From 3576ca87be00e750f62af75e0473e05f3009754e Mon Sep 17 00:00:00 2001
From: Rory Powell
Date: Wed, 15 Sep 2021 15:45:43 +0100
Subject: [PATCH] Access controls for cloud, self, and regular budibase users
---
 packages/auth/src/cache/user.js | 6 +++--
 .../builder/src/pages/builder/_layout.svelte | 26 +++++++++++--------
 .../builder/src/pages/builder/auth/org.svelte | 3 ++-
 .../src/pages/builder/portal/_layout.svelte | 2 +-
 .../src/api/controllers/global/users.js | 8 +++---
 packages/worker/src/api/index.js | 5 +++-
 6 files changed, 30 insertions(+), 20 deletions(-)
diff --git a/packages/auth/src/cache/user.js b/packages/auth/src/cache/user.js
index 669192a905..2b2693ca01 100644
--- a/packages/auth/src/cache/user.js
+++ b/packages/auth/src/cache/user.js
@@ -6,8 +6,10 @@ const EXPIRY_SECONDS = 3600
 /**
 * The default populate user function
 */
-const populateFromDB = (userId, tenantId) => {
- return getGlobalDB(tenantId).get(userId)
+const populateFromDB = async (userId, tenantId) => {
+ const user = await getGlobalDB(tenantId).get(userId)
+ user.budibaseAccess = true
+ return user
 }
 /**
diff --git a/packages/builder/src/pages/builder/_layout.svelte b/packages/builder/src/pages/builder/_layout.svelte
index 0dbabb31d2..4b296854b6 100644
--- a/packages/builder/src/pages/builder/_layout.svelte
+++ b/packages/builder/src/pages/builder/_layout.svelte
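Review bot: `user.budibaseAccess = true` in `populateFromDB` is written directly onto the document returned by `getGlobalDB(tenantId).get(userId)`, so an authorization flag that exists only for the session now sits on the same object as the stored user record. If that object is ever saved back (not visible in this hunk, worth confirming against the callers), the flag would be persisted alongside real user data. Returning a copy keeps the two apart: `return { ...user, budibaseAccess: true }`. The doc comment above the function should also say that every user resolved from the global DB is granted the flag unconditionally, since the worker middleware changed later in this patch depends on it.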
@@ -6,31 +6,35 @@
 let loaded = false
 $: multiTenancyEnabled = $admin.multiTenancy
- $: hasAdminUser = $admin?.checklist?.adminUser.checked
+ $: hasAdminUser = $admin?.checklist?.adminUser?.checked
 $: tenantSet = $auth.tenantSet
+ $: cloud = $admin.cloud
 onMount(async () => {
- await admin.init()
 await auth.checkAuth()
+ await admin.init()
 loaded = true
 })
 $: {
- const apiReady = $admin.loaded && $auth.loaded
- // if tenant is not set go to it
- if (loaded && apiReady && multiTenancyEnabled && !tenantSet) {
- $redirect("./auth/org")
- }
- // Force creation of an admin user if one doesn't exist
- else if (loaded && apiReady && !hasAdminUser) {
- $redirect("./admin")
+ // We should never see the org or admin user creation screens in the cloud
+ if (!cloud) {
+ const apiReady = $admin.loaded && $auth.loaded
+ // if tenant is not set go to it
+ if (loaded && apiReady && multiTenancyEnabled && !tenantSet) {
+ $redirect("./auth/org")
+ }
+ // Force creation of an admin user if one doesn't exist
+ else if (loaded && apiReady && !hasAdminUser) {
+ $redirect("./admin")
+ }
 }
 }
 // Redirect to log in at any time if the user isn't authenticated
 $: {
 if (
 loaded &&
- hasAdminUser &&
+ (hasAdminUser || cloud) &&
 !$auth.user &&
 !$isActive("./auth") &&
 !$isActive("./invite")
diff --git a/packages/builder/src/pages/builder/auth/org.svelte b/packages/builder/src/pages/builder/auth/org.svelte
index 785cf05914..fea8831935 100644
--- a/packages/builder/src/pages/builder/auth/org.svelte
+++ b/packages/builder/src/pages/builder/auth/org.svelte
@@ -8,6 +8,7 @@
 let tenantId = get(auth).tenantSet ? get(auth).tenantId : ""
 $: multiTenancyEnabled = $admin.multiTenancy
+ $: cloud = $admin.cloud
 async function setOrg() {
 if (tenantId == null || tenantId === "") {
@@ -25,7 +26,7 @@
 onMount(async () => {
 await auth.checkQueryString()
- if (!multiTenancyEnabled) {
+ if (!multiTenancyEnabled || cloud) {
 $goto("../")
 } else {
 admin.unload()
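Review bot: The `if (!cloud)` block only stops this layout from redirecting to `./auth/org` and `./admin`; it does not stop those screens from being opened directly. `org.svelte` gets its own `cloud` check in this patch, but the admin-creation page is not touched here, so unless it is guarded elsewhere it still renders in cloud. Since these are client-side checks, the comment would be more accurate as `// Cloud: never redirect to org or admin-user creation; the worker must also reject those operations`. The `$: cloud = $admin.cloud` line also reads `$admin` without the `?.` used on the `hasAdminUser` line just above it; one form should be used for both.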
diff --git a/packages/builder/src/pages/builder/portal/_layout.svelte b/packages/builder/src/pages/builder/portal/_layout.svelte
index fa25fccde3..034481477e 100644
--- a/packages/builder/src/pages/builder/portal/_layout.svelte
+++ b/packages/builder/src/pages/builder/portal/_layout.svelte
@@ -60,7 +60,7 @@
 }
 // add link to account portal if the user has access
- if ($auth?.user?.account) {
+ if ($auth?.user?.accountPortalAccess) {
 menu = menu.concat([
 {
 title: "Account",
diff --git a/packages/worker/src/api/controllers/global/users.js b/packages/worker/src/api/controllers/global/users.js
index 13959273cd..415808bf86 100644
--- a/packages/worker/src/api/controllers/global/users.js
+++ b/packages/worker/src/api/controllers/global/users.js
@@ -197,10 +197,10 @@ exports.getSelf = async ctx => {
 // this will set the body
 await exports.find(ctx)
- // append the account portal session information if present
- if (ctx.user.account) {
- ctx.body.account = ctx.user.account
- }
+ // forward session information not found in db
+ ctx.body.account = ctx.user.account
+ ctx.body.budibaseAccess = ctx.user.budibaseAccess
+ ctx.body.accountPortalAccess = ctx.user.accountPortalAccess
 }
 exports.updateSelf = async ctx => {
diff --git a/packages/worker/src/api/index.js b/packages/worker/src/api/index.js
index 03e782688e..e3cc6efbc4 100644
--- a/packages/worker/src/api/index.js
+++ b/packages/worker/src/api/index.js
@@ -84,7 +84,10 @@ router
 .use(buildTenancyMiddleware(PUBLIC_ENDPOINTS, NO_TENANCY_ENDPOINTS))
 // for now no public access is allowed to worker (bar health check)
 .use((ctx, next) => {
- if (!ctx.isAuthenticated && !ctx.publicEndpoint) {
+ if (ctx.publicEndpoint) {
+ return next()
+ }
+ if (!ctx.isAuthenticated || !ctx.user.budibaseAccess) {
 ctx.throw(403, "Unauthorized - no public worker access")
 }
 return next()
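Review bot: In `getSelf`, the three `ctx.body.*` assignments put session-only authorization fields into the same object as the stored user profile, and `ctx.user.account` is forwarded whole rather than field by field. If the builder later posts this object back through `updateSelf` (its body is outside this hunk), `budibaseAccess`, `accountPortalAccess` and `account` could be written into the user document unless that handler strips them; that is worth confirming. The comment could record the intent: `// session-only fields: display hints for the client, never persisted and never trusted on input`. If the client needs only part of the account object, copying just those properties would limit what session data reaches the browser.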
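Review bot: `!ctx.user.budibaseAccess` is a truthiness test on a property set wherever `ctx.user` is populated, so this gate is only as strong as those population paths, and it reads `ctx.user` without checking that it exists. A stricter form fails closed on a missing user or a non-boolean value: `if (!ctx.isAuthenticated || !ctx.user || ctx.user.budibaseAccess !== true) {`. User entries cached before this patch (the cache in `packages/auth/src/cache/user.js` uses `EXPIRY_SECONDS = 3600`) presumably lack the flag and would get a 403 until they expire, so the rollout may need a cache flush. A comment naming which populators set `budibaseAccess` would help the next reader audit this check; the rest of the router chain is outside the hunk.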