From 55c7751dbbc6f96f66cc1b8d35d7561f797b528c Mon Sep 17 00:00:00 2001
From: Andrew Kingston <andrew@kingston.dev>
Date: Thu, 19 Sep 2024 15:12:03 +0100
Subject: [PATCH] Move permission updates into SDK

---
 .../server/src/api/controllers/permission.ts  | 107 ++----------------
 .../server/src/sdk/app/permissions/index.ts   | 102 ++++++++++++++++-
 packages/server/src/sdk/app/views/index.ts    |   5 +-
 3 files changed, 111 insertions(+), 103 deletions(-)

diff --git a/packages/server/src/api/controllers/permission.ts b/packages/server/src/api/controllers/permission.ts
index b75af88067..55b942686f 100644
--- a/packages/server/src/api/controllers/permission.ts
+++ b/packages/server/src/api/controllers/permission.ts
@@ -3,7 +3,6 @@ import {
   UserCtx,
   Database,
   Role,
-  PermissionLevel,
   GetResourcePermsResponse,
   ResourcePermissionInfo,
   GetDependantResourcesResponse,
@@ -12,107 +11,15 @@ import {
   RemovePermissionRequest,
   RemovePermissionResponse,
 } from "@budibase/types"
-import { getRoleParams } from "../../db/utils"
 import {
   CURRENTLY_SUPPORTED_LEVELS,
   getBasePermissions,
 } from "../../utilities/security"
-import { removeFromArray } from "../../utilities"
 import sdk from "../../sdk"
-
-export const enum PermissionUpdateType {
-  REMOVE = "remove",
-  ADD = "add",
-}
+import { PermissionUpdateType } from "../../sdk/app/permissions"
 
 const SUPPORTED_LEVELS = CURRENTLY_SUPPORTED_LEVELS
 
-// utility function to stop this repetition - permissions always stored under roles
-async function getAllDBRoles(db: Database) {
-  const body = await db.allDocs<Role>(
-    getRoleParams(null, {
-      include_docs: true,
-    })
-  )
-  return body.rows.map(row => row.doc!)
-}
-
-export async function updatePermissionOnRole(
-  {
-    roleId,
-    resourceId,
-    level,
-  }: { roleId: string; resourceId: string; level: PermissionLevel },
-  updateType: PermissionUpdateType
-) {
-  const db = context.getAppDB()
-  const remove = updateType === PermissionUpdateType.REMOVE
-  const isABuiltin = roles.isBuiltin(roleId)
-  const dbRoleId = roles.getDBRoleID(roleId)
-  const dbRoles = await getAllDBRoles(db)
-  const docUpdates: Role[] = []
-
-  // the permission is for a built in, make sure it exists
-  if (isABuiltin && !dbRoles.some(role => role._id === dbRoleId)) {
-    const builtin = roles.getBuiltinRoles()[roleId]
-    builtin._id = roles.getDBRoleID(builtin._id!)
-    dbRoles.push(builtin)
-  }
-
-  // now try to find any roles which need updated, e.g. removing the
-  // resource from another role and then adding to the new role
-  for (let role of dbRoles) {
-    let updated = false
-    const rolePermissions: Record<string, PermissionLevel[]> = role.permissions
-      ? role.permissions
-      : {}
-    // make sure its an array, also handle migrating
-    if (
-      !rolePermissions[resourceId] ||
-      !Array.isArray(rolePermissions[resourceId])
-    ) {
-      rolePermissions[resourceId] =
-        typeof rolePermissions[resourceId] === "string"
-          ? [rolePermissions[resourceId] as unknown as PermissionLevel]
-          : []
-    }
-    // handle the removal/updating the role which has this permission first
-    // the updating (role._id !== dbRoleId) is required because a resource/level can
-    // only be permitted in a single role (this reduces hierarchy confusion and simplifies
-    // the general UI for this, rather than needing to show everywhere it is used)
-    if (
-      (role._id !== dbRoleId || remove) &&
-      rolePermissions[resourceId].indexOf(level) !== -1
-    ) {
-      removeFromArray(rolePermissions[resourceId], level)
-      updated = true
-    }
-    // handle the adding, we're on the correct role, at it to this
-    if (!remove && role._id === dbRoleId) {
-      const set = new Set(rolePermissions[resourceId])
-      rolePermissions[resourceId] = [...set.add(level)]
-      updated = true
-    }
-    // handle the update, add it to bulk docs to perform at end
-    if (updated) {
-      role.permissions = rolePermissions
-      docUpdates.push(role)
-    }
-  }
-
-  const response = await db.bulkDocs(docUpdates)
-  return response.map(resp => {
-    const version = docUpdates.find(role => role._id === resp.id)?.version
-    const _id = roles.getExternalRoleID(resp.id, version)
-    return {
-      _id,
-      rev: resp.rev,
-      error: resp.error,
-      reason: resp.reason,
-    }
-  })
-}
-
 export function fetchBuiltin(ctx: UserCtx) {
   ctx.body = Object.values(permissions.getBuiltinPermissions())
 }
@@ -124,7 +31,7 @@ export function fetchLevels(ctx: UserCtx) {
 
