Adding admin only endpoint, removing the ability to create/delete global users from the app server and adding a global self user update.

packages/server/src/api/controllers/row.js

@@ -167,11 +167,10 @@ exports.save = async function (ctx) {
     table,
   })
 
-  // TODO remove special user case in future
+  if (row.tableId === InternalTables.USER_METADATA && row._id) {
-  if (row.tableId === InternalTables.USER_METADATA) {
     // the row has been updated, need to put it into the ctx
     ctx.request.body = row
-    await userController.createMetadata(ctx)
+    await userController.updateMetadata(ctx)
     return
   }
 

packages/server/src/api/controllers/user.js

@@ -2,15 +2,10 @@ const CouchDB = require("../../db")
 const {
   generateUserMetadataID,
   getUserMetadataParams,
-  getGlobalIDFromUserMetadataID,
 } = require("../../db/utils")
 const { InternalTables } = require("../../db/utils")
-const { getRole, BUILTIN_ROLE_IDS } = require("@budibase/auth/roles")
+const { BUILTIN_ROLE_IDS } = require("@budibase/auth/roles")
-const {
+const { getGlobalUsers } = require("../../utilities/workerRequests")
-  getGlobalUsers,
-  saveGlobalUser,
-  deleteGlobalUser,
-} = require("../../utilities/workerRequests")
 const { getFullUser } = require("../../utilities/users")
 
 exports.fetchMetadata = async function (ctx) {
@@ -38,38 +33,6 @@ exports.fetchMetadata = async function (ctx) {
   ctx.body = users
 }
 
-exports.createMetadata = async function (ctx) {
-  const appId = ctx.appId
-  const db = new CouchDB(appId)
-  const { roleId } = ctx.request.body
-
-  if (ctx.request.body._id) {
-    return exports.updateMetadata(ctx)
-  }
-
-  // check role valid
-  const role = await getRole(appId, roleId)
-  if (!role) ctx.throw(400, "Invalid Role")
-
-  const globalUser = await saveGlobalUser(ctx, appId, ctx.request.body)
-
-  const user = {
-    ...globalUser,
-    _id: generateUserMetadataID(globalUser._id),
-    type: "user",
-    tableId: InternalTables.USER_METADATA,
-  }
-
-  const response = await db.post(user)
-  // for automations to make it obvious was successful
-  ctx.status = 200
-  ctx.body = {
-    _id: response.id,
-    _rev: response.rev,
-    email: ctx.request.body.email,
-  }
-}
-
 exports.updateSelfMetadata = async function (ctx) {
   // overwrite the ID with current users
   ctx.request.body._id = ctx.user._id
@@ -85,14 +48,13 @@ exports.updateMetadata = async function (ctx) {
   const appId = ctx.appId
   const db = new CouchDB(appId)
   const user = ctx.request.body
-  const globalUser = await saveGlobalUser(ctx, appId, {
+  // make sure to always remove global user props
-    ...user,
+  delete user.password
-    _id: getGlobalIDFromUserMetadataID(user._id),
+  delete user.roles
-  })
+  delete user.builder
   const metadata = {
-    ...globalUser,
     tableId: InternalTables.USER_METADATA,
-    _id: user._id || generateUserMetadataID(globalUser._id),
+    _id: user._id,
     _rev: user._rev,
   }
   ctx.body = await db.put(metadata)
@@ -100,7 +62,6 @@ exports.updateMetadata = async function (ctx) {
 
 exports.destroyMetadata = async function (ctx) {
   const db = new CouchDB(ctx.appId)
-  await deleteGlobalUser(ctx, getGlobalIDFromUserMetadataID(ctx.params.id))
   try {
     const dbUser = await db.get(ctx.params.id)
     await db.remove(dbUser._id, dbUser._rev)
@@ -108,7 +69,7 @@ exports.destroyMetadata = async function (ctx) {
     // error just means the global user has no config in this app
   }
   ctx.body = {
-    message: `User ${ctx.params.id} deleted.`,
+    message: `User metadata ${ctx.params.id} deleted.`,
   }
 }
 

