Merge branch 'feature/security-update' of github.com:Budibase/budibase into feature/page-refactor

packages/builder/cypress/support/commands.js

@@ -111,7 +111,7 @@ Cypress.Commands.add("addRow", values => {
   })
 })
 
-Cypress.Commands.add("createUser", (username, password, accessLevel) => {
+Cypress.Commands.add("createUser", (username, password, role) => {
   // Create User
   cy.contains("Users").click()
 
@@ -126,7 +126,7 @@ Cypress.Commands.add("createUser", (username, password, accessLevel) => {
       .type(username)
     cy.get("select")
       .first()
-      .select(accessLevel)
+      .select(role)
 
     // Save
     cy.get(".buttons")

packages/builder/src/builderStore/store/screenTemplates/utils/Screen.js

@@ -18,7 +18,7 @@ export class Screen extends BaseStructure {
       },
       routing: {
         route: "",
-        accessLevelId: "",
+        roleId: "",
       },
       name: "screen-id",
     }

packages/builder/src/components/start/CreateAppModal.svelte

@@ -56,9 +56,7 @@
       password: string().required(
         "Please enter a password for your first user."
       ),
-      accessLevelId: string().required(
-        "You need to select an access level for your user."
-      ),
+      roleId: string().required("You need to select a role for your user."),
     },
   ]
 
@@ -79,9 +77,7 @@
 
   if (hasKey) {
     validationSchemas.shift()
-    validationSchemas = validationSchemas
     steps.shift()
-    steps = steps
   }
 
   // Handles form navigation
@@ -166,7 +162,7 @@
         name: $createAppStore.values.username,
         username: $createAppStore.values.username,
         password: $createAppStore.values.password,
-        accessLevelId: $createAppStore.values.accessLevelId,
+        roleId: $createAppStore.values.roleId,
       }
       const userResp = await api.post(`/api/users`, user)
       const json = await userResp.json()

packages/builder/src/components/start/Steps/User.svelte

@@ -21,7 +21,7 @@
     placeholder="Password"
     type="password"
     error={blurred.password && validationErrors.password} />
-  <Select label="Access Level" secondary name="accessLevelId">
+  <Select label="Role" secondary name="roleId">
     <option value="ADMIN">Admin</option>
     <option value="POWER_USER">Power User</option>
   </Select>

packages/builder/src/components/userInterface/NewScreenModal.svelte

@@ -70,7 +70,7 @@
     draftScreen.props._instanceName = name
     draftScreen.props._component = baseComponent
     // TODO: need to fix this up correctly
-    draftScreen.routing = { route, accessLevelId: "ADMIN" }
+    draftScreen.routing = { route, roleId: "ADMIN" }
 
     await store.actions.screens.create(draftScreen)
     if (createLink) {

packages/builder/src/constants/index.js

@@ -10,7 +10,7 @@ export const FrontendTypes = {
 }
 
 // fields on the user table that cannot be edited
-export const UNEDITABLE_USER_FIELDS = ["username", "password", "accessLevelId"]
+export const UNEDITABLE_USER_FIELDS = ["username", "password", "roleId"]
 
 export const DEFAULT_LAYOUTS = {
   main: {

packages/server/.vscode/launch.json

@@ -52,9 +52,9 @@
       {
         "type": "node",
         "request": "launch",
-        "name": "Jest - Access Levels",
+        "name": "Jest - Roles",
         "program": "${workspaceFolder}/node_modules/.bin/jest",
-        "args": ["accesslevel.spec", "--runInBand"],
+        "args": ["role.spec", "--runInBand"],
         "console": "integratedTerminal",
         "internalConsoleOptions": "neverOpen",
         "disableOptimisticBPs": true,

packages/server/src/api/controllers/accesslevel.js

@@ -1,52 +0,0 @@
-const CouchDB = require("../../db")
-const {
-  BUILTIN_LEVELS,
-  AccessLevel,
-  getAccessLevel,
-} = require("../../utilities/security/accessLevels")
-const {
-  generateAccessLevelID,
-  getAccessLevelParams,
-} = require("../../db/utils")
-
-exports.fetch = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
-  const body = await db.allDocs(
-    getAccessLevelParams(null, {
-      include_docs: true,
-    })
-  )
-  const customAccessLevels = body.rows.map(row => row.doc)
-
-  const staticAccessLevels = [BUILTIN_LEVELS.ADMIN, BUILTIN_LEVELS.POWER]
-  ctx.body = [...staticAccessLevels, ...customAccessLevels]
-}
-
-exports.find = async function(ctx) {
-  ctx.body = await getAccessLevel(ctx.user.appId, ctx.params.levelId)
-}
-
-exports.save = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
-
-  let id = ctx.request.body._id || generateAccessLevelID()
-  const level = new AccessLevel(
-    id,
-    ctx.request.body.name,
-    ctx.request.body.inherits
-  )
-  if (ctx.request.body._rev) {
-    level._rev = ctx.request.body._rev
-  }
-  const result = await db.put(level)
-  level._rev = result.rev
-  ctx.body = level
-  ctx.message = `Access Level '${level.name}' created successfully.`
-}
-
-exports.destroy = async function(ctx) {
-  const db = new CouchDB(ctx.user.appId)
-  await db.remove(ctx.params.levelId, ctx.params.rev)
-  ctx.message = `Access Level ${ctx.params.id} deleted successfully`
-  ctx.status = 200
-}

packages/server/src/api/controllers/application.js

@@ -20,9 +20,9 @@ const {
   generateScreenID,
 } = require("../../db/utils")
 const {
-  BUILTIN_LEVEL_IDS,
+  BUILTIN_ROLE_IDS,
   AccessController,
-} = require("../../utilities/security/accessLevels")
+} = require("../../utilities/security/roles")
 const {
   downloadExtractComponentLibraries,
 } = require("../../utilities/createAppPackage")
@@ -56,10 +56,10 @@ async function getScreens(db) {
   ).rows.map(row => row.doc)
 }
 
