GeneralBots/botserver
2
1
Fork 0
Code Issues Pull requests Projects Releases 323 Packages Wiki Activity Actions

Add dynamic table check to all db_api handlers

Browse source 
- Added is_table_allowed_with_conn check to get_record_handler
- Added is_table_allowed_with_conn check to create_record_handler
- Added is_table_allowed_with_conn check to update_record_handler
- Added is_table_allowed_with_conn check to delete_record_handler
- Returns 404 with clear message if table doesn't exist
This commit is contained in:
Rodrigo Rodriguez (Pragmatismo) 2026-01-02 19:18:58 -03:00
parent 56265ee5d2
commit 65b2583add
1 changed files with 56 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

56
src/basic/keywords/db_api.rs
View file

@ -256,6 +256,20 @@ pub async fn get_record_handler(
.into_response(); .into_response();
}; };
// Check if table actually exists in database (supports dynamic tables from app_generator)
if !is_table_allowed_with_conn(&mut conn, &table_name) {
warn!("Table not found in database: {}", table_name);
return (
StatusCode::NOT_FOUND,
Json(RecordResponse {
success: false,
data: None,
message: Some(format!("Table '{}' not found", table_name)),
}),
)
.into_response();
}
// Check table-level read access // Check table-level read access
let access_info = let access_info =
match check_table_access(&mut conn, &table_name, &user_roles, AccessType::Read) { match check_table_access(&mut conn, &table_name, &user_roles, AccessType::Read) {
@ -358,6 +372,20 @@ pub async fn create_record_handler(
.into_response(); .into_response();
}; };
// Check if table actually exists in database (supports dynamic tables from app_generator)
if !is_table_allowed_with_conn(&mut conn, &table_name) {
warn!("Table not found in database: {}", table_name);
return (
StatusCode::NOT_FOUND,
Json(RecordResponse {
success: false,
data: None,
message: Some(format!("Table '{}' not found", table_name)),
}),
)
.into_response();
}
let access_info = let access_info =
match check_table_access(&mut conn, &table_name, &user_roles, AccessType::Write) { match check_table_access(&mut conn, &table_name, &user_roles, AccessType::Write) {
Ok(info) => info, Ok(info) => info,
@ -494,6 +522,20 @@ pub async fn update_record_handler(
} }
}; };
// Check if table actually exists in database (supports dynamic tables from app_generator)
if !is_table_allowed_with_conn(&mut conn, &table_name) {
warn!("Table not found in database: {}", table_name);
return (
StatusCode::NOT_FOUND,
Json(RecordResponse {
success: false,
data: None,
message: Some(format!("Table '{}' not found", table_name)),
}),
)
.into_response();
}
// Check table-level write access // Check table-level write access
let access_info = let access_info =
match check_table_access(&mut conn, &table_name, &user_roles, AccessType::Write) { match check_table_access(&mut conn, &table_name, &user_roles, AccessType::Write) {
@ -591,6 +633,20 @@ pub async fn delete_record_handler(
.into_response(); .into_response();
}; };
// Check if table actually exists in database (supports dynamic tables from app_generator)
if !is_table_allowed_with_conn(&mut conn, &table_name) {
warn!("Table not found in database: {}", table_name);
return (
StatusCode::NOT_FOUND,
Json(DeleteResponse {
success: false,
deleted: 0,
message: Some(format!("Table '{}' not found", table_name)),
}),
)
.into_response();
}
if let Err(e) = check_table_access(&mut conn, &table_name, &user_roles, AccessType::Write) { if let Err(e) = check_table_access(&mut conn, &table_name, &user_roles, AccessType::Write) {
return ( return (
StatusCode::FORBIDDEN, StatusCode::FORBIDDEN,