packages/server/src/api/routes/user.js

@@ -25,12 +25,6 @@ router
     authorized(PermissionTypes.USER, PermissionLevels.WRITE),
     controller.updateMetadata
   )
-  .post(
-    "/api/users/metadata",
-    authorized(PermissionTypes.USER, PermissionLevels.WRITE),
-    usage,
-    controller.createMetadata
-  )
   .post(
     "/api/users/metadata/self",
     authorized(PermissionTypes.USER, PermissionLevels.WRITE),

packages/server/src/automations/actions.js

@@ -3,7 +3,6 @@ const sendSmtpEmail = require("./steps/sendSmtpEmail")
 const createRow = require("./steps/createRow")
 const updateRow = require("./steps/updateRow")
 const deleteRow = require("./steps/deleteRow")
-const createUser = require("./steps/createUser")
 const executeScript = require("./steps/executeScript")
 const executeQuery = require("./steps/executeQuery")
 const outgoingWebhook = require("./steps/outgoingWebhook")
@@ -20,7 +19,6 @@ const BUILTIN_ACTIONS = {
   CREATE_ROW: createRow.run,
   UPDATE_ROW: updateRow.run,
   DELETE_ROW: deleteRow.run,
-  CREATE_USER: createUser.run,
   OUTGOING_WEBHOOK: outgoingWebhook.run,
   EXECUTE_SCRIPT: executeScript.run,
   EXECUTE_QUERY: executeQuery.run,
@@ -31,7 +29,6 @@ const BUILTIN_DEFINITIONS = {
   CREATE_ROW: createRow.definition,
   UPDATE_ROW: updateRow.definition,
   DELETE_ROW: deleteRow.definition,
-  CREATE_USER: createUser.definition,
   OUTGOING_WEBHOOK: outgoingWebhook.definition,
   EXECUTE_SCRIPT: executeScript.definition,
   EXECUTE_QUERY: executeQuery.definition,

packages/server/src/automations/steps/createUser.js

@@ -1,90 +0,0 @@
-const roles = require("@budibase/auth/roles")
-const userController = require("../../api/controllers/user")
-const env = require("../../environment")
-const usage = require("../../utilities/usageQuota")
-
-module.exports.definition = {
-  description: "Create a new user",
-  tagline: "Create user {{inputs.email}}",
-  icon: "ri-user-add-line",
-  name: "Create User",
-  type: "ACTION",
-  stepId: "CREATE_USER",
-  inputs: {
-    roleId: roles.BUILTIN_ROLE_IDS.POWER,
-  },
-  schema: {
-    inputs: {
-      properties: {
-        email: {
-          type: "string",
-          customType: "email",
-          title: "Email",
-        },
-        password: {
-          type: "string",
-          title: "Password",
-        },
-        roleId: {
-          type: "string",
-          title: "Role",
-          enum: roles.BUILTIN_ROLE_ID_ARRAY,
-          pretty: roles.BUILTIN_ROLE_NAME_ARRAY,
-        },
-      },
-      required: ["email", "password", "roleId"],
-    },
-    outputs: {
-      properties: {
-        id: {
-          type: "string",
-          description: "The identifier of the new user",
-        },
-        revision: {
-          type: "string",
-          description: "The revision of the new user",
-        },
-        response: {
-          type: "object",
-          description: "The response from the user table",
-        },
-        success: {
-          type: "boolean",
-          description: "Whether the action was successful",
-        },
-      },
-      required: ["id", "revision", "success"],
-    },
-  },
-}
-
-module.exports.run = async function ({ inputs, appId, apiKey, emitter }) {
-  const { email, password, roleId } = inputs
-  const ctx = {
-    appId,
-    request: {
-      body: { email, password, roleId },
-    },
-    eventEmitter: emitter,
-  }
-
-  try {
-    if (env.isProd()) {
-      await usage.update(apiKey, usage.Properties.USER, 1)
-    }
-    await userController.createMetadata(ctx)
-    return {
-      response: ctx.body,
-      // internal property not returned through the API
-      id: ctx.body._id,
-      revision: ctx.body._rev,
-      success: ctx.status === 200,
-    }
-  } catch (err) {
-    console.error(err)
-    return {
-      success: false,
-      response: err,
-    }
-  }
-}

