Merge pull request #16782 from Budibase/fix/role-publish

Fix role publishing

Author: mike12345567

packages/backend-core/src/constants/db.ts

@@ -1,4 +1,9 @@
-import { prefixed, DocumentType } from "@budibase/types"
+import {
+  prefixed,
+  DocumentType,
+  SEPARATOR,
+  InternalTable,
+} from "@budibase/types"
 
 export {
   SEPARATOR,
@@ -78,6 +83,7 @@ export const DEFAULT_INVENTORY_TABLE_ID = "ta_bb_inventory"
 export const DEFAULT_EXPENSES_TABLE_ID = "ta_bb_expenses"
 export const DEFAULT_EMPLOYEE_TABLE_ID = "ta_bb_employee"
 export { DEFAULT_BB_DATASOURCE_ID } from "@budibase/shared-core"
+export const USER_METADATA_PREFIX = `${DocumentType.ROW}${SEPARATOR}${InternalTable.USER_METADATA}${SEPARATOR}`
 
 export const enum DesignDocuments {
   SQLITE = SQLITE_DESIGN_DOC_ID,

packages/backend-core/src/db/Replication.ts

@@ -1,13 +1,15 @@
 import PouchDB from "pouchdb"
-import { getPouchDB, closePouchDB } from "./couch"
-import { DocumentType, Document } from "@budibase/types"
-import { DesignDocuments } from "../constants"
+import { closePouchDB, getPouchDB } from "./couch"
+import { Document, DocumentType } from "@budibase/types"
+import { DesignDocuments, SEPARATOR, USER_METADATA_PREFIX } from "../constants"
 
 enum ReplicationDirection {
   TO_PRODUCTION = "toProduction",
   TO_DEV = "toDev",
 }
 
+type DocumentWithID = Omit<Document, "_id"> & { _id: string }
+
 class Replication {
   source: PouchDB.Database
   target: PouchDB.Database
@@ -78,33 +80,38 @@ class Replication {
       tableSyncList = tablesToSync
     }
 
-    const isData = (_id?: string) =>
-      _id?.startsWith(DocumentType.ROW) || _id?.startsWith(DocumentType.LINK)
+    const startsWithID = (_id: string, documentType: string) => {
+      return _id?.startsWith(documentType + SEPARATOR)
+    }
+
+    const isData = (_id: string) =>
+      startsWithID(_id, DocumentType.ROW) ||
+      startsWithID(_id, DocumentType.LINK)
 
     return {
       ...opts,
-      filter: (doc: Document, params: any) => {
+      filter: (doc: DocumentWithID, params: any) => {
         if (!isCreation && doc._id === DesignDocuments.MIGRATIONS) {
           return false
         }
         // don't sync design documents
-        if (toDev && doc._id?.startsWith("_design")) {
+        if (toDev && doc._id.startsWith("_design")) {
           return false
         }
         // always replicate deleted documents
         if (doc._deleted) {
           return true
         }
-        if (
-          isData(doc._id) &&
-          (tableSyncList?.find(id => doc._id?.includes(id)) || syncAllTables)
-        ) {
+        // always sync users from dev
+        if (startsWithID(doc._id, USER_METADATA_PREFIX)) {
           return true
         }
         if (isData(doc._id)) {
-          return false
+          return (
+            !!tableSyncList?.find(id => doc._id.includes(id)) || syncAllTables
+          )
         }
-        if (doc._id?.startsWith(DocumentType.AUTOMATION_LOG)) {
+        if (startsWithID(doc._id, DocumentType.AUTOMATION_LOG)) {
           return false
         }
         if (doc._id === DocumentType.APP_METADATA) {

packages/server/src/api/controllers/deploy/index.ts

@@ -251,6 +251,9 @@ export const publishApp = async function (
         replication.appReplicateOpts({
           isCreation: !isPublished,
           tablesToSync,
+          // don't use checkpoints, this can stop data that was previous ignored
+          // getting written - if not seeding tables we don't need to worry about it
+          checkpoint: !seedProductionTables,
         })
       )
       // app metadata is excluded as it is likely to be in conflict

packages/server/src/api/routes/tests/application.spec.ts

@@ -17,6 +17,7 @@ import env from "../../../environment"
 import {
   type App,
   BuiltinPermissionID,
+  PermissionLevel,
   Screen,
   WorkspaceApp,
 } from "@budibase/types"
@@ -1101,6 +1102,47 @@ describe.each([false, true])(
           ).toBeUndefined()
         })
       })
+
+      it("should publish table permissions for custom roles correctly", async () => {
+        // Create a table for testing permissions
+        const table = await config.api.table.save(basicTable())
+        expect(table._id).toBeDefined()
+
+        // Create a custom role
+        const customRole = await config.api.roles.save({
+          name: "TestRole",
+          inherits: "PUBLIC",
+          permissionId: BuiltinPermissionID.READ_ONLY,
+          version: "name",
+        })
+        expect(customRole._id).toBeDefined()
+
+        // Add READ permission for the custom role on the table
+        await config.api.permission.add({
+          roleId: customRole._id!,
+          resourceId: table._id!,
+          level: PermissionLevel.READ,
+        })
+
+        // Verify permissions exist in development
+        const devPermissions = await config.api.permission.get(table._id!)
+        expect(devPermissions.permissions.read.role).toBe(customRole.name)
+
+        // Publish the application
+        await config.publish()
+
+        // Verify permissions are correctly published to production
+        await config.withProdApp(async () => {
+          const prodPermissions = await config.api.permission.get(table._id!)
+          expect(prodPermissions.permissions.read.role).toBe(customRole.name)
+
+          // Also verify the role itself exists in production
+          const roles = await config.api.roles.fetch()
+          const prodRole = roles.find(r => r.name === customRole.name)
+          expect(prodRole).toBeDefined()
+          expect(prodRole!.name).toBe("TestRole")
+        })
+      })
     })
 
     describe("manage client library version", () => {