diff --git a/packages/nocodb/src/lib/meta/api/orgTokenApis.ts b/packages/nocodb/src/lib/meta/api/orgTokenApis.ts index c20aa4e0f0..d14b6c8246 100644 --- a/packages/nocodb/src/lib/meta/api/orgTokenApis.ts +++ b/packages/nocodb/src/lib/meta/api/orgTokenApis.ts @@ -3,14 +3,20 @@ import { OrgUserRoles } from '../../../enums/OrgUserRoles'; import ApiToken from '../../models/ApiToken'; import { Tele } from '../../utils/Tele'; import { metaApiMetrics } from '../helpers/apiMetrics'; +import { NcError } from '../helpers/catchError'; import ncMetaAclMw from '../helpers/ncMetaAclMw'; import { PagedResponseImpl } from '../helpers/PagedResponse'; async function apiTokenList(req, res) { + let fk_user_id = req.user.id; + if (req.user.roles.includes(OrgUserRoles.SUPER)) { + fk_user_id = undefined; + } res.json( new PagedResponseImpl(await ApiToken.listWithCreatedBy(req.query), { ...req.query, count: await ApiToken.count(), + fk_user_id, }) ); } @@ -21,6 +27,14 @@ export async function apiTokenCreate(req: Request, res: Response) { } export async function apiTokenDelete(req: Request, res: Response) { + const fk_user_id = req['user'].id; + const apiToken = await ApiToken.getByToken(req.params.apiTokenId); + if ( + !req['user'].roles.includes(OrgUserRoles.SUPER) && + apiToken.fk_user_id !== fk_user_id + ) { + NcError.notFound('Token not found'); + } Tele.emit('evt', { evt_type: 'org:apiToken:deleted' }); res.json(await ApiToken.delete(req.params.token)); } @@ -31,7 +45,7 @@ router.get( '/api/v1/tokens', metaApiMetrics, ncMetaAclMw(apiTokenList, 'apiTokenList', { - allowedRoles: [OrgUserRoles.SUPER], + // allowedRoles: [OrgUserRoles.SUPER], blockApiTokenAccess: true, }) ); @@ -39,7 +53,7 @@ router.post( '/api/v1/tokens', metaApiMetrics, ncMetaAclMw(apiTokenCreate, 'apiTokenCreate', { - allowedRoles: [OrgUserRoles.SUPER], + // allowedRoles: [OrgUserRoles.SUPER], blockApiTokenAccess: true, }) ); @@ -47,7 +61,7 @@ router.delete( '/api/v1/tokens/:token', metaApiMetrics, ncMetaAclMw(apiTokenDelete, 'apiTokenDelete', { - allowedRoles: [OrgUserRoles.SUPER], + // allowedRoles: [OrgUserRoles.SUPER], blockApiTokenAccess: true, }) ); diff --git a/packages/nocodb/src/lib/models/ApiToken.ts b/packages/nocodb/src/lib/models/ApiToken.ts index 4db4e3f166..0be6429ae1 100644 --- a/packages/nocodb/src/lib/models/ApiToken.ts +++ b/packages/nocodb/src/lib/models/ApiToken.ts @@ -78,7 +78,11 @@ export default class ApiToken { } public static async listWithCreatedBy( - { limit = 10, offset = 0 }: { limit: number; offset: number }, + { + limit = 10, + offset = 0, + fk_user_id, + }: { limit: number; offset: number; fk_user_id?: string }, ncMeta = Noco.ncMeta ) { const queryBuilder = ncMeta @@ -103,6 +107,11 @@ export default class ApiToken { ) .as('created_by') ); + + if (fk_user_id) { + queryBuilder.where('fk_user_id', fk_user_id); + } + return queryBuilder; } }