packages/worker/src/api/controllers/admin/users.js

@@ -96,6 +96,22 @@ exports.destroy = async ctx => {
   }
 }
 
+exports.self = async ctx => {
+  const db = new CouchDB(GLOBAL_DB)
+  const user = await db.get(ctx.user._id)
+  if (ctx.request.body.password) {
+    ctx.request.body.password = await hash(ctx.request.body.password)
+  }
+  const response = await db.put({
+    ...user,
+    ...ctx.request.body,
+  })
+  ctx.body = {
+    _id: response.id,
+    _rev: response.rev,
+  }
+}
+
 // called internally by app server user fetch
 exports.fetch = async ctx => {
   const db = new CouchDB(GLOBAL_DB)

packages/worker/src/api/routes/admin/configs.js

@@ -1,6 +1,7 @@
 const Router = require("@koa/router")
 const controller = require("../../controllers/admin/configs")
 const joiValidator = require("../../../middleware/joi-validator")
+const adminOnly = require("../../../middleware/adminOnly")
 const Joi = require("joi")
 const { Configs, ConfigUploads } = require("../../../constants")
 
@@ -76,6 +77,8 @@ function buildConfigGetValidation() {
   }).unknown(true).required())
 }
 
+router.use(adminOnly)
+
 router
   .post("/api/admin/configs", buildConfigSaveValidation(), controller.save)
   .delete("/api/admin/configs/:id", controller.destroy)

packages/worker/src/api/routes/admin/users.js

@@ -5,13 +5,12 @@ const Joi = require("joi")
 
 const router = Router()
 
-function buildUserSaveValidation() {
+function buildUserSaveValidation(isSelf = false) {
-  // prettier-ignore
+  let schema = {
-  return joiValidator.body(Joi.object({
-    _id: Joi.string(),
-    _rev: Joi.string(),
     email: Joi.string(),
     password: Joi.string().allow(null, ""),
+    firstName: Joi.string(),
+    lastName: Joi.string(),
     builder: Joi.object({
       global: Joi.boolean().optional(),
       apps: Joi.array().optional(),
@@ -21,7 +20,17 @@ function buildUserSaveValidation() {
       .pattern(/.*/, Joi.string())
       .required()
       .unknown(true)
-  }).required().unknown(true))
+  }
+  if (!isSelf) {
+    schema = {
+      ...schema,
+      _id: Joi.string(),
+      _rev: Joi.string(),
+    }
+  }
+  return joiValidator.body(Joi.object(schema)
+    .required()
+    .unknown(true))
 }
 
 function buildInviteValidation() {
@@ -39,10 +48,19 @@ function buildInviteAcceptValidation() {
   }).required().unknown(true))
 }
 
+function buildUpdateSelfValidation() {
+  // prettier-ignore
+  return joiValidator.body(Joi.object({
+    inviteCode: Joi.string().required(),
+    password: Joi.string().required(),
+  }).required().unknown(true))
+}
+
 router
   .post("/api/admin/users", buildUserSaveValidation(), controller.save)
   .get("/api/admin/users", controller.fetch)
   .post("/api/admin/users/init", controller.adminUser)
+  .post("/api/admin/users/self", buildUserSaveValidation(true), controller.self)
   .delete("/api/admin/users/:id", controller.destroy)
   .get("/api/admin/users/:id", controller.find)
   .get("/api/admin/roles/:appId")

packages/worker/src/middleware/adminOnly.js

@@ -0,0 +1,6 @@
+module.exports = async (ctx, next) => {
+  if (!ctx.user || !ctx.user.admin || !ctx.user.admin.global) {
+    ctx.throw(403, "Admin user only endpoint.")
+  }
+  return next()
+}