
Formatting, plus routing checks that redirect users out of the admin menus when they are not an admin.

This commit is contained in:
mike12345567 2021-05-21 17:12:25 +01:00
parent 3c650fad56
commit a39b633c90
9 changed files with 50 additions and 10 deletions


@ -1,5 +1,12 @@
<script>
import { redirect } from "@roxi/routify"
import { Page } from "@budibase/bbui"
import { auth } from "../../../../../stores/portal"
// only admins allowed here
if (!$auth.isAdmin) {
$redirect("../../../portal")
}
</script>
<Page>
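Review bot: The guard at the `if (!$auth.isAdmin)` line runs once at component init, and per the auth-store hunk later in this commit `isAdmin` is `false` whenever `$user` is still `null`, so an admin whose session has not yet been loaded into the store would be redirected as a non-admin unless the store is guaranteed populated before this route renders; the same pattern appears in the other three page sections of this commit. Making it reactive and gating on a loaded user — `$: if ($auth.user && !$auth.isAdmin) $redirect("../../../portal")` — avoids that race, while the server-side `adminOnly` middleware stays the authoritative check and this guard is only navigation convenience. That intent is worth stating in place of `// only admins allowed here`, e.g. `// UI-only guard: the admin API routes enforce access via adminOnly`.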


@ -1,5 +1,12 @@
<script>
import { email } from "stores/portal"
import { redirect } from "@roxi/routify"
import { auth, email } from "stores/portal"
// only admins allowed here
if (!$auth.isAdmin) {
$redirect("../../../portal")
}
email.templates.fetch()
</script>
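Review bot: `email.templates.fetch()` still executes after `$redirect(...)` has been issued for a non-admin, since nothing stops the script once the redirect fires, so the templates request is made on behalf of a user this page is meant to turn away. If the fetch is meant to be admin-only, keep it in the other branch: `if (!$auth.isAdmin) { $redirect("../../../portal") } else { email.templates.fetch() }`. Whether the templates endpoint itself is protected server-side is not visible in this commit.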


@ -129,10 +129,10 @@
<div class="field">
<Label size="L">Administration access</Label>
<Toggle
text=""
value={$userFetch?.data?.admin?.global}
on:change={toggleAdminAccess}
disabled={toggleDisabled}
text=""
value={$userFetch?.data?.admin?.global}
on:change={toggleAdminAccess}
disabled={toggleDisabled}
/>
</div>
{/if}


@ -1,5 +1,12 @@
<script>
import { Page } from "@budibase/bbui"
import { auth } from "../../../../../stores/portal"
import { redirect } from "@roxi/routify"
// only admins allowed here
if (!$auth.isAdmin) {
$redirect("../../../portal")
}
</script>
<Page>


@ -1,4 +1,4 @@
<script>
import { goto } from "@roxi/routify"
$goto("./general")
$goto("./organisation")
</script>


@ -11,10 +11,16 @@
Dropzone,
notifications,
} from "@budibase/bbui"
import { organisation } from "stores/portal"
import { auth, organisation } from "stores/portal"
import { post } from "builderStore/api"
import analytics from "analytics"
import { writable } from "svelte/store"
import { redirect } from "@roxi/routify"
// only admins allowed here
if (!$auth.isAdmin) {
$redirect("../../portal")
}
const values = writable({
analytics: !analytics.disabled(),


@ -5,19 +5,27 @@ export function createAuthStore() {
const user = writable(null)
const store = derived(user, $user => {
let initials = null
let isAdmin = false
let isBuilder = false
if ($user) {
if ($user.firstName) {
initials = $user.firstName[0]
if ($user.lastName) {
initials += $user.lastName[0]
}
} else {
} else if ($user.email) {
initials = $user.email[0]
} else {
initials = "Unknown"
}
isAdmin = !!$user.admin?.global
isBuilder = !!$user.builder?.global
}
return {
user: $user,
initials,
isAdmin,
isBuilder,
}
})
@ -29,6 +37,7 @@ export function createAuthStore() {
user.set(null)
} else {
const json = await response.json()
console.log(json)
user.set(json)
}
},
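Review bot: `console.log(json)` in the second hunk writes the full user record from the response to the browser console; given the fields the first hunk reads from it (`email`, `admin`, `builder`), this looks like a debug leftover rather than intended logging and should be dropped before merge. In the first hunk, `isAdmin` and `isBuilder` are derived from `admin?.global` / `builder?.global` and default to `false` while `$user` is `null`, which callers of the store should know; suggest a comment above `isAdmin = !!$user.admin?.global` such as `// UI hints only: false until the user is fetched; server middleware enforces access`. createAuthStore begins before the first hunk.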


@ -56,7 +56,6 @@ router
)
.get("/api/admin/users", adminOnly, controller.fetch)
.delete("/api/admin/users/:id", adminOnly, controller.destroy)
.get("/api/admin/users/:id", adminOnly, controller.find)
.get("/api/admin/roles/:appId")
.post(
"/api/admin/users/invite",
@ -77,5 +76,7 @@ router
)
.post("/api/admin/users/init", controller.adminUser)
.get("/api/admin/users/self", controller.getSelf)
// admin endpoint but needs to come at end (blocks other endpoints otherwise)
.get("/api/admin/users/:id", adminOnly, controller.find)
module.exports = router
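Review bot: The access control on `/api/admin/users/:id` now depends on registration order: the moved line is correct only while it stays last, because `:id` matches any single segment, so any literal `GET /api/admin/users/...` route registered below it would be captured by `:id`, gated by `adminOnly` and dispatched to `controller.find`. The comment should state that consequence rather than just "needs to come at end", e.g. `// must stay last: ":id" matches any single segment, so literal /users/* routes below it would be shadowed`. As an aside, the context line `.get("/api/admin/roles/:appId")` appears to register a route with no handler, possibly clipped in rendering — worth confirming. The router chain begins before the first hunk.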


@ -1,5 +1,8 @@
module.exports = async (ctx, next) => {
if (!ctx.internal && (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)) {
if (
!ctx.internal &&
(!ctx.user || !ctx.user.admin || !ctx.user.admin.global)
) {
ctx.throw(403, "Admin user only endpoint.")
}
return next()