
fix(gui): allow attachment upload if user have permission

re #4694

Signed-off-by: Pranav C <pranavxc@gmail.com>
pull/4700/head
Pranav C 2 years ago
parent
commit
0d9954af70
  1. 7
      packages/nocodb-sdk/src/lib/enums.ts
  2. 35
      packages/nocodb/src/lib/meta/api/attachmentApis.ts

7
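--- a/packages/nocodb-sdk/src/lib/enums.ts
+++ b/packages/nocodb-sdk/src/lib/enums.ts
@@ -3,3 +3,10 @@ export enum OrgUserRoles {
 CREATOR = 'org-level-creator',
 VIEWER = 'org-level-viewer',
 }
+export enum ProjectRoles {
+OWNER = 'owner',
+CREATOR = 'creator',
+EDITOR = 'editor',
+COMMENTER = 'commenter',
+VIEWER = 'viewer',
+}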

35
packages/nocodb/src/lib/meta/api/attachmentApis.ts

@ -2,15 +2,41 @@
import { Request, Response, Router } from 'express'; import { Request, Response, Router } from 'express';
import multer from 'multer'; import multer from 'multer';
import { nanoid } from 'nanoid'; import { nanoid } from 'nanoid';
import { OrgUserRoles, ProjectRoles } from 'nocodb-sdk';
import path from 'path'; import path from 'path';
import slash from 'slash'; import slash from 'slash';
import Noco from '../../Noco';
import { MetaTable } from '../../utils/globals';
import mimetypes, { mimeIcons } from '../../utils/mimeTypes'; import mimetypes, { mimeIcons } from '../../utils/mimeTypes';
import { Tele } from 'nc-help'; import { Tele } from 'nc-help';
import ncMetaAclMw from '../helpers/ncMetaAclMw'; import extractProjectIdAndAuthenticate from '../helpers/extractProjectIdAndAuthenticate';
import catchError from '../helpers/catchError'; import catchError, { NcError } from '../helpers/catchError';
import NcPluginMgrv2 from '../helpers/NcPluginMgrv2'; import NcPluginMgrv2 from '../helpers/NcPluginMgrv2';
import { NC_ATTACHMENT_FIELD_SIZE } from '../../constants'; import { NC_ATTACHMENT_FIELD_SIZE } from '../../constants';
const isUploadAllowed = async (req: Request, _res: Response, next: any) => {
try {
// check user is super admin or creator
if (
req['user']?.roles?.includes(OrgUserRoles.SUPER_ADMIN) ||
req['user']?.roles?.includes(OrgUserRoles.CREATOR) ||
// if viewer then check at-least one project have editor or higher role
// todo: cache
!!(await Noco.ncMeta
.knex(MetaTable.PROJECT_USERS)
.where(function () {
this.where('roles', ProjectRoles.OWNER);
this.orWhere('roles', ProjectRoles.CREATOR);
this.orWhere('roles', ProjectRoles.EDITOR);
})
.andWhere('fk_user_id', req['user']?.id)
.first())
)
return next();
} catch {}
NcError.badRequest('Upload not allowed');
};
// const storageAdapter = new Local(); // const storageAdapter = new Local();
export async function upload(req: Request, res: Response) { export async function upload(req: Request, res: Response) {
const filePath = sanitizeUrlPath( const filePath = sanitizeUrlPath(
@ -156,11 +182,12 @@ router.post(
fieldSize: NC_ATTACHMENT_FIELD_SIZE, fieldSize: NC_ATTACHMENT_FIELD_SIZE,
}, },
}).any(), }).any(),
ncMetaAclMw(upload, 'upload') [extractProjectIdAndAuthenticate, isUploadAllowed, catchError(upload)]
); );
router.post( router.post(
'/api/v1/db/storage/upload-by-url', '/api/v1/db/storage/upload-by-url',
ncMetaAclMw(uploadViaURL, 'uploadViaURL')
[extractProjectIdAndAuthenticate, isUploadAllowed, catchError(uploadViaURL)]
); );
router.get(/^\/download\/(.+)$/, catchError(fileRead)); router.get(/^\/download\/(.+)$/, catchError(fileRead));
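Review bot: The new `isUploadAllowed` middleware is `async` and its deny path calls `NcError.badRequest('Upload not allowed')`, which, if it throws like the other NcError helpers appear to, rejects the promise; Express 4 does not await middleware, so that rejection would likely never reach the error handler and the request could hang instead of returning a 400, unlike the sibling handlers that are wrapped. Registering it as `catchError(isUploadAllowed)` in both `router.post` calls (the upload and upload-by-url routes), or calling `next(err)` explicitly, keeps the denial a clean 400. The bare `catch {}` also folds any query failure — including the knex undefined-binding error that a missing `req['user']?.id` would presumably trigger — into the same 'Upload not allowed' response; failing closed is right here, but logging the caught error before denying would make a database outage distinguishable from an authorization denial. Typing the third parameter as `next: NextFunction` from express instead of `any` would match the already-imported Request/Response types.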
