Make operations permissions required #7848

Merged: 8 commits, Aug 31, 2022

Noviny commented Aug 25, 2022

When looking at operations permissions, we have observed that this can often be misconfigured.
We additionally don't want to rely on true or false defaults that may be confusing or unexpected to users.

As a result, we are changing access.operations on lists to be explicitly required.

The basic change is the following:

- list({
-   access?: {
-     operation?: {
-       query?: ({ session, context, listKey, operation }) => boolean,
-       create?: ({ session, context, listKey, operation }) => boolean,
-       update?: ({ session, context, listKey, operation }) => boolean,
-       delete?: ({ session, context, listKey, operation }) => boolean,
-     }
-     ...
-   },
-   ...
- })
+ list({
+   access: {
+     operation: {
+       query: ({ session, context, listKey, operation }) => boolean,
+       create: ({ session, context, listKey, operation }) => boolean,
+       update: ({ session, context, listKey, operation }) => boolean,
+       delete: ({ session, context, listKey, operation }) => boolean,
+     }
+     ...
+   },
+   ...
+ })
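
Review bot: the key on the `operation:` line is singular on both the removed and the added side, while the sentence above names `access.operations` and the shorthand examples further down use `operations`; settle on one spelling in the description so that anyone migrating a list copies the key the types accept. It would also help to state whether the entries elided by `...` under `access` stay optional, since the visible lines only drop the `?` from `access`, `operation` and the four operation checks.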

To make this a bit easier, however, we are adding two new options.

list({
  access: ({ session, context, listKey, operation }) => boolean,
  ...
})

allows you to set all access controls at once, and

list({
  access: {
    operations: ({ session, context, listKey, operation }) => boolean,
    ...
  },
  ...
});

allows you to set all operations access controls for a list at once.

New exports

We are providing three new helper exports to help out with this change so you can have code that reads well:

import { allowAll, denyAll, allOperations } from "@keystone-6/core/access"

These functions should allow quickly applying access controls to lists. For example, to get the existing default access controls, you could do:

list({
  access: allowAll,
  ...
});

or

list({
  access: { operations: allowAll },
  ...
});

If you were setting access for create operations, you can quickly update to:

list({
  access: { operations: { ...allOperations(allowAll), create: myCustomCreateAccessCheck } },
  ...
});
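
The effect of making the operation checks required can be shown with a small stand-alone sketch; this is an added example, not part of the original pull request and not Keystone's implementation. The helper bodies are stand-ins for the exports named above, `resolveOperationAccess`, `can` and `isSignedIn` are hypothetical names, and the `operations` key is used as written in the shorthand snippets of the description.

```typescript
// Stand-ins for the helpers named in the description (assumed behaviour, not Keystone's code).
type Operation = 'query' | 'create' | 'update' | 'delete';
type AccessArgs = { session?: unknown; listKey: string; operation: Operation };
type Check = (args: AccessArgs) => boolean;
type OperationChecks = Record<Operation, Check>;
type ListAccess = Check | { operations: Check | Partial<OperationChecks> };

const OPERATIONS: Operation[] = ['query', 'create', 'update', 'delete'];

const allowAll: Check = () => true;
const denyAll: Check = () => false;
// Expand one check into an entry per operation, so single entries can be overridden.
const allOperations = (check: Check): OperationChecks => ({
  query: check, create: check, update: check, delete: check,
});

// Hypothetical resolver: normalise the three shapes from the description and
// fail at configuration time when access, or any one operation, is left unset.
function resolveOperationAccess(listKey: string, access?: ListAccess): OperationChecks {
  if (access === undefined) throw new Error(`${listKey}: access is required`);
  if (typeof access === 'function') return allOperations(access);
  const ops = access.operations;
  if (typeof ops === 'function') return allOperations(ops);
  const resolved = {} as OperationChecks;
  for (const op of OPERATIONS) {
    const check = ops?.[op];
    if (typeof check !== 'function') {
      throw new Error(`${listKey}: access.operations.${op} is required`);
    }
    resolved[op] = check;
  }
  return resolved;
}

// Evaluate one operation against the resolved checks.
function can(listKey: string, checks: OperationChecks, operation: Operation, session?: unknown): boolean {
  return checks[operation]({ session, listKey, operation });
}

// Constructed sample: start from denyAll, open reads, gate create on a session.
const isSignedIn: Check = ({ session }) => session !== undefined && session !== null;
const postAccess = resolveOperationAccess('Post', {
  operations: { ...allOperations(denyAll), query: allowAll, create: isSignedIn },
});
```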


Noviny commented Aug 25, 2022

Commit history should be a good guide here in understanding actual changes vs updating all our various configs to comply with the change.

TODO:

  • update docs to reflect the new reality
  • changeset

Noviny marked this pull request as ready for review August 30, 2022 11:36
dcousens force-pushed the make-permisssions-required branch 2 times, most recently from 91b9e92 to ecadf21, August 31, 2022 07:32
dcousens changed the title from "Make operations permisssions required" to "Make operations permissions required" Aug 31, 2022