 export async function fetch(ctx: UserCtx) {
   const db = context.getAppDB()
-  const dbRoles: Role[] = await getAllDBRoles(db)
+  const dbRoles: Role[] = await sdk.permissions.getAllDBRoles(db)
   let permissions: any = {}
   // create an object with structure role ID -> resource ID -> level
   for (let role of dbRoles) {
@@ -186,12 +93,18 @@ export async function getDependantResources(
 
 export async function addPermission(ctx: UserCtx<void, AddPermissionResponse>) {
   const params: AddPermissionRequest = ctx.params
-  ctx.body = await updatePermissionOnRole(params, PermissionUpdateType.ADD)
+  ctx.body = await sdk.permissions.updatePermissionOnRole(
+    params,
+    PermissionUpdateType.ADD
+  )
 }
 
 export async function removePermission(
   ctx: UserCtx<void, RemovePermissionResponse>
 ) {
   const params: RemovePermissionRequest = ctx.params
-  ctx.body = await updatePermissionOnRole(params, PermissionUpdateType.REMOVE)
+  ctx.body = await sdk.permissions.updatePermissionOnRole(
+    params,
+    PermissionUpdateType.REMOVE
+  )
 }
diff --git a/packages/server/src/sdk/app/permissions/index.ts b/packages/server/src/sdk/app/permissions/index.ts
index a6e81652ee..5f8882399b 100644
--- a/packages/server/src/sdk/app/permissions/index.ts
+++ b/packages/server/src/sdk/app/permissions/index.ts
@@ -1,22 +1,34 @@
-import { db, roles } from "@budibase/backend-core"
+import { db, roles, context } from "@budibase/backend-core"
 import {
   PermissionLevel,
   PermissionSource,
   VirtualDocumentType,
+  Role,
+  Database,
 } from "@budibase/types"
-import { extractViewInfoFromID, isViewID } from "../../../db/utils"
+import {
+  extractViewInfoFromID,
+  isViewID,
+  getRoleParams,
+} from "../../../db/utils"
 import {
   CURRENTLY_SUPPORTED_LEVELS,
   getBasePermissions,
 } from "../../../utilities/security"
 import sdk from "../../../sdk"
 import { isV2 } from "../views"
+import { removeFromArray } from "../../../utilities"
 
 type ResourcePermissions = Record<
   string,
   { role: string; type: PermissionSource }
 >
 
