Merge pull request #13780 from Budibase/BUDI-8284/protect-writes-on-readonly-columns

Prevent write readonly view column

packages/server/src/api/routes/tests/viewV2.spec.ts

@@ -873,6 +873,27 @@ describe.each([
         expect(row.one).toBeUndefined()
         expect(row.two).toEqual("bar")
       })
+
+      it("can't persist readonly columns", async () => {
+        mocks.licenses.useViewReadonlyColumns()
+        const view = await config.api.viewV2.create({
+          tableId: table._id!,
+          name: generator.guid(),
+          schema: {
+            one: { visible: true, readonly: true },
+            two: { visible: true },
+          },
+        })
+        const row = await config.api.row.save(view.id, {
+          tableId: table!._id,
+          _viewId: view.id,
+          one: "foo",
+          two: "bar",
+        })
+
+        expect(row.one).toBeUndefined()
+        expect(row.two).toEqual("bar")
+      })
     })
 
     describe("patch", () => {
@@ -893,6 +914,33 @@ describe.each([
         expect(row.one).toEqual("foo")
         expect(row.two).toEqual("newBar")
       })
+
+      it("can't update readonly columns", async () => {
+        mocks.licenses.useViewReadonlyColumns()
+        const view = await config.api.viewV2.create({
+          tableId: table._id!,
+          name: generator.guid(),
+          schema: {
+            one: { visible: true, readonly: true },
+            two: { visible: true },
+          },
+        })
+        const newRow = await config.api.row.save(table._id!, {
+          one: "foo",
+          two: "bar",
+        })
+        await config.api.row.patch(view.id, {
+          tableId: table._id!,
+          _id: newRow._id!,
+          _rev: newRow._rev!,
+          one: "newFoo",
+          two: "newBar",
+        })
+
+        const row = await config.api.row.get(table._id!, newRow._id!)
+        expect(row.one).toEqual("foo")
+        expect(row.two).toEqual("newBar")
+      })
     })
 
     describe("destroy", () => {

packages/server/src/middleware/tests/trimViewRowInfo.spec.ts

@@ -144,8 +144,12 @@ describe("trimViewRowInfo middleware", () => {
       name: generator.guid(),
       tableId: table._id!,
       schema: {
-        name: {},
+        name: {
-        address: {},
+          visible: true,
+        },
+        address: {
+          visible: true,
+        },
       },
     })
 

packages/server/src/sdk/app/views/index.ts

@@ -104,7 +104,13 @@ export async function remove(viewId: string): Promise<ViewV2> {
 
 export function allowedFields(view: View | ViewV2) {
   return [
-    ...Object.keys(view?.schema || {}),
+    ...Object.keys(view?.schema || {}).filter(key => {
+      if (!isV2(view)) {
+        return true
+      }
+      const fieldSchema = view.schema![key]
+      return fieldSchema.visible && !fieldSchema.readonly
+    }),
     ...dbCore.CONSTANT_EXTERNAL_ROW_COLS,
     ...dbCore.CONSTANT_INTERNAL_ROW_COLS,
   ]