Merge pull request #14707 from Budibase/row-action/set-table-permission

Row action/set table permission

packages/server/src/api/controllers/rowAction/crud.ts

@@ -1,6 +1,7 @@
 import {
   CreateRowActionRequest,
   Ctx,
+  RowActionPermissions,
   RowActionResponse,
   RowActionsResponse,
   UpdateRowActionRequest,
@@ -18,25 +19,26 @@ async function getTable(ctx: Ctx) {
 
 export async function find(ctx: Ctx<void, RowActionsResponse>) {
   const table = await getTable(ctx)
+  const tableId = table._id!
 
-  if (!(await sdk.rowActions.docExists(table._id!))) {
+  if (!(await sdk.rowActions.docExists(tableId))) {
     ctx.body = {
       actions: {},
     }
     return
   }
 
-  const { actions } = await sdk.rowActions.getAll(table._id!)
+  const { actions } = await sdk.rowActions.getAll(tableId)
   const result: RowActionsResponse = {
     actions: Object.entries(actions).reduce<Record<string, RowActionResponse>>(
       (acc, [key, action]) => ({
         ...acc,
         [key]: {
           id: key,
-          tableId: table._id!,
+          tableId,
           name: action.name,
           automationId: action.automationId,
-          allowedViews: flattenAllowedViews(action.permissions.views),
+          allowedSources: flattenAllowedSources(tableId, action.permissions),
         },
       }),
       {}
@@ -49,17 +51,18 @@ export async function create(
   ctx: Ctx<CreateRowActionRequest, RowActionResponse>
 ) {
   const table = await getTable(ctx)
+  const tableId = table._id!
 
-  const createdAction = await sdk.rowActions.create(table._id!, {
+  const createdAction = await sdk.rowActions.create(tableId, {
     name: ctx.request.body.name,
   })
 
   ctx.body = {
-    tableId: table._id!,
+    tableId,
     id: createdAction.id,
     name: createdAction.name,
     automationId: createdAction.automationId,
-    allowedViews: undefined,
+    allowedSources: flattenAllowedSources(tableId, createdAction.permissions),
   }
   ctx.status = 201
 }
@@ -68,18 +71,19 @@ export async function update(
   ctx: Ctx<UpdateRowActionRequest, RowActionResponse>
 ) {
   const table = await getTable(ctx)
+  const tableId = table._id!
   const { actionId } = ctx.params
 
-  const action = await sdk.rowActions.update(table._id!, actionId, {
+  const action = await sdk.rowActions.update(tableId, actionId, {
     name: ctx.request.body.name,
   })
 
   ctx.body = {
-    tableId: table._id!,
+    tableId,
     id: action.id,
     name: action.name,
     automationId: action.automationId,
-    allowedViews: undefined,
+    allowedSources: flattenAllowedSources(tableId, action.permissions),
   }
 }
 
@@ -91,52 +95,89 @@ export async function remove(ctx: Ctx<void, void>) {
   ctx.status = 204
 }
 
+export async function setTablePermission(ctx: Ctx<void, RowActionResponse>) {
+  const table = await getTable(ctx)
+  const tableId = table._id!
+  const { actionId } = ctx.params
+
+  const action = await sdk.rowActions.setTablePermission(tableId, actionId)
+  ctx.body = {
+    tableId,
+    id: action.id,
+    name: action.name,
+    automationId: action.automationId,
+    allowedSources: flattenAllowedSources(tableId, action.permissions),
+  }
+}
+
+export async function unsetTablePermission(ctx: Ctx<void, RowActionResponse>) {
+  const table = await getTable(ctx)
+  const tableId = table._id!
+  const { actionId } = ctx.params
+
+  const action = await sdk.rowActions.unsetTablePermission(tableId, actionId)
+
+  ctx.body = {
+    tableId,
+    id: action.id,
+    name: action.name,
+    automationId: action.automationId,
+    allowedSources: flattenAllowedSources(tableId, action.permissions),
+  }
+}
+
 export async function setViewPermission(ctx: Ctx<void, RowActionResponse>) {
   const table = await getTable(ctx)
+  const tableId = table._id!
   const { actionId, viewId } = ctx.params
 
   const action = await sdk.rowActions.setViewPermission(
-    table._id!,
+    tableId,
     actionId,
     viewId
   )
   ctx.body = {
-    tableId: table._id!,
+    tableId,
     id: action.id,
     name: action.name,
     automationId: action.automationId,
-    allowedViews: flattenAllowedViews(action.permissions.views),
+    allowedSources: flattenAllowedSources(tableId, action.permissions),
   }
 }
 
 export async function unsetViewPermission(ctx: Ctx<void, RowActionResponse>) {
   const table = await getTable(ctx)
+  const tableId = table._id!
   const { actionId, viewId } = ctx.params
 
   const action = await sdk.rowActions.unsetViewPermission(
-    table._id!,
+    tableId,
     actionId,
     viewId
   )
 
   ctx.body = {
-    tableId: table._id!,
+    tableId,
     id: action.id,
     name: action.name,
     automationId: action.automationId,
-    allowedViews: flattenAllowedViews(action.permissions.views),
+    allowedSources: flattenAllowedSources(tableId, action.permissions),
   }
 }
 
-function flattenAllowedViews(
-  permissions: Record<string, { runAllowed: boolean }>
+function flattenAllowedSources(
+  tableId: string,
+  permissions: RowActionPermissions
 ) {
-  const allowedPermissions = Object.entries(permissions || {})
-    .filter(([_, p]) => p.runAllowed)
-    .map(([viewId]) => viewId)
-  if (!allowedPermissions.length) {
-    return undefined
+  const allowedPermissions = []
+  if (permissions.table.runAllowed) {
+    allowedPermissions.push(tableId)
   }
+  allowedPermissions.push(
+    ...Object.keys(permissions.views || {}).filter(
+      viewId => permissions.views[viewId].runAllowed
+    )
+  )
 
   return allowedPermissions
 }

packages/server/src/api/routes/rowAction.ts

@@ -51,6 +51,16 @@ router
     authorized(BUILDER),
     rowActionController.remove
   )
+  .post(
+    "/api/tables/:tableId/actions/:actionId/permissions",
+    authorized(BUILDER),
+    rowActionController.setTablePermission
+  )
+  .delete(
+    "/api/tables/:tableId/actions/:actionId/permissions",
+    authorized(BUILDER),
+    rowActionController.unsetTablePermission
+  )
   .post(
     "/api/tables/:tableId/actions/:actionId/permissions/:viewId",
     authorized(BUILDER),