-
Notifications
You must be signed in to change notification settings - Fork 5.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Integrate permissions into entityAncestry
endpoint in catalog-backend
#8853
Integrate permissions into entityAncestry
endpoint in catalog-backend
#8853
Conversation
🦋 Changeset detectedLatest commit: 48248e2 The changes in this PR will be included in the next version bump. This PR includes changesets to release 9 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
53ed9b6
to
cf60309
Compare
plugins/catalog-backend/src/service/AuthorizedEntitiesCatalog.ts
Outdated
Show resolved
Hide resolved
plugins/catalog-backend/src/service/AuthorizedEntitiesCatalog.ts
Outdated
Show resolved
Hide resolved
this.findUnauthorizedParents( | ||
rootEntityRef, | ||
ancestryResult.items, | ||
new Set(rootUnauthorizedEntityRefs), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could have created this set upfront once on line 100.
Should be possible to batch form a single set upfront I think?
// as a matter of fact i'm not entirely sure that there can ever exist a
// parent entity ref that is NOT already among the entities themselves
// so we may not even have to look at the parentEntityRefs here
const allRefs = lodash.uniq(
ancestryResult.items.flatMap(item => [
stringifyEntityRef(item.entity),
...item.parentEntityRefs,
])
);
// Batch check them all
const auth = await this.permissionApi.authorize(
allRefs.map(item => ({
permission: catalogEntityReadPermission,
resourceRef: item
})),
{ token: options?.authorizationToken },
);
const forbiddenRefs = new Set(
allRefs.filter((_, i) => auth[i].result === AuthorizeResult.DENY)
);
Feels like after this, we'd have to first check if rootEntityRef
was forbidden and then throw immediately, right?
And then filter the results by the forbidden filter, as well as their respective parent refs, in s single .filter.map chain
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The thing about this is that if one entity is denied but its parent is allowed, you'd get the parent back but not the entity itself. I'm recursing up the map in order to make sure any parents of a denied entity are not returned, regardless of whether that parent itself is allowed or not.
cf60309
to
fdc1482
Compare
Signed-off-by: Joon Park <joonp@spotify.com>
fdc1482
to
48248e2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's go!
Hey, I just made a Pull Request!
We call the underlying EntityCatalog's
entityAncestry
method from within the authorized service, and then batch authorize the resulting entities and filter out any unauthorized entities and their parents. Note: entityRefs to unauthorized parents may still appear within the returned results if the root child is authorized, but this was previously discussed as an acceptable tradeoff.✔️ Checklist
Signed-off-by
line in the message. (more info)