feat(security): secure segments queries #495
Conversation
```ruby
refresh_rendering_cache if rendering_cache_expired?

# NOTICE: In this case we need to check that the query is allowed
if @collection_list_parameters[:segmentQuery].present?
  return false unless segment_query_allowed?
```
Relevant code.
```ruby
def segment_query_allowed?
  segments_queries_permissions = get_segments_in_permissions

  return false unless segments_queries_permissions

  # NOTICE: the requested segmentQuery must exactly match one of the segment
  # queries declared in the permissions
  return segments_queries_permissions.include? @collection_list_parameters[:segmentQuery]
end
```
Relevant code for checking query segments allowed
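The guard shown in the two excerpts above, rebuilt as a stand-alone model so it can be exercised outside the gem. This is an added example, not forest_liana's own code: `PermissionsCache`, `SegmentQueryGuard`, the injectable clock and the sample segment queries are all constructed here to show how the permissions refresh and the exact-match allowlist work together.

```ruby
# Constructed example: models the PR's guard with a refreshable permissions
# cache and an exact-match check of the user-supplied segmentQuery.
class PermissionsCache
  # fetcher: callable returning the list of permitted segment queries (or nil)
  # clock:   injectable time source so expiry can be tested deterministically
  def initialize(fetcher, ttl_seconds:, clock: -> { Time.now })
    @fetcher = fetcher
    @ttl = ttl_seconds
    @clock = clock
    @fetched_at = nil
    @segment_queries = nil
  end

  # Mirrors rendering_cache_expired?: never fetched, or older than the TTL.
  def expired?
    @fetched_at.nil? || (@clock.call - @fetched_at) > @ttl
  end

  # Mirrors refresh_rendering_cache: re-pull permissions from the source.
  def refresh
    @segment_queries = @fetcher.call
    @fetched_at = @clock.call
  end

  def segment_queries
    refresh if expired?
    @segment_queries
  end
end

class SegmentQueryGuard
  def initialize(cache)
    @cache = cache
  end

  # Returns true when the request may proceed: either no custom segment query
  # was supplied, or the supplied one is exactly a declared segment query.
  # A missing/empty permissions list refuses every custom query.
  def allowed?(params)
    query = params[:segmentQuery]
    return true if query.nil? || query.empty?
    permitted = @cache.segment_queries
    return false unless permitted
    permitted.include?(query)
  end
end
```

A request carrying any query that is not byte-for-byte one of the declared segment queries (a widened SELECT, a reformatted copy, or anything typed by hand) is refused, which is the property the PR adds.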
# [7.0.0-beta.3](v7.0.0-beta.2...v7.0.0-beta.3) (2021-07-02)

### Features

* **security:** secure segments queries ([#495](#495)) ([571f889](571f889))

🎉 This PR is included in version 7.0.0-beta.3 🎉 The release is available on:

Your semantic-release bot 📦🚀
# [7.0.0](v6.6.2...v7.0.0) (2021-07-20)

### Bug Fixes

* **dependency:** now using forestadmin-jsonapi-serializers instead of the jsonapi-serializers gem ([#475](#475)) ([3feea36](3feea36))

### chore

* **force-release:** now using forestadmin-jsonapi-serializers instead of the jsonapi-serializers gem ([#464](#464)) ([00ee2a4](00ee2a4))

### Features

* **scopes:** enforce scopes restrictions on a wider range of requests ([#488](#488)) ([66825a3](66825a3))
* smart action hooks now have access to the http request ([#499](#499)) ([5cd4a0e](5cd4a0e))
* **hooks:** developers can dynamically add or remove smart actions fields ([#465](#465)) ([970f3d8](970f3d8))
* **security:** secure segments queries ([#495](#495)) ([571f889](571f889))

### BREAKING CHANGES

* record is no longer sent to the hook middleware & values option on smart action is no longer supported
* **hooks:** fields parameter on hook function is no longer a map of fields, it is now an array. change hook is no longer chosen by the field name, field needs to have hook defined inside its definition by adding a props hook.
* **dependency:** Switch from jsonapi-serializers to forestadmin-jsonapi-serializers to serialize data to the JSONAPI format, mainly to avoid conflict with the jsonapi-serializer library
* **force-release:** Switch from jsonapi-serializers to forestadmin-jsonapi-serializers to serialize data to the JSONAPI format, mainly to avoid conflict with the jsonapi-serializer library

🎉 This PR is included in version 7.0.0 🎉 The release is available on:

Your semantic-release bot 📦🚀
Pull Request checklist: