
feat(api): show tokens only belongs to the user for non-super admin user

Signed-off-by: Pranav C <pranavxc@gmail.com>
pull/4134/head
Pranav C 2 years ago
parent
commit
77230b96c2
  1. 20
      packages/nocodb/src/lib/meta/api/orgTokenApis.ts
  2. 11
      packages/nocodb/src/lib/models/ApiToken.ts

20
packages/nocodb/src/lib/meta/api/orgTokenApis.ts

@ -3,14 +3,20 @@ import { OrgUserRoles } from '../../../enums/OrgUserRoles';
import ApiToken from '../../models/ApiToken';
import { Tele } from '../../utils/Tele';
import { metaApiMetrics } from '../helpers/apiMetrics';
import { NcError } from '../helpers/catchError';
import ncMetaAclMw from '../helpers/ncMetaAclMw';
import { PagedResponseImpl } from '../helpers/PagedResponse';
async function apiTokenList(req, res) {
let fk_user_id = req.user.id;
if (req.user.roles.includes(OrgUserRoles.SUPER)) {
fk_user_id = undefined;
}
res.json(
new PagedResponseImpl(await ApiToken.listWithCreatedBy(req.query), {
...req.query,
count: await ApiToken.count(),
fk_user_id,
})
);
}
@ -21,6 +27,14 @@ export async function apiTokenCreate(req: Request, res: Response) {
}
export async function apiTokenDelete(req: Request, res: Response) {
const fk_user_id = req['user'].id;
const apiToken = await ApiToken.getByToken(req.params.apiTokenId);
if (
!req['user'].roles.includes(OrgUserRoles.SUPER) &&
apiToken.fk_user_id !== fk_user_id
) {
NcError.notFound('Token not found');
}
Tele.emit('evt', { evt_type: 'org:apiToken:deleted' });
res.json(await ApiToken.delete(req.params.token));
}
@ -31,7 +45,7 @@ router.get(
'/api/v1/tokens',
metaApiMetrics,
ncMetaAclMw(apiTokenList, 'apiTokenList', {
allowedRoles: [OrgUserRoles.SUPER],
// allowedRoles: [OrgUserRoles.SUPER],
blockApiTokenAccess: true,
})
);
@ -39,7 +53,7 @@ router.post(
'/api/v1/tokens',
metaApiMetrics,
ncMetaAclMw(apiTokenCreate, 'apiTokenCreate', {
allowedRoles: [OrgUserRoles.SUPER],
// allowedRoles: [OrgUserRoles.SUPER],
blockApiTokenAccess: true,
})
);
@ -47,7 +61,7 @@ router.delete(
'/api/v1/tokens/:token',
metaApiMetrics,
ncMetaAclMw(apiTokenDelete, 'apiTokenDelete', {
allowedRoles: [OrgUserRoles.SUPER],
// allowedRoles: [OrgUserRoles.SUPER],
blockApiTokenAccess: true,
})
);
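Review bot: In the first hunk the computed `fk_user_id` is passed into `PagedResponseImpl`'s options object rather than into the query, so `ApiToken.listWithCreatedBy(req.query)` still runs unscoped and a non-super-admin user receives every user's tokens (and `ApiToken.count()` counts all of them); the only `fk_user_id` that can reach the query is one the client itself puts in the query string. The list call should carry the server-side value, `await ApiToken.listWithCreatedBy({ ...req.query, fk_user_id })`, with the spread placed before it so a client-supplied parameter cannot override it, and the count should be scoped the same way if `ApiToken.count` accepts a filter (its signature is outside this diff). In the second hunk `apiTokenDelete` looks the token up with `req.params.apiTokenId`, but the route is declared as `/api/v1/tokens/:token` and the delete call a few lines later uses `req.params.token`, so the lookup receives `undefined` and the ownership check either throws on `apiToken.fk_user_id` or never compares against the real token. Use `req.params.token` there and guard the missing-record case: `if (!apiToken || (!req['user'].roles.includes(OrgUserRoles.SUPER) && apiToken.fk_user_id !== fk_user_id))`.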

11
packages/nocodb/src/lib/models/ApiToken.ts

@ -78,7 +78,11 @@ export default class ApiToken {
}
public static async listWithCreatedBy(
{ limit = 10, offset = 0 }: { limit: number; offset: number },
{
limit = 10,
offset = 0,
fk_user_id,
}: { limit: number; offset: number; fk_user_id?: string },
ncMeta = Noco.ncMeta
) {
const queryBuilder = ncMeta
@ -103,6 +107,11 @@ export default class ApiToken {
)
.as('created_by')
);
if (fk_user_id) {
queryBuilder.where('fk_user_id', fk_user_id);
}
return queryBuilder;
}
}
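Review bot: The `fk_user_id` filter added in the second hunk fails open: `if (fk_user_id)` skips the `where` for `undefined`, `null` and `''` alike, so a caller that omits the parameter, or forwards an empty string taken from request input, gets every user's tokens, and nothing in the signature tells a reader that the unfiltered path is meant for super admins only. Suggest a TSDoc comment on `listWithCreatedBy` stating that `fk_user_id` restricts the result to tokens created by that user, that leaving it unset returns tokens of all users, and that callers serving non-super-admin requests must always supply it. Consider also distinguishing "not provided" from "empty", e.g. `if (fk_user_id != null) {`, so an empty string filters to nothing rather than to everything. The method body between the two hunks is outside the diff, so I cannot confirm whether the `where` needs a qualified column name.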