-function getUserAccessLevelId(ctx) {
-  return !ctx.user.accessLevel || !ctx.user.accessLevel._id
-    ? BUILTIN_LEVEL_IDS.PUBLIC
-    : ctx.user.accessLevel._id
+function getUserRoleId(ctx) {
+  return !ctx.user.role || !ctx.user.role._id
+    ? BUILTIN_ROLE_IDS.PUBLIC
+    : ctx.user.role._id
 }
 
 async function createInstance(template) {
@@ -111,11 +111,11 @@ exports.fetch = async function(ctx) {
 exports.fetchAppDefinition = async function(ctx) {
   const db = new CouchDB(ctx.params.appId)
   const layouts = await getLayouts(db)
-  const userAccessLevelId = getUserAccessLevelId(ctx)
+  const userRoleId = getUserRoleId(ctx)
   const accessController = new AccessController(ctx.params.appId)
   const screens = accessController.checkScreensAccess(
     await getScreens(db),
-    userAccessLevelId
+    userRoleId
   )
   ctx.body = {
     layouts,

packages/server/src/api/controllers/auth.js

@@ -32,7 +32,7 @@ exports.authenticate = async ctx => {
   if (await bcrypt.compare(password, dbUser.password)) {
     const payload = {
       userId: dbUser._id,
-      accessLevelId: dbUser.accessLevelId,
+      roleId: dbUser.roleId,
       version: app.version,
       permissions: dbUser.permissions || [],
     }

packages/server/src/api/controllers/role.js

@@ -0,0 +1,45 @@
+const CouchDB = require("../../db")
+const {
+  BUILTIN_ROLES,
+  Role,
+  getRole,
+} = require("../../utilities/security/roles")
+const { generateRoleID, getRoleParams } = require("../../db/utils")
+
+exports.fetch = async function(ctx) {
+  const db = new CouchDB(ctx.user.appId)
+  const body = await db.allDocs(
+    getRoleParams(null, {
+      include_docs: true,
+    })
+  )
+  const customRoles = body.rows.map(row => row.doc)
+
+  const staticRoles = [BUILTIN_ROLES.ADMIN, BUILTIN_ROLES.POWER]
+  ctx.body = [...staticRoles, ...customRoles]
+}
+
+exports.find = async function(ctx) {
+  ctx.body = await getRole(ctx.user.appId, ctx.params.roleId)
+}
+
+exports.save = async function(ctx) {
+  const db = new CouchDB(ctx.user.appId)
+
+  let id = ctx.request.body._id || generateRoleID()
+  const role = new Role(id, ctx.request.body.name, ctx.request.body.inherits)
+  if (ctx.request.body._rev) {
+    role._rev = ctx.request.body._rev
+  }
+  const result = await db.put(role)
+  role._rev = result.rev
+  ctx.body = role
+  ctx.message = `Role '${role.name}' created successfully.`
+}
+
+exports.destroy = async function(ctx) {
+  const db = new CouchDB(ctx.user.appId)
+  await db.remove(ctx.params.roleId, ctx.params.rev)
+  ctx.message = `Role ${ctx.params.id} deleted successfully`
+  ctx.status = 200
+}

packages/server/src/api/controllers/routing.js

@@ -1,8 +1,8 @@
 const { getRoutingInfo } = require("../../utilities/routing")
 const {
-  getUserAccessLevelHierarchy,
-  BUILTIN_LEVEL_IDS,
-} = require("../../utilities/security/accessLevels")
+  getUserRoleHierarchy,
+  BUILTIN_ROLE_IDS,
+} = require("../../utilities/security/roles")
 
 const URL_SEPARATOR = "/"
 
@@ -33,15 +33,15 @@ Routing.prototype.getScreensProp = function(fullpath) {
   return this.json[topLevel].subpaths[fullpath].screens
 }
 
-Routing.prototype.addScreenId = function(fullpath, accessLevel, screenId) {
-  this.getScreensProp(fullpath)[accessLevel] = screenId
+Routing.prototype.addScreenId = function(fullpath, roleId, screenId) {
+  this.getScreensProp(fullpath)[roleId] = screenId
 }
 
 /**
  * Gets the full routing structure by querying the routing view and processing the result into the tree.
  * @param {string} appId The application to produce the routing structure for.
  * @returns {Promise<object>} The routing structure, this is the full structure designed for use in the builder,
- * if the client routing is required then the updateRoutingStructureForUserLevel should be used.
+ * if the client routing is required then the updateRoutingStructureForUserRole should be used.
  */
 async function getRoutingStructure(appId) {
   const screenRoutes = await getRoutingInfo(appId)
@@ -49,8 +49,8 @@ async function getRoutingStructure(appId) {
 
   for (let screenRoute of screenRoutes) {
     let fullpath = screenRoute.routing.route
-    const accessLevel = screenRoute.routing.accessLevelId
-    routing.addScreenId(fullpath, accessLevel, screenRoute.id)
+    const roleId = screenRoute.routing.roleId
+    routing.addScreenId(fullpath, roleId, screenRoute.id)
   }
 
   return { routes: routing.json }
@@ -62,29 +62,26 @@ exports.fetch = async ctx => {
 
