Browse Source

Merge branch 'develop' into feat/pnpm

pull/5903/head
Wing-Kam Wong 1 year ago
parent
commit
6c740e8de4
  1. 4
      packages/nc-gui/middleware/auth.global.ts
  2. 2
      packages/nc-lib-gui/package.json
  3. 2
      packages/nocodb-sdk/package.json
  4. 4
      packages/nocodb/package.json
  5. 267
      packages/nocodb/src/helpers/initAdminFromEnv.ts
  6. 11
      packages/nocodb/src/middlewares/extract-ids/extract-ids.middleware.ts
  7. 2
      packages/nocodb/src/models/User.ts
  8. 1
      packages/nocodb/src/services/api-docs/swagger/getSwaggerColumnMetas.ts
  9. 6
      packages/nocodb/src/services/api-docs/swagger/templates/paths.ts
  10. 17
      packages/nocodb/src/strategies/authtoken.strategy/authtoken.strategy.ts

4
packages/nc-gui/middleware/auth.global.ts

@ -85,7 +85,7 @@ export default defineNuxtRouteMiddleware(async (to, from) => {
}
} else {
/** If page is limited to certain users verify the user have the roles */
if (to.meta.allowedRoles && to.meta.allowedRoles.every((role) => !allRoles.value[role])) {
if (to.meta.allowedRoles && to.meta.allowedRoles.every((role) => !allRoles.value?.[role])) {
message.error("You don't have enough permission to access the page.")
return navigateTo('/')
}
@ -94,7 +94,7 @@ export default defineNuxtRouteMiddleware(async (to, from) => {
if (to.params.projectId && from.params.projectId !== to.params.projectId) {
const user = await api.auth.me({ project_id: to.params.projectId as string })
if (user?.roles?.user) {
if (user?.roles?.guest) {
message.error("You don't have enough permission to access the project.")
return navigateTo('/')

2
packages/nc-lib-gui/package.json

@ -1,6 +1,6 @@
{
"name": "nc-lib-gui",
"version": "0.111.2",
"version": "0.111.3",
"description": "NocoDB GUI",
"author": {
"name": "NocoDB",

2
packages/nocodb-sdk/package.json

@ -1,6 +1,6 @@
{
"name": "nocodb-sdk",
"version": "0.111.2",
"version": "0.111.3",
"description": "NocoDB SDK",
"main": "build/main/index.js",
"typings": "build/main/index.d.ts",

4
packages/nocodb/package.json

@ -1,6 +1,6 @@
{
"name": "nocodb",
"version": "0.111.2",
"version": "0.111.3",
"description": "NocoDB Backend",
"main": "dist/bundle.js",
"author": {
@ -129,7 +129,7 @@
"mysql2": "^3.2.0",
"nanoid": "^3.1.20",
"nc-help": "^0.2.88",
"nc-lib-gui": "0.111.2",
"nc-lib-gui": "0.111.3",
"nc-plugin": "^0.1.3",
"ncp": "^2.0.0",
"nestjs-kafka": "^1.0.6",