+export const enum PermissionUpdateType {
+  REMOVE = "remove",
+  ADD = "add",
+}
+
 export async function getInheritablePermissions(
   resourceId: string
 ): Promise<ResourcePermissions | undefined> {
@@ -100,3 +112,89 @@ export async function getDependantResources(
 
   return
 }
+
+export async function updatePermissionOnRole(
+  {
+    roleId,
+    resourceId,
+    level,
+  }: { roleId: string; resourceId: string; level: PermissionLevel },
+  updateType: PermissionUpdateType
+) {
+  const db = context.getAppDB()
+  const remove = updateType === PermissionUpdateType.REMOVE
+  const isABuiltin = roles.isBuiltin(roleId)
+  const dbRoleId = roles.getDBRoleID(roleId)
+  const dbRoles = await getAllDBRoles(db)
+  const docUpdates: Role[] = []
+
+  // the permission is for a built in, make sure it exists
+  if (isABuiltin && !dbRoles.some(role => role._id === dbRoleId)) {
+    const builtin = roles.getBuiltinRoles()[roleId]
+    builtin._id = roles.getDBRoleID(builtin._id!)
+    dbRoles.push(builtin)
+  }
+
+  // now try to find any roles which need updated, e.g. removing the
+  // resource from another role and then adding to the new role
+  for (let role of dbRoles) {
+    let updated = false
+    const rolePermissions: Record<string, PermissionLevel[]> = role.permissions
+      ? role.permissions
+      : {}
+    // make sure its an array, also handle migrating
+    if (
+      !rolePermissions[resourceId] ||
+      !Array.isArray(rolePermissions[resourceId])
+    ) {
+      rolePermissions[resourceId] =
+        typeof rolePermissions[resourceId] === "string"
+          ? [rolePermissions[resourceId] as unknown as PermissionLevel]
+          : []
+    }
+    // handle the removal/updating the role which has this permission first
+    // the updating (role._id !== dbRoleId) is required because a resource/level can
+    // only be permitted in a single role (this reduces hierarchy confusion and simplifies
+    // the general UI for this, rather than needing to show everywhere it is used)
+    if (
+      (role._id !== dbRoleId || remove) &&
+      rolePermissions[resourceId].indexOf(level) !== -1
+    ) {
+      removeFromArray(rolePermissions[resourceId], level)
+      updated = true
+    }
+    // handle the adding, we're on the correct role, at it to this
+    if (!remove && role._id === dbRoleId) {
+      const set = new Set(rolePermissions[resourceId])
+      rolePermissions[resourceId] = [...set.add(level)]
+      updated = true
+    }
+    // handle the update, add it to bulk docs to perform at end
+    if (updated) {
+      role.permissions = rolePermissions
+      docUpdates.push(role)
+    }
+  }
+
+  const response = await db.bulkDocs(docUpdates)
+  return response.map(resp => {
+    const version = docUpdates.find(role => role._id === resp.id)?.version
+    const _id = roles.getExternalRoleID(resp.id, version)
+    return {
+      _id,
+      rev: resp.rev,
+      error: resp.error,
+      reason: resp.reason,
+    }
+  })
+}
+
+// utility function to stop this repetition - permissions always stored under roles
+export async function getAllDBRoles(db: Database) {
+  const body = await db.allDocs<Role>(
+    getRoleParams(null, {
+      include_docs: true,
+    })
+  )
+  return body.rows.map(row => row.doc!)
+}
diff --git a/packages/server/src/sdk/app/views/index.ts b/packages/server/src/sdk/app/views/index.ts
index c580bfde50..47af484ebc 100644
--- a/packages/server/src/sdk/app/views/index.ts
+++ b/packages/server/src/sdk/app/views/index.ts
@@ -23,10 +23,7 @@ import { isExternalTableID } from "../../../integrations/utils"
 import * as internal from "./internal"
 import * as external from "./external"
 import sdk from "../../../sdk"
-import {
-  updatePermissionOnRole,
-  PermissionUpdateType,
-} from "src/api/controllers/permission"
+import { updatePermissionOnRole, PermissionUpdateType } from "../permissions"
 
 function pickApi(tableId: any) {
   if (isExternalTableID(tableId)) {