 exports.clientFetch = async ctx => {
   const routing = await getRoutingStructure(ctx.appId)
-  let accessLevelId = ctx.user.accessLevel._id
+  let roleId = ctx.user.role._id
   // builder is a special case, always return the full routing structure
-  if (accessLevelId === BUILTIN_LEVEL_IDS.BUILDER) {
-    accessLevelId = BUILTIN_LEVEL_IDS.ADMIN
+  if (roleId === BUILTIN_ROLE_IDS.BUILDER) {
+    roleId = BUILTIN_ROLE_IDS.ADMIN
   }
-  const accessLevelIds = await getUserAccessLevelHierarchy(
-    ctx.appId,
-    accessLevelId
-  )
+  const roleIds = await getUserRoleHierarchy(ctx.appId, roleId)
   for (let topLevel of Object.values(routing.routes)) {
     for (let subpathKey of Object.keys(topLevel.subpaths)) {
       let found = false
       const subpath = topLevel.subpaths[subpathKey]
-      const accessLevelOptions = Object.keys(subpath.screens)
-      if (accessLevelOptions.length === 1 && !accessLevelOptions[0]) {
-        subpath.screenId = subpath.screens[accessLevelOptions[0]]
-        subpath.accessLevelId = BUILTIN_LEVEL_IDS.BASIC
+      const roleOptions = Object.keys(subpath.screens)
+      if (roleOptions.length === 1 && !roleOptions[0]) {
+        subpath.screenId = subpath.screens[roleOptions[0]]
+        subpath.roleId = BUILTIN_ROLE_IDS.BASIC
         found = true
       } else {
-        for (let levelId of accessLevelIds) {
-          if (accessLevelOptions.indexOf(levelId) !== -1) {
-            subpath.screenId = subpath.screens[levelId]
-            subpath.accessLevelId = levelId
+        for (let roleId of roleIds) {
+          if (roleOptions.indexOf(roleId) !== -1) {
+            subpath.screenId = subpath.screens[roleId]
+            subpath.roleId = roleId
             found = true
             break
           }

packages/server/src/api/controllers/screen.js

@@ -1,6 +1,6 @@
 const CouchDB = require("../../db")
 const { getScreenParams, generateScreenID } = require("../../db/utils")
-const { AccessController } = require("../../utilities/security/accessLevels")
+const { AccessController } = require("../../utilities/security/roles")
 
 exports.fetch = async ctx => {
   const appId = ctx.user.appId
@@ -16,7 +16,7 @@ exports.fetch = async ctx => {
 
   ctx.body = await new AccessController(appId).checkScreensAccess(
     screens,
-    ctx.user.accessLevel._id
+    ctx.user.role._id
   )
 }
 

packages/server/src/api/controllers/user.js

@@ -1,9 +1,7 @@
 const CouchDB = require("../../db")
 const bcrypt = require("../../utilities/bcrypt")
 const { generateUserID, getUserParams, ViewNames } = require("../../db/utils")
-const {
-  BUILTIN_LEVEL_ID_ARRAY,
-} = require("../../utilities/security/accessLevels")
+const { BUILTIN_ROLE_ID_ARRAY } = require("../../utilities/security/roles")
 const {
   BUILTIN_PERMISSION_NAMES,
 } = require("../../utilities/security/permissions")
@@ -20,21 +18,15 @@ exports.fetch = async function(ctx) {
 
 exports.create = async function(ctx) {
   const db = new CouchDB(ctx.user.appId)
-  const {
-    username,
-    password,
-    name,
-    accessLevelId,
-    permissions,
-  } = ctx.request.body
+  const { username, password, name, roleId, permissions } = ctx.request.body
 
   if (!username || !password) {
     ctx.throw(400, "Username and Password Required.")
   }
 
-  const accessLevel = await checkAccessLevel(db, accessLevelId)
+  const role = await checkRole(db, roleId)
 
-  if (!accessLevel) ctx.throw(400, "Invalid Access Level")
+  if (!role) ctx.throw(400, "Invalid Role")
 
   const user = {
     _id: generateUserID(username),
@@ -42,7 +34,7 @@ exports.create = async function(ctx) {
     password: await bcrypt.hash(password),
     name: name || username,
     type: "user",
-    accessLevelId,
+    roleId,
     permissions: permissions || [BUILTIN_PERMISSION_NAMES.POWER],
     tableId: ViewNames.USERS,
   }
@@ -97,14 +89,14 @@ exports.find = async function(ctx) {
   }
 }
 
-const checkAccessLevel = async (db, accessLevelId) => {
-  if (!accessLevelId) return
-  if (BUILTIN_LEVEL_ID_ARRAY.indexOf(accessLevelId) !== -1) {
+const checkRole = async (db, roleId) => {
+  if (!roleId) return
+  if (BUILTIN_ROLE_ID_ARRAY.indexOf(roleId) !== -1) {
     return {
-      _id: accessLevelId,
-      name: accessLevelId,
+      _id: roleId,
+      name: roleId,
       permissions: [],
     }
   }
-  return await db.get(accessLevelId)
+  return await db.get(roleId)
 }

packages/server/src/api/routes/accesslevel.js

@@ -1,18 +0,0 @@
-const Router = require("@koa/router")
-const controller = require("../controllers/accesslevel")
-const authorized = require("../../middleware/authorized")
-const { BUILDER } = require("../../utilities/security/permissions")
-
-const router = Router()
-
-router
-  .post("/api/accesslevels", authorized(BUILDER), controller.save)
-  .get("/api/accesslevels", authorized(BUILDER), controller.fetch)
-  .get("/api/accesslevels/:levelId", authorized(BUILDER), controller.find)
-  .delete(
-    "/api/accesslevels/:levelId/:rev",
-    authorized(BUILDER),
-    controller.destroy
-  )
-
-module.exports = router

packages/server/src/api/routes/index.js

@@ -10,7 +10,7 @@ const staticRoutes = require("./static")
 const componentRoutes = require("./component")
 const automationRoutes = require("./automation")
 const webhookRoutes = require("./webhook")
-const accesslevelRoutes = require("./accesslevel")
+const roleRoutes = require("./role")
 const deployRoutes = require("./deploy")
 const apiKeysRoutes = require("./apikeys")
 const templatesRoutes = require("./templates")
@@ -26,7 +26,7 @@ exports.mainRoutes = [
   automationRoutes,
   viewRoutes,
   componentRoutes,
-  accesslevelRoutes,
+  roleRoutes,
   apiKeysRoutes,
   templatesRoutes,
   analyticsRoutes,