267
packages/nocodb/src/helpers/initAdminFromEnv.ts

@ -62,7 +62,7 @@ export default async function initAdminFromEnv(_ncMeta = Noco.ncMeta) {
salt,
);
const email_verification_token = uuidv4();
const roles = 'user,super';
const roles = 'org-level-creator,super';
// if super admin not present
if (await User.isFirst(ncMeta)) {
@ -78,6 +78,7 @@ export default async function initAdminFromEnv(_ncMeta = Noco.ncMeta) {
salt,
password,
email_verification_token,
token_version: randomTokenString(),
roles,
},
ncMeta,
@ -89,122 +90,153 @@ export default async function initAdminFromEnv(_ncMeta = Noco.ncMeta) {
salt,
);
const email_verification_token = uuidv4();
const superUser = await ncMeta.metaGet2(null, null, MetaTable.USERS, {
roles: 'user,super',
});
// TODO improve this
const superUsers = await ncMeta.metaList2(null, null, MetaTable.USERS);
if (!superUser?.id) {
const existingUserWithNewEmail = await User.getByEmail(email, ncMeta);
if (existingUserWithNewEmail?.id) {
// clear cache
await NocoCache.delAll(
CacheScope.USER,
`${existingUserWithNewEmail.email}___*`,
);
await NocoCache.del(
`${CacheScope.USER}:${existingUserWithNewEmail.id}`,
);
await NocoCache.del(
`${CacheScope.USER}:${existingUserWithNewEmail.email}`,
);
let superUserPresent = false;
// Update email and password of super admin account
await User.update(
existingUserWithNewEmail.id,
{
salt,
email,
password,
email_verification_token,
token_version: randomTokenString(),
refresh_token: null,
roles,
},
ncMeta,
);
} else {
T.emit('evt', {
evt_type: 'project:invite',
count: 1,
});
for (const user of superUsers) {
if (!user.roles?.includes('super')) continue;
await User.insert(
{
email,
salt,
password,
email_verification_token,
roles,
},
ncMeta,
);
}
} else if (email !== superUser.email) {
// update admin email and password and migrate projects
// if user already present and associated with some project
superUserPresent = true;
// check user account already present with the new admin email
const existingUserWithNewEmail = await User.getByEmail(email, ncMeta);
if (email !== user.email) {
// update admin email and password and migrate projects
// if user already present and associated with some project
if (existingUserWithNewEmail?.id) {
// get all project access belongs to the existing account
// and migrate to the admin account
const existingUserProjects = await ncMeta.metaList2(
null,
null,
MetaTable.PROJECT_USERS,
{
condition: { fk_user_id: existingUserWithNewEmail.id },
},
// check user account already present with the new admin email
const existingUserWithNewEmail = await User.getByEmail(
email,
ncMeta,
);
for (const existingUserProject of existingUserProjects) {
const userProject = await ProjectUser.get(
existingUserProject.project_id,
superUser.id,
ncMeta,
if (existingUserWithNewEmail?.id) {
// get all project access belongs to the existing account
// and migrate to the admin account
const existingUserProjects = await ncMeta.metaList2(
null,
null,
MetaTable.PROJECT_USERS,
{
condition: { fk_user_id: existingUserWithNewEmail.id },
},
);
// if admin user already have access to the project
// then update role based on the highest access level
if (userProject) {
if (
rolesLevel[userProject.roles] >
rolesLevel[existingUserProject.roles]
) {
await ProjectUser.update(
userProject.project_id,
superUser.id,
existingUserProject.roles,
for (const existingUserProject of existingUserProjects) {
const userProject = await ProjectUser.get(
existingUserProject.project_id,
user.id,
ncMeta,
);
// if admin user already have access to the project
// then update role based on the highest access level
if (userProject) {
if (
rolesLevel[userProject.roles] >
rolesLevel[existingUserProject.roles]
) {
await ProjectUser.update(
userProject.project_id,
user.id,
existingUserProject.roles,
ncMeta,
);
}
} else {
// if super doesn't have access then add the access
await ProjectUser.insert(
{
...existingUserProject,
fk_user_id: user.id,
},
ncMeta,
);
}
} else {
// if super doesn't have access then add the access
await ProjectUser.insert(
{
...existingUserProject,
fk_user_id: superUser.id,
},
// delete the old project access entry from DB
await ProjectUser.delete(
existingUserProject.project_id,
existingUserProject.fk_user_id,
ncMeta,
);
}
// delete the old project access entry from DB
await ProjectUser.delete(
existingUserProject.project_id,
existingUserProject.fk_user_id,
// delete existing user
await ncMeta.metaDelete(
null,
null,
MetaTable.USERS,
existingUserWithNewEmail.id,
);
// clear cache
await NocoCache.delAll(
CacheScope.USER,
`${existingUserWithNewEmail.email}___*`,
);
await NocoCache.del(
`${CacheScope.USER}:${existingUserWithNewEmail.id}`,
);
await NocoCache.del(
`${CacheScope.USER}:${existingUserWithNewEmail.email}`,
);
// Update email and password of super admin account
await User.update(
user.id,
{
salt,
email,
password,
email_verification_token,
token_version: randomTokenString(),
refresh_token: null,
},
ncMeta,
);
} else {
// if no user present with the new admin email update the email and password
await User.update(
user.id,
{
salt,
email,
password,
email_verification_token,
token_version: randomTokenString(),
refresh_token: null,
},
ncMeta,
);
}
// delete existing user
await ncMeta.metaDelete(
null,
null,
MetaTable.USERS,
existingUserWithNewEmail.id,
} else {
const newPasswordHash = await promisify(bcrypt.hash)(
process.env.NC_ADMIN_PASSWORD,
user.salt,
);
if (newPasswordHash !== user.password) {
// if email's are same and passwords are different
// then update the password and token version
await User.update(
user.id,
{
salt,
password,
email_verification_token,
token_version: randomTokenString(),
refresh_token: null,
},
ncMeta,
);
}
}
}
if (!superUserPresent) {
// check user account already present with the new admin email
const existingUserWithNewEmail = await User.getByEmail(email, ncMeta);
if (existingUserWithNewEmail?.id) {
// clear cache
await NocoCache.delAll(
CacheScope.USER,
@ -217,9 +249,9 @@ export default async function initAdminFromEnv(_ncMeta = Noco.ncMeta) {
`${CacheScope.USER}:${existingUserWithNewEmail.email}`,
);
// Update email and password of super admin account
// Update password and roles of existing user
await User.update(
superUser.id,
existingUserWithNewEmail.id,
{
salt,
email,
@ -227,52 +259,37 @@ export default async function initAdminFromEnv(_ncMeta = Noco.ncMeta) {
email_verification_token,
token_version: randomTokenString(),
refresh_token: null,
roles,
},
ncMeta,
);
} else {
// if email's are not different update the password and hash
await User.update(
superUser.id,
{
salt,
email,
password,
email_verification_token,
token_version: randomTokenString(),
refresh_token: null,
},
ncMeta,
);
}
} else {
const newPasswordHash = await promisify(bcrypt.hash)(
process.env.NC_ADMIN_PASSWORD,
superUser.salt,
);
// no super user present and no user present with the new admin email
T.emit('evt', {
evt_type: 'project:invite',
count: 1,
});
if (newPasswordHash !== superUser.password) {
// if email's are same and passwords are different
// then update the password and token version
await User.update(
superUser.id,
await User.insert(
{
email,
salt,
password,
email_verification_token,
token_version: randomTokenString(),
refresh_token: null,
roles,
},
ncMeta,
);
}
}
}
await ncMeta.commit();
} catch (e) {
console.log('Error occurred while updating/creating admin user');
console.log(e);
await ncMeta.rollback(e);
throw e;
}
}
}

