Merge pull request #11769 from Budibase/fix/BUDI-7258

Don't allow adding new users to user metadata table within apps
2024-07-21 06:05:52 +12:00 · 2023-09-19 16:02:40 +01:00 · 2023-09-19 16:02:40 +01:00 · 3588984af2
parent 51a43540dd e6378aad82
commit 3588984af2
3 changed files with 56 additions and 1 deletions
--- a/packages/server/src/api/controllers/row/index.ts
+++ b/packages/server/src/api/controllers/row/index.ts
@ -72,6 +72,11 @@ export const save = async (ctx: UserCtx<Row, Row>) => {
  const tableId = utils.getTableId(ctx)
  const body = ctx.request.body

+  // user metadata doesn't exist yet - don't allow creation
+  if (utils.isUserMetadataTable(tableId) && !body._rev) {
+    ctx.throw(400, "Cannot create new user entry.")
+  }
+
  // if it has an ID already then its a patch
  if (body && body._id) {
    return patch(ctx as UserCtx<PatchRowRequest, PatchRowResponse>)
--- a/packages/server/src/api/controllers/row/utils.ts
+++ b/packages/server/src/api/controllers/row/utils.ts
@ -146,3 +146,36 @@ export async function validate({
  }
  return { valid: Object.keys(errors).length === 0, errors }
 }
+
+// don't do a pure falsy check, as 0 is included
+// https://github.com/Budibase/budibase/issues/10118
+export function removeEmptyFilters(filters: SearchFilters) {
+  for (let filterField of NoEmptyFilterStrings) {
+    if (!filters[filterField]) {
+      continue
+    }
+
+    for (let filterType of Object.keys(filters)) {
+      if (filterType !== filterField) {
+        continue
+      }
+      // don't know which one we're checking, type could be anything
+      const value = filters[filterType] as unknown
+      if (typeof value === "object") {
+        for (let [key, value] of Object.entries(
+          filters[filterType] as object
+        )) {
+          if (value == null || value === "") {
+            // @ts-ignore
+            delete filters[filterField][key]
+          }
+        }
+      }
+    }
+  }
+  return filters
+}
+
+export function isUserMetadataTable(tableId: string) {
+  return tableId === InternalTables.USER_METADATA
+}
--- a/packages/server/src/api/routes/tests/row.spec.ts
+++ b/packages/server/src/api/routes/tests/row.spec.ts
@ -3,7 +3,7 @@ import { databaseTestProviders } from "../../../integrations/tests/utils"
 import tk from "timekeeper"
 import { outputProcessing } from "../../../utilities/rowProcessor"
 import * as setup from "./utilities"
-import { context, roles, tenancy } from "@budibase/backend-core"
+import { context, InternalTable, roles, tenancy } from "@budibase/backend-core"
 import { quotas } from "@budibase/pro"
 import {
  FieldType,
@ -1415,6 +1415,23 @@ describe.each([
        })
      })

+      isInternal &&
+        it("doesn't allow creating in user table", async () => {
+          const userTableId = InternalTable.USER_METADATA
+          const response = await config.api.row.save(
+            userTableId,
+            {
+              tableId: userTableId,
+              firstName: "Joe",
+              lastName: "Joe",
+              email: "joe@joe.com",
+              roles: {},
+            },
+            { expectStatus: 400 }
+          )
+          expect(response.message).toBe("Cannot create new user entry.")
+        })
+
      describe("permissions", () => {
        let viewId: string
        let tableId: string