packages/server/src/api/routes/role.js

@@ -0,0 +1,14 @@
+const Router = require("@koa/router")
+const controller = require("../controllers/role")
+const authorized = require("../../middleware/authorized")
+const { BUILDER } = require("../../utilities/security/permissions")
+
+const router = Router()
+
+router
+  .post("/api/roles", authorized(BUILDER), controller.save)
+  .get("/api/roles", authorized(BUILDER), controller.fetch)
+  .get("/api/roles/:roleId", authorized(BUILDER), controller.find)
+  .delete("/api/roles/:roleId/:rev", authorized(BUILDER), controller.destroy)
+
+module.exports = router

packages/server/src/api/routes/routing.js

@@ -5,9 +5,10 @@ const controller = require("../controllers/routing")
 
 const router = Router()
 
-// gets the full structure, not just the correct screen ID for your access level
 router
+  // gets correct structure for user role
   .get("/api/routing/client", controller.clientFetch)
+  // gets the full structure, not just the correct screen ID for user role
   .get("/api/routing", authorized(BUILDER), controller.fetch)
 
 module.exports = router

packages/server/src/api/routes/screen.js

@@ -14,7 +14,7 @@ function generateSaveValidation() {
     name: Joi.string().required(),
     routing: Joi.object({
       route: Joi.string().required(),
-      accessLevelId: Joi.string().required().allow(""),
+      roleId: Joi.string().required().allow(""),
     }).required().unknown(true),
     props: Joi.object({
       _id: Joi.string().required(),

packages/server/src/api/routes/tests/couchTestUtils.js

@@ -1,8 +1,6 @@
 const CouchDB = require("../../../db")
 const supertest = require("supertest")
-const {
-  BUILTIN_LEVEL_IDS,
-} = require("../../../utilities/security/accessLevels")
+const { BUILTIN_ROLE_IDS } = require("../../../utilities/security/roles")
 const {
   BUILTIN_PERMISSION_NAMES,
 } = require("../../../utilities/security/permissions")
@@ -26,7 +24,7 @@ exports.supertest = async () => {
 exports.defaultHeaders = appId => {
   const builderUser = {
     userId: "BUILDER",
-    accessLevelId: BUILTIN_LEVEL_IDS.BUILDER,
+    roleId: BUILTIN_ROLE_IDS.BUILDER,
   }
 
   const builderToken = jwt.sign(builderUser, env.JWT_SECRET)
@@ -128,7 +126,7 @@ exports.createUser = async (
       name: "Bill",
       username,
       password,
-      accessLevelId: BUILTIN_LEVEL_IDS.POWER,
+      roleId: BUILTIN_ROLE_IDS.POWER,
     })
   return res.body
 }
@@ -184,13 +182,13 @@ const createUserWithPermissions = async (
       name: username,
       username,
       password,
-      accessLevelId: BUILTIN_LEVEL_IDS.POWER,
+      roleId: BUILTIN_ROLE_IDS.POWER,
       permissions,
     })
 
   const anonUser = {
     userId: "ANON",
-    accessLevelId: BUILTIN_LEVEL_IDS.PUBLIC,
+    roleId: BUILTIN_ROLE_IDS.PUBLIC,
     appId: appId,
     version: packageJson.version,
   }

packages/server/src/api/routes/tests/role.spec.js

@@ -6,12 +6,12 @@ const {
   defaultHeaders
 } = require("./couchTestUtils")
 const {
-  BUILTIN_LEVEL_IDS,
-} = require("../../../utilities/security/accessLevels")
+  BUILTIN_ROLE_IDS,
+} = require("../../../utilities/security/roles")
 
-const accessLevelBody = { name: "user", inherits: BUILTIN_LEVEL_IDS.BASIC }
+const roleBody = { name: "user", inherits: BUILTIN_ROLE_IDS.BASIC }
 
-describe("/accesslevels", () => {
+describe("/roles", () => {
   let server
   let request
   let appId
@@ -35,15 +35,15 @@ describe("/accesslevels", () => {
 
   describe("create", () => {
 
-    it("returns a success message when level is successfully created", async () => {
+    it("returns a success message when role is successfully created", async () => {
       const res = await request
-        .post(`/api/accesslevels`)
-        .send(accessLevelBody)
+        .post(`/api/roles`)
+        .send(roleBody)
         .set(defaultHeaders(appId))
         .expect('Content-Type', /json/)
         .expect(200)
 
-      expect(res.res.statusMessage).toEqual("Access Level 'user' created successfully.")
+      expect(res.res.statusMessage).toEqual("Role 'user' created successfully.")
       expect(res.body._id).toBeDefined()
       expect(res.body._rev).toBeDefined()
     })
@@ -52,57 +52,57 @@ describe("/accesslevels", () => {
 
   describe("fetch", () => {
 
-    it("should list custom levels, plus 2 default levels", async () => {
+    it("should list custom roles, plus 2 default roles", async () => {
       const createRes = await request
-        .post(`/api/accesslevels`)
-        .send(accessLevelBody)
+        .post(`/api/roles`)
+        .send(roleBody)
         .set(defaultHeaders(appId))
         .expect('Content-Type', /json/)
         .expect(200)
 
-      const customLevel = createRes.body
+      const customRole = createRes.body
 
       const res = await request
-        .get(`/api/accesslevels`)
+        .get(`/api/roles`)
         .set(defaultHeaders(appId))
         .expect('Content-Type', /json/)
         .expect(200)
 
       expect(res.body.length).toBe(3)
 
