New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FOUR-14018: Unauthorized Users Can View Screens, Data Connectors, and Decision Tables #6185
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The fix is correct, after click on the links in the breadcrumb for users without permissions, a unauthorized is showed. Users can view their own assets in a project
Screen.Recording.2024-02-08.at.11.25.33.mov
Screen.Recording.2024-02-08.at.11.31.20.mov
Another issue was discovered while reviewing. The ellipsis menu for the assets in a project does not show the edit and configure for a user without permissions applied like "Edit screen". After sync with @estebangallego this is going to be addressed in a separated ticket:
Screen.Recording.2024-02-08.at.11.34.51.mov
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another issue detected is the icons in the left bar continue showing when the user does not have permissions. After sync with @estebangallego this issue is going to be addressed in another ticket.
Screen.Recording.2024-02-08.at.11.37.35.mov
Thank you @agustinbusso! A ticket FOUR-14092 has been created regarding this observation |
Quality Gate passedKudos, no new issues were introduced! 0 New issues |
Issue & Reproduction Steps
Users without the appropriate permissions can see a list of screens, data connectors, and decision tables.
Steps to Reproduce:
At this moment, we're able to see a list of Screens, DataConnector and Decision Tables
Solution
Modify the $allowedEndpoints array to explicitly include the specific endpoint corresponding to the current user's own assets. This will grant the user permission to modify their assets while continuing to restrict access to the system's other assets.
How to Test
Please follow the 'Steps to Reproduce' and verify that in steps 7 and 8, the user encounters an 'unauthorized' page, confirming that access is correctly restricted.
Related Tickets & Packages
ci:next
Code Review Checklist