From 77230b96c2e9bd103be1b965d595dd3940c4cb70 Mon Sep 17 00:00:00 2001
From: Pranav C
Date: Sat, 22 Oct 2022 00:52:13 +0530
Subject: [PATCH] feat(api): show tokens only belongs to the user for non-super admin user
Signed-off-by: Pranav C
---
 .../nocodb/src/lib/meta/api/orgTokenApis.ts | 20 ++++++++++++++++---
 packages/nocodb/src/lib/models/ApiToken.ts | 11 +++++++++-
 2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/packages/nocodb/src/lib/meta/api/orgTokenApis.ts b/packages/nocodb/src/lib/meta/api/orgTokenApis.ts
index c20aa4e0f0..d14b6c8246 100644
--- a/packages/nocodb/src/lib/meta/api/orgTokenApis.ts
+++ b/packages/nocodb/src/lib/meta/api/orgTokenApis.ts
@@ -3,14 +3,20 @@ import { OrgUserRoles } from '../../../enums/OrgUserRoles';
 import ApiToken from '../../models/ApiToken';
 import { Tele } from '../../utils/Tele';
 import { metaApiMetrics } from '../helpers/apiMetrics';
+import { NcError } from '../helpers/catchError';
 import ncMetaAclMw from '../helpers/ncMetaAclMw';
 import { PagedResponseImpl } from '../helpers/PagedResponse';
 
 async function apiTokenList(req, res) {
+ let fk_user_id = req.user.id;
+ if (req.user.roles.includes(OrgUserRoles.SUPER)) {
+ fk_user_id = undefined;
+ }
 res.json(
 new PagedResponseImpl(await ApiToken.listWithCreatedBy(req.query), {
 ...req.query,
 count: await ApiToken.count(),
+ fk_user_id,
 })
 );
 }
@@ -21,6 +27,14 @@ export async function apiTokenCreate(req: Request, res: Response) {
 }
 
 export async function apiTokenDelete(req: Request, res: Response) {
+ const fk_user_id = req['user'].id;
+ const apiToken = await ApiToken.getByToken(req.params.apiTokenId);
+ if (
+ !req['user'].roles.includes(OrgUserRoles.SUPER) &&
+ apiToken.fk_user_id !== fk_user_id
+ ) {
+ NcError.notFound('Token not found');
+ }
 Tele.emit('evt', { evt_type: 'org:apiToken:deleted' });
 res.json(await ApiToken.delete(req.params.token));
 }
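Review bot: The per-user filter never reaches the query in `apiTokenList`: `fk_user_id` is added to PagedResponseImpl's second (page-info) argument, while `ApiToken.listWithCreatedBy(req.query)` still receives the raw request query, so a non-SUPER caller gets the full token list, and since `listWithCreatedBy` now reads `fk_user_id` from that object (see the ApiToken.ts hunk), the caller can even pick the filter with `?fk_user_id=<other user>` now that the route is no longer SUPER-only. Pass the server-derived value into the model call instead, `new PagedResponseImpl(await ApiToken.listWithCreatedBy({ ...req.query, fk_user_id }), {`, and drop `fk_user_id` from the page-info object so it is presumably not echoed back in the response. `count: await ApiToken.count()` is likewise unscoped; whether `count` accepts the same filter is not visible here, but the total should agree with the filtered list. A comment on the `let fk_user_id` line would help the next reader: `// non-SUPER callers only see their own tokens; SUPER gets undefined = no filter`.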
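Review bot: The ownership check in `apiTokenDelete` reads `req.params.apiTokenId`, but the route is declared as `/api/v1/tokens/:token` and the delete on the next line uses `req.params.token`, so `getByToken` is called with `undefined`; if it returns no row, `apiToken.fk_user_id` throws a TypeError before the role check runs, and the same happens for any unknown token. Look up by the real parameter and fail closed on a missing row: `const apiToken = await ApiToken.getByToken(req.params.token);` and `if (!apiToken || (!req['user'].roles.includes(OrgUserRoles.SUPER) && apiToken.fk_user_id !== fk_user_id)) {`. This also assumes `NcError.notFound` throws rather than returns an error object — if it only builds one, the `ApiToken.delete` call below still runs for a foreign token, so that contract is worth confirming.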
@@ -31,7 +45,7 @@ router.get(
 '/api/v1/tokens',
 metaApiMetrics,
 ncMetaAclMw(apiTokenList, 'apiTokenList', {
- allowedRoles: [OrgUserRoles.SUPER],
+ // allowedRoles: [OrgUserRoles.SUPER],
 blockApiTokenAccess: true,
 })
 );
@@ -39,7 +53,7 @@ router.post(
 '/api/v1/tokens',
 metaApiMetrics,
 ncMetaAclMw(apiTokenCreate, 'apiTokenCreate', {
- allowedRoles: [OrgUserRoles.SUPER],
+ // allowedRoles: [OrgUserRoles.SUPER],
 blockApiTokenAccess: true,
 })
 );
@@ -47,7 +61,7 @@ router.delete(
 '/api/v1/tokens/:token',
 metaApiMetrics,
 ncMetaAclMw(apiTokenDelete, 'apiTokenDelete', {
- allowedRoles: [OrgUserRoles.SUPER],
+ // allowedRoles: [OrgUserRoles.SUPER],
 blockApiTokenAccess: true,
 })
 );
diff --git a/packages/nocodb/src/lib/models/ApiToken.ts b/packages/nocodb/src/lib/models/ApiToken.ts
index 4db4e3f166..0be6429ae1 100644
--- a/packages/nocodb/src/lib/models/ApiToken.ts
+++ b/packages/nocodb/src/lib/models/ApiToken.ts
@@ -78,7 +78,11 @@ export default class ApiToken {
 }
 
 public static async listWithCreatedBy(
- { limit = 10, offset = 0 }: { limit: number; offset: number },
+ {
+ limit = 10,
+ offset = 0,
+ fk_user_id,
+ }: { limit: number; offset: number; fk_user_id?: string },
 ncMeta = Noco.ncMeta
 ) {
 const queryBuilder = ncMeta
@@ -103,6 +107,11 @@ export default class ApiToken {
 )
 .as('created_by')
 );
+
+ if (fk_user_id) {
+ queryBuilder.where('fk_user_id', fk_user_id);
+ }
+
 return queryBuilder;
 }
 }
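Review bot: Commenting out `allowedRoles` on the list route leaves dead code and gives no hint that authorization moved into the handler; delete the commented line and record where scoping now happens, e.g. `// open to every org user: apiTokenList limits results to the caller's own tokens unless SUPER`. With the role gate gone, whatever ncMetaAclMw does for a missing `allowedRoles` is what decides who can reach this route at all; that default is not visible in the diff and should be confirmed before merge.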
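Review bot: Opening the create route to non-SUPER users changes who can mint API tokens, yet nothing in this patch touches `apiTokenCreate`, so it is not visible whether a new token is stored with the caller's `fk_user_id` — the per-user list and delete checks added elsewhere in this patch depend on that column being populated. Confirm that `apiTokenCreate` sets the owner from `req.user.id` and ignores any client-supplied `fk_user_id` in the body; otherwise a token created by one user may be invisible to, and undeletable by, its creator. As on the list route, replace the commented-out `allowedRoles` line with a short comment rather than leaving it in place.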
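Review bot: `listWithCreatedBy` now accepts `fk_user_id` from the same object its only visible caller spreads from `req.query`, so the filter is effectively client-shaped unless every caller overwrites it from the authenticated principal; that contract belongs in a TSDoc comment on the method, e.g. `@param fk_user_id - when set, only tokens created by this user are returned; derive it from the authenticated user, never from request input. Leave undefined to list all tokens.` The method's body continues in the next hunk.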
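Review bot: `if (fk_user_id)` fails open: an empty string (for example a blank `?fk_user_id=` value reaching this method through the caller's `req.query` spread) disables the filter and returns every token, the opposite of the restriction intended. Test for presence rather than truthiness, `if (fk_user_id !== undefined) {`, so a blank value filters to zero rows instead of all rows. The `where('fk_user_id', ...)` column is unqualified; if the created_by subquery selected above is ever turned into a join, qualifying it with the table name would avoid an ambiguous-column error — whether that applies is not visible here. The enclosing method starts outside this hunk.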