-      const adminLevel = res.body.find(r => r._id === BUILTIN_LEVEL_IDS.ADMIN)
-      expect(adminLevel.inherits).toEqual(BUILTIN_LEVEL_IDS.POWER)
-      expect(adminLevel).toBeDefined()
+      const adminRole = res.body.find(r => r._id === BUILTIN_ROLE_IDS.ADMIN)
+      expect(adminRole.inherits).toEqual(BUILTIN_ROLE_IDS.POWER)
+      expect(adminRole).toBeDefined()
 
-      const powerUserLevel = res.body.find(r => r._id === BUILTIN_LEVEL_IDS.POWER)
-      expect(powerUserLevel.inherits).toEqual(BUILTIN_LEVEL_IDS.BASIC)
-      expect(powerUserLevel).toBeDefined()
+      const powerUserRole = res.body.find(r => r._id === BUILTIN_ROLE_IDS.POWER)
+      expect(powerUserRole.inherits).toEqual(BUILTIN_ROLE_IDS.BASIC)
+      expect(powerUserRole).toBeDefined()
 
-      const customLevelFetched = res.body.find(r => r._id === customLevel._id)
-      expect(customLevelFetched.inherits).toEqual(BUILTIN_LEVEL_IDS.BASIC)
-      expect(customLevelFetched).toBeDefined()
+      const customRoleFetched = res.body.find(r => r._id === customRole._id)
+      expect(customRoleFetched.inherits).toEqual(BUILTIN_ROLE_IDS.BASIC)
+      expect(customRoleFetched).toBeDefined()
     })
     
   });
 
   describe("destroy", () => {
-    it("should delete custom access level", async () => {
+    it("should delete custom roles", async () => {
       const createRes = await request
-        .post(`/api/accesslevels`)
+        .post(`/api/roles`)
         .send({ name: "user" })
         .set(defaultHeaders(appId))
         .expect('Content-Type', /json/)
         .expect(200)
 
-      const customLevel = createRes.body
+      const customRole = createRes.body
 
       await request
-        .delete(`/api/accesslevels/${customLevel._id}/${customLevel._rev}`)
+        .delete(`/api/roles/${customRole._id}/${customRole._rev}`)
         .set(defaultHeaders(appId))
         .expect(200)
 
       await request
-        .get(`/api/accesslevels/${customLevel._id}`)
+        .get(`/api/roles/${customRole._id}`)
         .set(defaultHeaders(appId))
         .expect(404)
     })

packages/server/src/api/routes/tests/user.spec.js

@@ -9,8 +9,8 @@ const {
   BUILTIN_PERMISSION_NAMES,
 } = require("../../../utilities/security/permissions")
 const {
-  BUILTIN_LEVEL_IDS,
-} = require("../../../utilities/security/accessLevels")
+  BUILTIN_ROLE_IDS,
+} = require("../../../utilities/security/roles")
 
 describe("/users", () => {
   let request
@@ -67,7 +67,7 @@ describe("/users", () => {
       const res = await request
         .post(`/api/users`)
         .set(defaultHeaders(appId))
-        .send({ name: "Bill", username: "bill", password: "bills_password", accessLevelId: BUILTIN_LEVEL_IDS.POWER })
+        .send({ name: "Bill", username: "bill", password: "bills_password", roleId: BUILTIN_ROLE_IDS.POWER })
         .expect(200)
         .expect('Content-Type', /json/)
 
@@ -79,7 +79,7 @@ describe("/users", () => {
       await testPermissionsForEndpoint({
         request,
         method: "POST",
-        body: { name: "brandNewUser", username: "brandNewUser", password: "yeeooo", accessLevelId: BUILTIN_LEVEL_IDS.POWER },
+        body: { name: "brandNewUser", username: "brandNewUser", password: "yeeooo", roleId: BUILTIN_ROLE_IDS.POWER },
         url: `/api/users`,
         appId: appId,
         permName1: BUILTIN_PERMISSION_NAMES.ADMIN,

packages/server/src/automations/steps/createUser.js

@@ -1,4 +1,4 @@
-const accessLevels = require("../../utilities/security/accessLevels")
+const roles = require("../../utilities/security/roles")
 const userController = require("../../api/controllers/user")
 const env = require("../../environment")
 const usage = require("../../utilities/usageQuota")
@@ -11,7 +11,7 @@ module.exports.definition = {
   type: "ACTION",
   stepId: "CREATE_USER",
   inputs: {
-    accessLevelId: accessLevels.BUILTIN_LEVEL_IDS.POWER,
+    roleId: roles.BUILTIN_ROLE_IDS.POWER,
   },
   schema: {
     inputs: {
@@ -25,14 +25,14 @@ module.exports.definition = {
           customType: "password",
           title: "Password",
         },
-        accessLevelId: {
+        roleId: {
           type: "string",
-          title: "Access Level",
-          enum: accessLevels.BUILTIN_LEVEL_ID_ARRAY,
-          pretty: accessLevels.BUILTIN_LEVEL_NAME_ARRAY,
+          title: "Role",
+          enum: roles.BUILTIN_ROLE_ID_ARRAY,
+          pretty: roles.BUILTIN_ROLE_NAME_ARRAY,
         },
       },
-      required: ["username", "password", "accessLevelId"],
+      required: ["username", "password", "roleId"],
     },
     outputs: {
       properties: {
@@ -59,13 +59,13 @@ module.exports.definition = {
 }
 
 module.exports.run = async function({ inputs, appId, apiKey }) {
-  const { username, password, accessLevelId } = inputs
+  const { username, password, roleId } = inputs
   const ctx = {
     user: {
       appId: appId,
     },
     request: {
-      body: { username, password, accessLevelId },
+      body: { username, password, roleId },
     },
   }
 

packages/server/src/constants/index.js

@@ -1,4 +1,4 @@
-const { BUILTIN_LEVEL_IDS } = require("../utilities/security/accessLevels")
+const { BUILTIN_ROLE_IDS } = require("../utilities/security/roles")
 
