
feat(api): show tokens only belongs to the user for non-super admin user

Signed-off-by: Pranav C <pranavxc@gmail.com>
Pranav C 2 years ago
parent
commit
77230b96c2
  1. 20
      packages/nocodb/src/lib/meta/api/orgTokenApis.ts
  2. 11
      packages/nocodb/src/lib/models/ApiToken.ts

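--- a/packages/nocodb/src/lib/meta/api/orgTokenApis.ts
+++ b/packages/nocodb/src/lib/meta/api/orgTokenApis.ts
@@ -3,14 +3,20 @@ import { OrgUserRoles } from '../../../enums/OrgUserRoles';
 import ApiToken from '../../models/ApiToken';
 import { Tele } from '../../utils/Tele';
 import { metaApiMetrics } from '../helpers/apiMetrics';
+import { NcError } from '../helpers/catchError';
 import ncMetaAclMw from '../helpers/ncMetaAclMw';
 import { PagedResponseImpl } from '../helpers/PagedResponse';
 async function apiTokenList(req, res) {
+  let fk_user_id = req.user.id;
+  if (req.user.roles.includes(OrgUserRoles.SUPER)) {
+    fk_user_id = undefined;
+  }
   res.json(
     new PagedResponseImpl(await ApiToken.listWithCreatedBy(req.query), {
       ...req.query,
       count: await ApiToken.count(),
+      fk_user_id,
     })
   );
 }
@@ -21,6 +27,14 @@ export async function apiTokenCreate(req: Request, res: Response) {
 }
 export async function apiTokenDelete(req: Request, res: Response) {
+  const fk_user_id = req['user'].id;
+  const apiToken = await ApiToken.getByToken(req.params.apiTokenId);
+  if (
+    !req['user'].roles.includes(OrgUserRoles.SUPER) &&
+    apiToken.fk_user_id !== fk_user_id
+  ) {
+    NcError.notFound('Token not found');
+  }
   Tele.emit('evt', { evt_type: 'org:apiToken:deleted' });
   res.json(await ApiToken.delete(req.params.token));
 }
@@ -31,7 +45,7 @@ router.get(
   '/api/v1/tokens',
   metaApiMetrics,
   ncMetaAclMw(apiTokenList, 'apiTokenList', {
-    allowedRoles: [OrgUserRoles.SUPER],
+    // allowedRoles: [OrgUserRoles.SUPER],
     blockApiTokenAccess: true,
   })
 );
@@ -39,7 +53,7 @@ router.post(
   '/api/v1/tokens',
   metaApiMetrics,
   ncMetaAclMw(apiTokenCreate, 'apiTokenCreate', {
-    allowedRoles: [OrgUserRoles.SUPER],
+    // allowedRoles: [OrgUserRoles.SUPER],
     blockApiTokenAccess: true,
   })
 );
@@ -47,7 +61,7 @@ router.delete(
   '/api/v1/tokens/:token',
   metaApiMetrics,
   ncMetaAclMw(apiTokenDelete, 'apiTokenDelete', {
-    allowedRoles: [OrgUserRoles.SUPER],
+    // allowedRoles: [OrgUserRoles.SUPER],
     blockApiTokenAccess: true,
   })
 );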
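Review bot: In apiTokenList the server-derived `fk_user_id` is placed in the PagedResponseImpl options object, while `ApiToken.listWithCreatedBy` still receives the bare `req.query`, so for a non-super user the list is not restricted to their own tokens and the only way the filter engages is a client-supplied `fk_user_id` in the query string; change the call to `await ApiToken.listWithCreatedBy({ ...req.query, fk_user_id })` so the value from the session is applied last and cannot be overridden from the request. `ApiToken.count()` remains unfiltered, so the reported total will not match the filtered rows for non-super users. In apiTokenDelete the ownership check reads `req.params.apiTokenId`, but the route below declares the parameter as `:token` and the delete itself uses `req.params.token`, so `getByToken` is called with `undefined` and `apiToken.fk_user_id` dereferences whatever that returns; use `req.params.token` and guard with `if (!apiToken || (!req['user'].roles.includes(OrgUserRoles.SUPER) && apiToken.fk_user_id !== fk_user_id))`. The check also appears to rely on `NcError.notFound` throwing; if it only constructs the error, the delete on the following line still executes, so a `return` after the call would make the intent explicit.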

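--- a/packages/nocodb/src/lib/models/ApiToken.ts
+++ b/packages/nocodb/src/lib/models/ApiToken.ts
@@ -78,7 +78,11 @@ export default class ApiToken {
   }
   public static async listWithCreatedBy(
-    { limit = 10, offset = 0 }: { limit: number; offset: number },
+    {
+      limit = 10,
+      offset = 0,
+      fk_user_id,
+    }: { limit: number; offset: number; fk_user_id?: string },
     ncMeta = Noco.ncMeta
   ) {
     const queryBuilder = ncMeta
@@ -103,6 +107,11 @@ export default class ApiToken {
       )
       .as('created_by')
     );
+    if (fk_user_id) {
+      queryBuilder.where('fk_user_id', fk_user_id);
+    }
     return queryBuilder;
   }
 }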
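Review bot: The new `fk_user_id` parameter of listWithCreatedBy is undocumented even though this method is now the ownership boundary for token listing; a TSDoc comment on the method would help, for example `/** Lists API tokens with creator info. When fk_user_id is given, only tokens whose fk_user_id matches are returned; callers must derive it from the authenticated session, not from client input. */`. The `if (fk_user_id)` truthiness test means an empty string disables the filter, so if empty values are possible `if (fk_user_id != null)` is the stricter form. The enclosing class continues outside the hunk.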
