From 62579fab4e4c7de1f08a4a2dae584d726fd3673e Mon Sep 17 00:00:00 2001
From: Adria Navarro
Date: Mon, 21 Aug 2023 17:56:19 +0300
Subject: [PATCH] Check if resouce is allowed to change

---
 .../server/src/api/controllers/permission.ts | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/packages/server/src/api/controllers/permission.ts b/packages/server/src/api/controllers/permission.ts
index 6fbc9d6209..8314f29398 100644
--- a/packages/server/src/api/controllers/permission.ts
+++ b/packages/server/src/api/controllers/permission.ts
@@ -1,11 +1,12 @@
-import { permissions, roles, context } from "@budibase/backend-core"
+import { permissions, roles, context, HTTPError } from "@budibase/backend-core"
+import { UserCtx, Database, Role, PermissionLevel } from "@budibase/types" import { getRoleParams } from "../../db/utils" import { CURRENTLY_SUPPORTED_LEVELS, getBasePermissions, } from "../../utilities/security" import { removeFromArray } from "../../utilities"
-import { UserCtx, Database, Role } from "@budibase/types"
+import sdk from "../../sdk" const PermissionUpdateType = { REMOVE: "remove",
@@ -29,9 +30,21 @@ async function updatePermissionOnRole( roleId, resourceId, level,
- }: { roleId: string; resourceId: string; level: string },
+ }: { roleId: string; resourceId: string; level: PermissionLevel }, updateType: string ) {
+ const allowedAction = await sdk.permissions.resourceActionAllowed({ resourceId, level, })
+ if (!allowedAction.allowed) { throw new HTTPError( `You are not allowed to '${allowedAction.level}' the resource type '${allowedAction.resourceType}'`, 403 ) }
+ const db = context.getAppDB() const remove = updateType === PermissionUpdateType.REMOVE const isABuiltin = roles.isBuiltin(roleId)
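Review bot: The new guard in updatePermissionOnRole leans on the `level: PermissionLevel` annotation, but that type is erased at compile time and the value still arrives from the request as an arbitrary string, so an unrecognised level reaches `sdk.permissions.resourceActionAllowed` unvalidated; unless the remainder of the function (which continues past the hunk) already does so, reject it first with the allow-list this file already imports, e.g. `if (!CURRENTLY_SUPPORTED_LEVELS.includes(level)) { throw new HTTPError("Unsupported permission level", 400) }` (assuming CURRENTLY_SUPPORTED_LEVELS is the array its name suggests). How resourceActionAllowed behaves for an unknown level is not visible here, so treat that as something to confirm against the sdk rather than a known gap. The check also runs before updateType is consulted, so a disallowed resource type blocks removal as well as addition — the fail-closed choice, which is worth recording with a comment such as `// Authorise the requested level for this resource type before any DB access; applies to add and remove alike` so a later refactor does not "fix" it. As a style point, `updateType: string` could be narrowed to the PermissionUpdateType values the same way level was, with the same caveat that it is compile-time only.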