From bc6660fd0ee6a818ccaa5df14ae6c4e4bde2d205 Mon Sep 17 00:00:00 2001
From: mike12345567 <me@michaeldrury.co.uk>
Date: Thu, 27 May 2021 14:53:41 +0100
Subject: [PATCH] Updating permissions to allow roles other than builder/admin
 to use apps properly.

---
 packages/auth/src/security/permissions.js       | 3 ---
 packages/server/src/api/routes/application.js   | 5 ++---
 packages/server/src/middleware/currentapp.js    | 8 +++++---
 packages/server/src/utilities/workerRequests.js | 7 +++++--
 4 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/packages/auth/src/security/permissions.js b/packages/auth/src/security/permissions.js
index 3b03ccb8ee..03fa5fa562 100644
--- a/packages/auth/src/security/permissions.js
+++ b/packages/auth/src/security/permissions.js
@@ -17,7 +17,6 @@ const PermissionTypes = {
   BUILDER: "builder",
   VIEW: "view",
   QUERY: "query",
-  APP: "app",
 }
 
 function Permission(type, level) {
@@ -87,7 +86,6 @@ const BUILTIN_PERMISSIONS = {
       new Permission(PermissionTypes.QUERY, PermissionLevels.READ),
       new Permission(PermissionTypes.TABLE, PermissionLevels.READ),
       new Permission(PermissionTypes.VIEW, PermissionLevels.READ),
-      new Permission(PermissionTypes.APP, PermissionLevels.READ),
     ],
   },
   WRITE: {
@@ -120,7 +118,6 @@ const BUILTIN_PERMISSIONS = {
       new Permission(PermissionTypes.VIEW, PermissionLevels.ADMIN),
       new Permission(PermissionTypes.WEBHOOK, PermissionLevels.READ),
       new Permission(PermissionTypes.QUERY, PermissionLevels.ADMIN),
-      new Permission(PermissionTypes.APP, PermissionLevels.ADMIN),
     ],
   },
 }
diff --git a/packages/server/src/api/routes/application.js b/packages/server/src/api/routes/application.js
index 51ac4335fd..22cb617cfa 100644
--- a/packages/server/src/api/routes/application.js
+++ b/packages/server/src/api/routes/application.js
@@ -1,16 +1,15 @@
 const Router = require("@koa/router")
 const controller = require("../controllers/application")
 const authorized = require("../../middleware/authorized")
-const { BUILDER, PermissionTypes, PermissionLevels } = require("@budibase/auth/permissions")
+const { BUILDER } = require("@budibase/auth/permissions")
 
 const router = Router()
 
 router
   .get("/api/applications/:appId/definition", controller.fetchAppDefinition)
-  .get("/api/applications", authorized(PermissionTypes.APP, PermissionLevels.READ), controller.fetch)
+  .get("/api/applications", controller.fetch)
   .get(
     "/api/applications/:appId/appPackage",
-    authorized(PermissionTypes.APP, PermissionLevels.READ),
     controller.fetchAppPackage
   )
   .put("/api/applications/:appId", authorized(BUILDER), controller.update)
diff --git a/packages/server/src/middleware/currentapp.js b/packages/server/src/middleware/currentapp.js
index f808403bac..d3c72fe83a 100644
--- a/packages/server/src/middleware/currentapp.js
+++ b/packages/server/src/middleware/currentapp.js
@@ -1,7 +1,7 @@
 const { getAppId, setCookie, getCookie } = require("@budibase/auth").utils
 const { Cookies } = require("@budibase/auth").constants
 const { getRole } = require("@budibase/auth/roles")
-const { getGlobalUsers } = require("../utilities/workerRequests")
+const { getGlobalUsers, getGlobalSelf } = require("../utilities/workerRequests")
 const { BUILTIN_ROLE_IDS } = require("@budibase/auth/roles")
 const { generateUserMetadataID } = require("../db/utils")
 
@@ -25,10 +25,11 @@ module.exports = async (ctx, next) => {
     requestAppId != null &&
     (appCookie == null ||
       requestAppId !== appCookie.appId ||
-      appCookie.roleId === BUILTIN_ROLE_IDS.PUBLIC)
+      appCookie.roleId === BUILTIN_ROLE_IDS.PUBLIC ||
+      !appCookie.roleId)
   ) {
     // Different App ID means cookie needs reset, or if the same public user has logged in
-    const globalUser = await getGlobalUsers(ctx, requestAppId, ctx.user._id)
+    const globalUser = await getGlobalSelf(ctx, requestAppId)
     updateCookie = true
     appId = requestAppId
     // retrieving global user gets the right role
@@ -51,6 +52,7 @@ module.exports = async (ctx, next) => {
       // override userID with metadata one
       _id: userId,
       userId,
+      roleId,
       role: await getRole(appId, roleId),
     }
   }
diff --git a/packages/server/src/utilities/workerRequests.js b/packages/server/src/utilities/workerRequests.js
index 49e24e5d60..d111293256 100644
--- a/packages/server/src/utilities/workerRequests.js
+++ b/packages/server/src/utilities/workerRequests.js
@@ -119,16 +119,19 @@ exports.getGlobalUsers = async (ctx, appId = null, globalId = null) => {
   return users
 }
 
-exports.getGlobalSelf = async ctx => {
+exports.getGlobalSelf = async (ctx, appId = null) => {
   const endpoint = `/api/admin/users/self`
   const response = await fetch(
     checkSlashesInUrl(env.WORKER_URL + endpoint),
     request(ctx, { method: "GET" })
   )
-  const json = await response.json()
+  let json = await response.json()
   if (json.status !== 200 && response.status !== 200) {
     ctx.throw(400, "Unable to get self globally.")
   }
+  if (appId) {
+    json = getAppRole(appId, json)
+  }
   return json
 }