 const AuthTypes = {
   APP: "app",
@@ -24,14 +24,14 @@ const USERS_TABLE_SCHEMA = {
       fieldName: "username",
       name: "username",
     },
-    accessLevelId: {
-      fieldName: "accessLevelId",
-      name: "accessLevelId",
+    roleId: {
+      fieldName: "roleId",
+      name: "roleId",
       type: "options",
       constraints: {
         type: "string",
         presence: false,
-        inclusion: Object.keys(BUILTIN_LEVEL_IDS),
+        inclusion: Object.keys(BUILTIN_ROLE_IDS),
       },
     },
   },

packages/server/src/constants/screens.js

@@ -1,4 +1,4 @@
-const { BUILTIN_LEVEL_IDS } = require("../utilities/security/accessLevels")
+const { BUILTIN_ROLE_IDS } = require("../utilities/security/roles")
 
 exports.HOME_SCREEN = {
   description: "",
@@ -97,7 +97,7 @@ exports.HOME_SCREEN = {
   },
   routing: {
     route: "/",
-    accessLevelId: BUILTIN_LEVEL_IDS.BASIC,
+    roleId: BUILTIN_ROLE_IDS.BASIC,
   },
   name: "home-screen",
 }

packages/server/src/db/utils.js

@@ -10,7 +10,7 @@ const DocumentTypes = {
   AUTOMATION: "au",
   LINK: "li",
   APP: "app",
-  ACCESS_LEVEL: "ac",
+  ROLE: "role",
   WEBHOOK: "wh",
   INSTANCE: "inst",
   LAYOUT: "layout",
@@ -169,18 +169,18 @@ exports.getAppParams = (appId = null, otherProps = {}) => {
 }
 
 /**
- * Generates a new access level ID.
- * @returns {string} The new access level ID which the access level doc can be stored under.
+ * Generates a new role ID.
+ * @returns {string} The new role ID which the role doc can be stored under.
  */
-exports.generateAccessLevelID = () => {
-  return `${DocumentTypes.ACCESS_LEVEL}${SEPARATOR}${newid()}`
+exports.generateRoleID = () => {
+  return `${DocumentTypes.ROLE}${SEPARATOR}${newid()}`
 }
 
 /**
- * Gets parameters for retrieving an access level, this is a utility function for the getDocParams function.
+ * Gets parameters for retrieving a role, this is a utility function for the getDocParams function.
  */
-exports.getAccessLevelParams = (accessLevelId = null, otherProps = {}) => {
-  return getDocParams(DocumentTypes.ACCESS_LEVEL, accessLevelId, otherProps)
+exports.getRoleParams = (roleId = null, otherProps = {}) => {
+  return getDocParams(DocumentTypes.ROLE, roleId, otherProps)
 }
 
 /**

packages/server/src/middleware/authenticated.js

@@ -1,9 +1,6 @@
 const jwt = require("jsonwebtoken")
 const STATUS_CODES = require("../utilities/statusCodes")
-const {
-  getAccessLevel,
-  BUILTIN_LEVELS,
-} = require("../utilities/security/accessLevels")
+const { getRole, BUILTIN_ROLES } = require("../utilities/security/roles")
 const { AuthTypes } = require("../constants")
 const { getAppId, getCookieName, setCookie, isClient } = require("../utilities")
 
@@ -35,7 +32,7 @@ module.exports = async (ctx, next) => {
     ctx.appId = appId
     ctx.user = {
       appId,
-      accessLevel: BUILTIN_LEVELS.PUBLIC,
+      role: BUILTIN_ROLES.PUBLIC,
     }
     await next()
     return
@@ -49,7 +46,7 @@ module.exports = async (ctx, next) => {
     ctx.user = {
       ...jwtPayload,
       appId: appId,
-      accessLevel: await getAccessLevel(appId, jwtPayload.accessLevelId),
+      role: await getRole(appId, jwtPayload.roleId),
     }
   } catch (err) {
     ctx.throw(err.status || STATUS_CODES.FORBIDDEN, err.text)

packages/server/src/middleware/authorized.js

@@ -1,4 +1,4 @@
-const { BUILTIN_LEVEL_IDS } = require("../utilities/security/accessLevels")
+const { BUILTIN_ROLE_IDS } = require("../utilities/security/roles")
 const {
   PermissionTypes,
   doesHavePermission,
@@ -7,7 +7,7 @@ const env = require("../environment")
 const { apiKeyTable } = require("../db/dynamoClient")
 const { AuthTypes } = require("../constants")
 
-const ADMIN_ACCESS = [BUILTIN_LEVEL_IDS.ADMIN, BUILTIN_LEVEL_IDS.BUILDER]
+const ADMIN_ROLES = [BUILTIN_ROLE_IDS.ADMIN, BUILTIN_ROLE_IDS.BUILDER]
 
 const LOCAL_PASS = new RegExp(["webhooks/trigger", "webhooks/schema"].join("|"))
 
@@ -47,9 +47,9 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => {
     ctx.throw(403, "User not found")
   }
 
