Merge pull request #2614 from Budibase/feature/onboarding-backend

Access controls for cloud, self, and regular budibase users

packages/auth/src/cache/user.js

@@ -6,8 +6,10 @@ const EXPIRY_SECONDS = 3600
 /**
  * The default populate user function
  */
-const populateFromDB = (userId, tenantId) => {
+const populateFromDB = async (userId, tenantId) => {
-  return getGlobalDB(tenantId).get(userId)
+  const user = await getGlobalDB(tenantId).get(userId)
+  user.budibaseAccess = true
+  return user
 }
 
 /**

packages/builder/src/pages/builder/_layout.svelte

@@ -6,16 +6,19 @@
   let loaded = false
 
   $: multiTenancyEnabled = $admin.multiTenancy
-  $: hasAdminUser = $admin?.checklist?.adminUser.checked
+  $: hasAdminUser = $admin?.checklist?.adminUser?.checked
   $: tenantSet = $auth.tenantSet
+  $: cloud = $admin.cloud
 
   onMount(async () => {
-    await admin.init()
     await auth.checkAuth()
+    await admin.init()
     loaded = true
   })
 
   $: {
+    // We should never see the org or admin user creation screens in the cloud
+    if (!cloud) {
       const apiReady = $admin.loaded && $auth.loaded
       // if tenant is not set go to it
       if (loaded && apiReady && multiTenancyEnabled && !tenantSet) {
@@ -26,11 +29,12 @@
         $redirect("./admin")
       }
     }
+  }
   // Redirect to log in at any time if the user isn't authenticated
   $: {
     if (
       loaded &&
-      hasAdminUser &&
+      (hasAdminUser || cloud) &&
       !$auth.user &&
       !$isActive("./auth") &&
       !$isActive("./invite")

packages/builder/src/pages/builder/auth/org.svelte

@@ -8,6 +8,7 @@
 
   let tenantId = get(auth).tenantSet ? get(auth).tenantId : ""
   $: multiTenancyEnabled = $admin.multiTenancy
+  $: cloud = $admin.cloud
 
   async function setOrg() {
     if (tenantId == null || tenantId === "") {
@@ -25,7 +26,7 @@
 
   onMount(async () => {
     await auth.checkQueryString()
-    if (!multiTenancyEnabled) {
+    if (!multiTenancyEnabled || cloud) {
       $goto("../")
     } else {
       admin.unload()

packages/builder/src/pages/builder/portal/_layout.svelte

@@ -60,7 +60,7 @@
     }
 
     // add link to account portal if the user has access
-    if ($auth?.user?.account) {
+    if ($auth?.user?.accountPortalAccess) {
       menu = menu.concat([
         {
           title: "Account",

packages/worker/src/api/controllers/global/users.js

@@ -197,10 +197,10 @@ exports.getSelf = async ctx => {
   // this will set the body
   await exports.find(ctx)
 
-  // append the account portal session information if present
+  // forward session information not found in db
-  if (ctx.user.account) {
   ctx.body.account = ctx.user.account
-  }
+  ctx.body.budibaseAccess = ctx.user.budibaseAccess
+  ctx.body.accountPortalAccess = ctx.user.accountPortalAccess
 }
 
 exports.updateSelf = async ctx => {

packages/worker/src/api/index.js

@@ -84,7 +84,10 @@ router
   .use(buildTenancyMiddleware(PUBLIC_ENDPOINTS, NO_TENANCY_ENDPOINTS))
   // for now no public access is allowed to worker (bar health check)
   .use((ctx, next) => {
-    if (!ctx.isAuthenticated && !ctx.publicEndpoint) {
+    if (ctx.publicEndpoint) {
+      return next()
+    }
+    if (!ctx.isAuthenticated || !ctx.user.budibaseAccess) {
       ctx.throw(403, "Unauthorized - no public worker access")
     }
     return next()