11
packages/nocodb/src/middlewares/extract-ids/extract-ids.middleware.ts

@ -180,8 +180,8 @@ export class ExtractIdsMiddleware implements NestMiddleware, CanActivate {
}
function getUserRoleForScope(user: any, scope: string) {
if (scope === 'project' || scope === 'workspace') {
return user?.project_roles || user?.workspace_roles;
if (scope === 'project') {
return user?.project_roles;
} else if (scope === 'org') {
return user?.roles;
}
@ -220,6 +220,13 @@ export class AclMiddleware implements NestInterceptor {
NcError.forbidden('Unauthorized access');
}
// assign owner role to super admin for all projects
if (userScopeRole === OrgUserRoles.SUPER_ADMIN) {
req.user.project_roles = {
[ProjectRoles.OWNER]: true,
};
}
const roles: Record<string, boolean> = extractRolesObj(userScopeRole);
if (req?.user?.is_api_token && blockApiTokenAccess) {

2
packages/nocodb/src/models/User.ts

@ -87,7 +87,7 @@ export default class User implements UserType {
// check if the target email addr is in use or not
const targetUser = await this.getByEmail(updateObj.email, ncMeta);
if (targetUser.id !== id) {
if (targetUser && targetUser.id !== id) {
NcError.badRequest('email is in use');
}
} else {

1
packages/nocodb/src/services/api-docs/swagger/getSwaggerColumnMetas.ts

@ -36,6 +36,7 @@ export default async (
field.type = 'object';
break;
case UITypes.Rollup:
case UITypes.Links:
field.type = 'number';
break;
case UITypes.Attachment:

6
packages/nocodb/src/services/api-docs/swagger/templates/paths.ts

@ -1,4 +1,4 @@
import { ModelTypes, UITypes } from 'nocodb-sdk';
import { isLinksOrLTAR, ModelTypes, UITypes } from 'nocodb-sdk';
import {
columnNameParam,
columnNameQueryParam,
@ -670,7 +670,5 @@ function getPaginatedResponseType(type: string) {
};
}
function isRelationExist(columns: SwaggerColumn[]) {
return columns.some(
(c) => c.column.uidt === UITypes.LinkToAnotherRecord && !c.column.system,
);
return columns.some((c) => isLinksOrLTAR(c.column) && !c.column.system);
}

17
packages/nocodb/src/strategies/authtoken.strategy/authtoken.strategy.ts

@ -1,5 +1,6 @@
import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { extractRolesObj, ProjectRoles } from 'nocodb-sdk';
import { Strategy } from 'passport-custom';
import { ApiToken, ProjectUser, User } from '~/models';
import { sanitiseUserObj } from '~/utils';
@ -16,9 +17,12 @@ export class AuthTokenStrategy extends PassportStrategy(Strategy, 'authtoken') {
return callback({ msg: 'Invalid token' });
}
user = {};
user = {
is_api_token: true,
};
if (!apiToken.fk_user_id) {
user.roles = 'editor';
user.project_roles = extractRolesObj(ProjectRoles.EDITOR);
return callback(null, user);
}
@ -29,17 +33,18 @@ export class AuthTokenStrategy extends PassportStrategy(Strategy, 'authtoken') {
Object.assign(user, {
id: dbUser.id,
roles: dbUser.roles,
roles: extractRolesObj(dbUser.roles),
});
dbUser.is_api_token = true;
if (req['ncProjectId']) {
const projectUser = await ProjectUser.get(
req['ncProjectId'],
dbUser.id,
);
user.roles = projectUser?.roles || dbUser.roles;
user.roles = user.roles === 'owner' ? 'owner,creator' : user.roles;
user.project_roles = extractRolesObj(projectUser?.roles);
if (user.project_roles.owner) {
user.project_roles.creator = true;
}
return callback(null, sanitiseUserObj(user));
}
}

Loading…
Cancel
Save