From 7a9a997d73e1b4d7f6b891fefe0fce3472db498c Mon Sep 17 00:00:00 2001
From: Adria Navarro
Date: Mon, 31 Jul 2023 10:38:31 +0200
Subject: [PATCH] Use middleware for checks
---
 packages/server/src/api/controllers/row/index.ts | 8 --------
 packages/server/src/api/routes/row.ts | 10 ++++++++++
 packages/server/src/middleware/guardViewRowInfo.ts | 12 ++++++++++++
 3 files changed, 22 insertions(+), 8 deletions(-)
 create mode 100644 packages/server/src/middleware/guardViewRowInfo.ts
diff --git a/packages/server/src/api/controllers/row/index.ts b/packages/server/src/api/controllers/row/index.ts
index 7c8af846b8..1bb9569c49 100644
--- a/packages/server/src/api/controllers/row/index.ts
+++ b/packages/server/src/api/controllers/row/index.ts
@@ -35,10 +35,6 @@ export async function patch(
 const tableId = utils.getTableId(ctx)
 const body = ctx.request.body
- if (body._viewId) {
- ctx.throw(400, "Table row endpoints cannot contain view info")
- }
-
 // if it doesn't have an _id then its save
 if (body && !body._id) {
 return save(ctx)
@@ -69,10 +65,6 @@ export const save = async (ctx: UserCtx) => {
 const tableId = utils.getTableId(ctx)
 const body = ctx.request.body
- if (body._viewId) {
- ctx.throw(400, "Table row endpoints cannot contain view info")
- }
-
 // if it has an ID already then its a patch
 if (body && body._id) {
 return patch(ctx as UserCtx)
diff --git a/packages/server/src/api/routes/row.ts b/packages/server/src/api/routes/row.ts
index a68a9065c7..179082d8de 100644
--- a/packages/server/src/api/routes/row.ts
+++ b/packages/server/src/api/routes/row.ts
@@ -4,6 +4,7 @@ import authorized from "../../middleware/authorized"
 import { paramResource, paramSubResource } from "../../middleware/resourceId"
 import { permissions } from "@budibase/backend-core"
 import { internalSearchValidator } from "./utils/validators"
+import guardViewRowInfo from "../../middleware/guardViewRowInfo"
 const { PermissionType, PermissionLevel } = permissions
 const router: Router = new Router()
@@ -174,6 +175,7 @@ router
 "/api/:tableId/rows",
 paramResource("tableId"),
 authorized(PermissionType.TABLE, PermissionLevel.WRITE),
+ guardViewRowInfo(),
 rowController.save
 )
 /**
@@ -188,6 +190,7 @@ router
 "/api/:tableId/rows",
 paramResource("tableId"),
 authorized(PermissionType.TABLE, PermissionLevel.WRITE),
+ guardViewRowInfo(),
 rowController.patch
 )
 /**
@@ -294,4 +297,11 @@ router
 * @apiSuccess {string} [_rev] If saving to an internal table a revision will also be returned.
 * @apiSuccess {object} body The contents of the row that was saved will be returned as well.
 */
+ .post(
+ "/api/v2/views/:viewId/rows",
+ paramResource("viewId"),
+ authorized(PermissionType.VIEW, PermissionLevel.WRITE),
+ rowController.views.save
+ )
+
 export default router
diff --git a/packages/server/src/middleware/guardViewRowInfo.ts b/packages/server/src/middleware/guardViewRowInfo.ts
new file mode 100644
index 0000000000..7a7413b760
--- /dev/null
+++ b/packages/server/src/middleware/guardViewRowInfo.ts
@@ -0,0 +1,12 @@
+import { Ctx, Row } from "@budibase/types"
+
+const checkNoViewData = async (ctx: Ctx) => {
+ if (ctx.request.body._viewId) {
+ ctx.throw(400, "Table row endpoints cannot contain view info")
+ }
+}
+
+export default () => async (ctx: any, next: any) => {
+ await checkNoViewData(ctx)
+ return next()
+}
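Review bot: With the check deleted from `rowController.save` and `rowController.patch`, the `_viewId` rejection now holds only for the two registrations that list `guardViewRowInfo()` (the `@@ -174` and `@@ -188` hunks of routes/row.ts). Any other route or internal caller that reaches those exported controller functions, none of which is visible in this diff, would accept a body carrying view info, so either confirm these are the only entry points or keep the assertion in the controller as a second layer. A one-line comment above each use, e.g. `// reject bodies carrying _viewId; view writes use /api/v2/views/:viewId/rows`, would record why the middleware must stay in the chain.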
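Review bot: The new `POST /api/v2/views/:viewId/rows` registration (the `@@ -294` hunk) authorizes against the `:viewId` path parameter, but nothing in the chain ties a `_viewId` supplied in the request body to that parameter. `rowController.views.save` is outside this diff; if it reads the view id from the body, a caller holding write permission on one view could name a different one, so a check such as `if (ctx.request.body?._viewId && ctx.request.body._viewId !== ctx.params.viewId) ctx.throw(400, "View id mismatch")` before the controller, or overwriting the body value from the path, would pin the write to the authorized resource. The route is also appended directly under an apidoc block whose `@apiSuccess` lines appear to belong to another endpoint, so it wants its own doc comment stating the required permission.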
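Review bot: In the new guardViewRowInfo.ts, `checkNoViewData` dereferences `ctx.request.body._viewId` without checking that a body exists; the controllers' own `body &&` tests suggest it can be empty, in which case this middleware would fail with a TypeError (a 500) instead of passing through, and `ctx.request.body?._viewId` avoids that. The test is also a truthiness test, so a present-but-falsy value such as `_viewId: ""` gets past the guard; `body != null && "_viewId" in body` is stricter if the intent is that the key must be absent. `Row` is imported but unused, `checkNoViewData` has no reason to be `async`, and the exported middleware is typed `(ctx: any, next: any)`; using `Ctx` and koa's `Next` keeps the type checker on this input-validation path.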