-  const accessLevel = ctx.user.accessLevel
+  const role = ctx.user.role
   const permissions = ctx.user.permissions
-  if (ADMIN_ACCESS.indexOf(accessLevel._id) !== -1) {
+  if (ADMIN_ROLES.indexOf(role._id) !== -1) {
     return next()
   }
 

packages/server/src/utilities/builder/setBuilderToken.js

@@ -1,4 +1,4 @@
-const { BUILTIN_LEVEL_IDS } = require("../security/accessLevels")
+const { BUILTIN_ROLE_IDS } = require("../security/roles")
 const { BUILTIN_PERMISSION_NAMES } = require("../security/permissions")
 const env = require("../../environment")
 const CouchDB = require("../../db")
@@ -10,7 +10,7 @@ const APP_PREFIX = DocumentTypes.APP + SEPARATOR
 module.exports = async (ctx, appId, version) => {
   const builderUser = {
     userId: "BUILDER",
-    accessLevelId: BUILTIN_LEVEL_IDS.BUILDER,
+    roleId: BUILTIN_ROLE_IDS.BUILDER,
     permissions: [BUILTIN_PERMISSION_NAMES.ADMIN],
     version,
   }

packages/server/src/utilities/security/accessLevels.js

@@ -1,150 +0,0 @@
-const CouchDB = require("../../db")
-const { cloneDeep } = require("lodash/fp")
-
-const BUILTIN_IDS = {
-  ADMIN: "ADMIN",
-  POWER: "POWER_USER",
-  BASIC: "BASIC",
-  PUBLIC: "PUBLIC",
-  BUILDER: "BUILDER",
-}
-
-function AccessLevel(id, name, inherits) {
-  this._id = id
-  this.name = name
-  if (inherits) {
-    this.inherits = inherits
-  }
-}
-
-exports.BUILTIN_LEVELS = {
-  ADMIN: new AccessLevel(BUILTIN_IDS.ADMIN, "Admin", BUILTIN_IDS.POWER),
-  POWER: new AccessLevel(BUILTIN_IDS.POWER, "Power", BUILTIN_IDS.BASIC),
-  BASIC: new AccessLevel(BUILTIN_IDS.BASIC, "Basic", BUILTIN_IDS.PUBLIC),
-  PUBLIC: new AccessLevel(BUILTIN_IDS.PUBLIC, "Public"),
-  BUILDER: new AccessLevel(BUILTIN_IDS.BUILDER, "Builder"),
-}
-
-exports.BUILTIN_LEVEL_ID_ARRAY = Object.values(exports.BUILTIN_LEVELS).map(
-  level => level._id
-)
-
-exports.BUILTIN_LEVEL_NAME_ARRAY = Object.values(exports.BUILTIN_LEVELS).map(
-  level => level.name
-)
-
-function isBuiltin(accessLevel) {
-  return exports.BUILTIN_LEVEL_ID_ARRAY.indexOf(accessLevel) !== -1
-}
-
-/**
- * Gets the access level object, this is mainly useful for two purposes, to check if the level exists and
- * to check if the access level inherits any others.
- * @param {string} appId The app in which to look for the access level.
- * @param {string|null} accessLevelId The level ID to lookup.
- * @returns {Promise<AccessLevel|object|null>} The access level object, which may contain an "inherits" property.
- */
-exports.getAccessLevel = async (appId, accessLevelId) => {
-  if (!accessLevelId) {
-    return null
-  }
-  let accessLevel
-  if (isBuiltin(accessLevelId)) {
-    accessLevel = cloneDeep(
-      Object.values(exports.BUILTIN_LEVELS).find(
-        level => level._id === accessLevelId
-      )
-    )
-  } else {
-    const db = new CouchDB(appId)
-    accessLevel = await db.get(accessLevelId)
-  }
-  return accessLevel
-}
-
-/**
- * Returns an ordered array of the user's inherited access level IDs, this can be used
- * to determine if a user can access something that requires a specific access level.
- * @param {string} appId The ID of the application from which access levels should be obtained.
- * @param {string} userAccessLevelId The user's access level, this can be found in their access token.
- * @returns {Promise<string[]>} returns an ordered array of the access levels, with the first being their
- * highest level of access and the last being the lowest level.
- */
-exports.getUserAccessLevelHierarchy = async (appId, userAccessLevelId) => {
-  // special case, if they don't have a level then they are a public user
-  if (!userAccessLevelId) {
-    return [BUILTIN_IDS.PUBLIC]
-  }
-  let accessLevelIds = [userAccessLevelId]
-  let userAccess = await exports.getAccessLevel(appId, userAccessLevelId)
-  // check if inherited makes it possible
-  while (
-    userAccess &&
-    userAccess.inherits &&
-    accessLevelIds.indexOf(userAccess.inherits) === -1
-  ) {
-    accessLevelIds.push(userAccess.inherits)
-    // go to get the inherited incase it inherits anything
-    userAccess = await exports.getAccessLevel(appId, userAccess.inherits)
-  }
-  // add the user's actual level at the end (not at start as that stops iteration
-  return accessLevelIds
-}
-
-class AccessController {
-  constructor(appId) {
-    this.appId = appId
-    this.userHierarchies = {}
-  }
-
-  async hasAccess(tryingAccessLevelId, userAccessLevelId) {
-    // special cases, the screen has no access level, the access levels are the same or the user
-    // is currently in the builder
-    if (
-      tryingAccessLevelId == null ||
-      tryingAccessLevelId === "" ||
-      tryingAccessLevelId === userAccessLevelId ||
-      userAccessLevelId === BUILTIN_IDS.BUILDER
-    ) {
-      return true
-    }
-    let accessLevelIds = this.userHierarchies[userAccessLevelId]
-    if (!accessLevelIds) {
-      accessLevelIds = await exports.getUserAccessLevelHierarchy(
-        this.appId,
-        userAccessLevelId
-      )
-      this.userHierarchies[userAccessLevelId] = userAccessLevelId
-    }
-
-    return accessLevelIds.indexOf(tryingAccessLevelId) !== -1
-  }
-
-  async checkScreensAccess(screens, userAccessLevelId) {
-    let accessibleScreens = []
-    // don't want to handle this with Promise.all as this would mean all custom access levels would be
-    // retrieved at same time, it is likely a custom levels will be re-used and therefore want
-    // to work in sync for performance save
-    for (let screen of screens) {
-      const accessible = await this.checkScreenAccess(screen, userAccessLevelId)
-      if (accessible) {
-        accessibleScreens.push(accessible)
-      }
-    }
-    return accessibleScreens
-  }
-
-  async checkScreenAccess(screen, userAccessLevelId) {
-    const accessLevelId =
-      screen && screen.routing ? screen.routing.accessLevelId : null
-    if (await this.hasAccess(accessLevelId, userAccessLevelId)) {
-      return screen
-    }
-    return null
-  }
-}
-
-exports.AccessController = AccessController
-exports.BUILTIN_LEVEL_IDS = BUILTIN_IDS
-exports.isBuiltin = isBuiltin
-exports.AccessLevel = AccessLevel

