fix: base all permission need no resourceId #1175

Merged
merged 1 commit into from
Dec 19, 2024
Merged
15 changes: 14 additions & 1 deletion apps/nestjs-backend/src/features/auth/guard/permission.guard.ts
Expand Up @@ -48,8 +48,18 @@ export class PermissionGuard {
return true;
}

private async permissionBaseReadAll() {
const accessTokenId = this.cls.get('accessTokenId');
if (accessTokenId) {
const { scopes } = await this.permissionService.getAccessToken(accessTokenId);
return scopes.includes('base|read_all');
}
return true;
}

protected async resourcePermission(resourceId: string | undefined, permissions: Action[]) {
if (!resourceId) {
console.log('permissions', permissions);
throw new ForbiddenException('permission check ID does not exist');
}
const accessTokenId = this.cls.get('accessTokenId');
Expand Down Expand Up @@ -106,10 +116,13 @@ export class PermissionGuard {
if (permissions?.includes('instance|read')) {
return this.instancePermissionChecker('instance|read');
}
// space create permission check
if (permissions?.includes('space|create')) {
return await this.permissionCreateSpace();
}
if (permissions?.includes('base|read_all')) {
return await this.permissionBaseReadAll();
}

// resource permission check
return await this.resourcePermission(this.getResourceId(context), permissions);
}
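Review bot: The `console.log('permissions', permissions)` line in resourcePermission (first hunk) reads as leftover debugging — it dumps the requested action list to stdout on every forbidden request and bypasses whatever structured logging the service uses, so it should be removed rather than shipped with the guard. In permissionBaseReadAll, a missing accessTokenId returns `true` unconditionally, which grants `base|read_all` to any session-authenticated caller with no further check; that is presumably intended because the handler scopes results to the caller's own bases, but a one-line comment stating that assumption, e.g. `// session users are not scope-restricted here; the handler limits results to the caller's bases`, would make the intent explicit. Note also that in the second hunk the `base|read_all` branch returns before resourcePermission runs, mirroring the `space|create` pattern, so a handler that ever declares `base|read_all` together with a resource-scoped action would skip the resource check entirely. The enclosing canActivate body starts before the second hunk.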
28 changes: 28 additions & 0 deletions apps/nestjs-backend/test/access-token.e2e-spec.ts
Expand Up @@ -30,6 +30,7 @@ import {
deleteSpace,
deleteBase,
getAccessToken,
GET_BASE_ALL,
} from '@teable/openapi';
import dayjs from 'dayjs';
import { createNewUserAxios } from './utils/axios-instance/new-user';
Expand Down Expand Up @@ -149,6 +150,7 @@ describe('OpenAPI AccessTokenController (e2e)', () => {
describe('validate accessToken permission', () => {
let tableReadToken: string;
let recordReadToken: string;
let baseReadAllToken: string;
const axios = createAxios();

beforeAll(async () => {
Expand All @@ -164,6 +166,12 @@ describe('OpenAPI AccessTokenController (e2e)', () => {
scopes: ['record|read'],
});
recordReadToken = recordReadTokenData.token;
const { data: baseReadAllTokenData } = await createAccessToken({
...defaultCreateRo,
name: 'base read all token',
scopes: ['base|read_all'],
});
baseReadAllToken = baseReadAllTokenData.token;
axios.defaults.baseURL = defaultAxios.defaults.baseURL;
});

Expand All @@ -187,6 +195,26 @@ describe('OpenAPI AccessTokenController (e2e)', () => {
expect(error?.status).toEqual(403);
});

it('get base list has not base|read_all permission', async () => {
const error = await getError(() =>
axios.get(urlBuilder(GET_BASE_ALL), {
headers: {
Authorization: `Bearer ${tableReadToken}`,
},
})
);
expect(error?.status).toEqual(403);
});

it('get base list has base|read_all permission', async () => {
const res = await axios.get(urlBuilder(GET_BASE_ALL), {
headers: {
Authorization: `Bearer ${baseReadAllToken}`,
},
});
expect(res.status).toEqual(200);
});

it('get record list has record|read permission', async () => {
const res = await axios.get(urlBuilder(GET_RECORDS_URL, { tableId: table.id }), {
headers: {