIN_PERMISSION_IDS.READ_ONLY,`
			`name: "Read only",`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`permissions: [`
type safe schema validation 2021-01-12 10:01:21 +13:00			`new Permission(PermissionTypes.QUERY, PermissionLevels.READ),`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`new Permission(PermissionTypes.TABLE, PermissionLevels.READ),`
			`new Permission(PermissionTypes.VIEW, PermissionLevels.READ),`
			`],`
			`},`
			`WRITE: {`
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-03 06:08:25 +13:00			`_id: exports.BUILTIN_PERMISSION_IDS.WRITE,`
			`name: "Read/Write",`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`permissions: [`
type safe schema validation 2021-01-12 10:01:21 +13:00			`new Permission(PermissionTypes.QUERY, PermissionLevels.WRITE),`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`new Permission(PermissionTypes.TABLE, PermissionLevels.WRITE),`
			`new Permission(PermissionTypes.VIEW, PermissionLevels.READ),`
			`],`
			`},`
Tests failing but starting to progress. 2020-11-13 06:06:55 +13:00			`POWER: {`
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-03 06:08:25 +13:00			`_id: exports.BUILTIN_PERMISSION_IDS.POWER,`
			`name: "Power",`
Tests failing but starting to progress. 2020-11-13 06:06:55 +13:00			`permissions: [`
			`new Permission(PermissionTypes.TABLE, PermissionLevels.WRITE),`
			`new Permission(PermissionTypes.USER, PermissionLevels.READ),`
			`new Permission(PermissionTypes.AUTOMATION, PermissionLevels.EXECUTE),`
			`new Permission(PermissionTypes.VIEW, PermissionLevels.READ),`
			`new Permission(PermissionTypes.WEBHOOK, PermissionLevels.READ),`
			`],`
			`},`
			`ADMIN: {`
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-03 06:08:25 +13:00			`_id: exports.BUILTIN_PERMISSION_IDS.ADMIN,`
			`name: "Admin",`
Tests failing but starting to progress. 2020-11-13 06:06:55 +13:00			`permissions: [`
			`new Permission(PermissionTypes.TABLE, PermissionLevels.ADMIN),`
			`new Permission(PermissionTypes.USER, PermissionLevels.ADMIN),`
			`new Permission(PermissionTypes.AUTOMATION, PermissionLevels.ADMIN),`
			`new Permission(PermissionTypes.VIEW, PermissionLevels.ADMIN),`
			`new Permission(PermissionTypes.WEBHOOK, PermissionLevels.READ),`
type safe schema validation 2021-01-12 10:01:21 +13:00			`new Permission(PermissionTypes.QUERY, PermissionLevels.ADMIN),`
Tests failing but starting to progress. 2020-11-13 06:06:55 +13:00			`],`
			`},`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`}`

Fixing an issue with RBAC, there was a mutable issue where a server builtin resource was getting updated, fixed this by not exposing the mutable structure, instead exposing a function which provides a new object everytime. 2021-02-13 09:34:54 +13:00			`exports.getBuiltinPermissions = () => {`
			`return cloneDeep(BUILTIN_PERMISSIONS)`
			`}`

lint:fix 2021-05-03 19:31:09 +12:00			`exports.getBuiltinPermissionByID = (id) => {`
Fixing an issue with RBAC, there was a mutable issue where a server builtin resource was getting updated, fixed this by not exposing the mutable structure, instead exposing a function which provides a new object everytime. 2021-02-13 09:34:54 +13:00			`const perms = Object.values(BUILTIN_PERMISSIONS)`
lint:fix 2021-05-03 19:31:09 +12:00			`return perms.find((perm) => perm._id === id)`
WIP - storing progress on RBAC changes. 2021-02-11 23:24:37 +13:00			`}`

Making use of the resourceId in the middleware package. 2021-02-09 06:52:22 +13:00			`exports.doesHaveResourcePermission = (`
			`permissions,`
			`permLevel,`
			`{ resourceId, subResourceId }`
			`) => {`
			`// set foundSub to not subResourceId, incase there is no subResource`
			`let foundMain = false,`
Fixing an issue discovered by test case. 2021-02-26 23:19:06 +13:00			`foundSub = false`
Making use of the resourceId in the middleware package. 2021-02-09 06:52:22 +13:00			`for (let [resource, level] of Object.entries(permissions)) {`
			`const levels = getAllowedLevels(level)`
			`if (resource === resourceId && levels.indexOf(permLevel) !== -1) {`
			`foundMain = true`
			`}`
			`if (`
			`subResourceId &&`
			`resource === subResourceId &&`
			`levels.indexOf(permLevel) !== -1`
			`) {`
			`foundSub = true`
			`}`
			`// this will escape if foundMain only when no sub resource`
			`if (foundMain && foundSub) {`
			`break`
			`}`
			`}`
Two character change, some API calls with sub resources and primary resources weren't working, should allow either the sub resource or the main resource to trigger allowance. 2021-02-26 23:06:02 +13:00			`return foundMain \|\| foundSub`
Making use of the resourceId in the middleware package. 2021-02-09 06:52:22 +13:00			`}`

			`exports.doesHaveBasePermission = (permType, permLevel, permissionIds) => {`
Fixing an issue with RBAC, there was a mutable issue where a server builtin resource was getting updated, fixed this by not exposing the mutable structure, instead exposing a function which provides a new object everytime. 2021-02-13 09:34:54 +13:00			`const builtins = Object.values(BUILTIN_PERMISSIONS)`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`let permissions = flatten(`
			`builtins`
lint:fix 2021-05-03 19:31:09 +12:00			`.filter((builtin) => permissionIds.indexOf(builtin._id) !== -1)`
			`.map((builtin) => builtin.permissions)`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`)`
			`for (let permission of permissions) {`
			`if (`
			`permission.type === permType &&`
			`getAllowedLevels(permission.level).indexOf(permLevel) !== -1`
			`) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`exports.higherPermission = (perm1, perm2) => {`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`return levelToNumber(perm1) > levelToNumber(perm2) ? perm1 : perm2`
			`}`

lint:fix 2021-05-03 19:31:09 +12:00			`exports.isPermissionLevelHigherThanRead = (level) => {`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`return levelToNumber(level) > 1`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`}`

WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-12 06:34:15 +13:00			`// utility as a lot of things need simply the builder permission`
			`exports.BUILDER = PermissionTypes.BUILDER`
			`exports.PermissionTypes = PermissionTypes`
			`exports.PermissionLevels = PermissionLevels`