packages/server/src/utilities/security/roles.js

@@ -0,0 +1,143 @@
+const CouchDB = require("../../db")
+const { cloneDeep } = require("lodash/fp")
+
+const BUILTIN_IDS = {
+  ADMIN: "ADMIN",
+  POWER: "POWER_USER",
+  BASIC: "BASIC",
+  PUBLIC: "PUBLIC",
+  BUILDER: "BUILDER",
+}
+
+function Role(id, name, inherits) {
+  this._id = id
+  this.name = name
+  if (inherits) {
+    this.inherits = inherits
+  }
+}
+
+exports.BUILTIN_ROLES = {
+  ADMIN: new Role(BUILTIN_IDS.ADMIN, "Admin", BUILTIN_IDS.POWER),
+  POWER: new Role(BUILTIN_IDS.POWER, "Power", BUILTIN_IDS.BASIC),
+  BASIC: new Role(BUILTIN_IDS.BASIC, "Basic", BUILTIN_IDS.PUBLIC),
+  PUBLIC: new Role(BUILTIN_IDS.PUBLIC, "Public"),
+  BUILDER: new Role(BUILTIN_IDS.BUILDER, "Builder"),
+}
+
+exports.BUILTIN_ROLE_ID_ARRAY = Object.values(exports.BUILTIN_ROLES).map(
+  level => level._id
+)
+
+exports.BUILTIN_ROLE_NAME_ARRAY = Object.values(exports.BUILTIN_ROLES).map(
+  level => level.name
+)
+
+function isBuiltin(role) {
+  return exports.BUILTIN_ROLE_ID_ARRAY.indexOf(role) !== -1
+}
+
+/**
+ * Gets the role object, this is mainly useful for two purposes, to check if the level exists and
+ * to check if the role inherits any others.
+ * @param {string} appId The app in which to look for the role.
+ * @param {string|null} roleId The level ID to lookup.
+ * @returns {Promise<Role|object|null>} The role object, which may contain an "inherits" property.
+ */
+exports.getRole = async (appId, roleId) => {
+  if (!roleId) {
+    return null
+  }
+  let role
+  if (isBuiltin(roleId)) {
+    role = cloneDeep(
+      Object.values(exports.BUILTIN_ROLES).find(role => role._id === roleId)
+    )
+  } else {
+    const db = new CouchDB(appId)
+    role = await db.get(roleId)
+  }
+  return role
+}
+
+/**
+ * Returns an ordered array of the user's inherited role IDs, this can be used
+ * to determine if a user can access something that requires a specific role.
+ * @param {string} appId The ID of the application from which roles should be obtained.
+ * @param {string} userRoleId The user's role ID, this can be found in their access token.
+ * @returns {Promise<string[]>} returns an ordered array of the roles, with the first being their
+ * highest level of access and the last being the lowest level.
+ */
+exports.getUserRoleHierarchy = async (appId, userRoleId) => {
+  // special case, if they don't have a role then they are a public user
+  if (!userRoleId) {
+    return [BUILTIN_IDS.PUBLIC]
+  }
+  let roleIds = [userRoleId]
+  let userRole = await exports.getRole(appId, userRoleId)
+  // check if inherited makes it possible
+  while (
+    userRole &&
+    userRole.inherits &&
+    roleIds.indexOf(userRole.inherits) === -1
+  ) {
+    roleIds.push(userRole.inherits)
+    // go to get the inherited incase it inherits anything
+    userRole = await exports.getRole(appId, userRole.inherits)
+  }
+  return roleIds
+}
+
+class AccessController {
+  constructor(appId) {
+    this.appId = appId
+    this.userHierarchies = {}
+  }
+
+  async hasAccess(tryingRoleId, userRoleId) {
+    // special cases, the screen has no role, the roles are the same or the user
+    // is currently in the builder
+    if (
+      tryingRoleId == null ||
+      tryingRoleId === "" ||
+      tryingRoleId === userRoleId ||
+      tryingRoleId === BUILTIN_IDS.BUILDER
+    ) {
+      return true
+    }
+    let roleIds = this.userHierarchies[userRoleId]
+    if (!roleIds) {
+      roleIds = await exports.getUserRoleHierarchy(this.appId, userRoleId)
+      this.userHierarchies[userRoleId] = userRoleId
+    }
+
+    return roleIds.indexOf(tryingRoleId) !== -1
+  }
+
+  async checkScreensAccess(screens, userRoleId) {
+    let accessibleScreens = []
+    // don't want to handle this with Promise.all as this would mean all custom roles would be
+    // retrieved at same time, it is likely a custom role will be re-used and therefore want
+    // to work in sync for performance save
+    for (let screen of screens) {
+      const accessible = await this.checkScreenAccess(screen, userRoleId)
+      if (accessible) {
+        accessibleScreens.push(accessible)
+      }
+    }
+    return accessibleScreens
+  }
+
+  async checkScreenAccess(screen, userRoleId) {
+    const roleId = screen && screen.routing ? screen.routing.roleId : null
+    if (await this.hasAccess(roleId, userRoleId)) {
+      return screen
+    }
+    return null
+  }
+}
+
+exports.AccessController = AccessController
+exports.BUILTIN_ROLE_IDS = BUILTIN_IDS
+exports.isBuiltin = isBuiltin
+exports.Role = Role