feat(core): Implement project:viewer role
#9611
Conversation
They both test the same endoint but different features and just by reading the suites name it was not distinguishable.
n8n-assistant
bot
added
core
despairblue
force-pushed
the
pay-1423-add-new-project-viewer-role
branch
from
23921d4
to
e14d421
Compare
| @@ -275,7 +275,7 @@ export class CredentialsService { | |||
|
|
|||
| if (typeof projectId === 'string' && project === null) { | |||
| throw new BadRequestError( | |||
| "You don't have the permissions to save the workflow in this project.", | |||
| "You don't have the permissions to save the credential in this project.", | |||
| @@ -685,7 +685,7 @@ describe('POST /credentials', () => { | |||
| // | |||
| .expect(400, { | |||
| code: 400, | |||
| message: "You don't have the permissions to save the workflow in this project.", | |||
| message: "You don't have the permissions to save the credential in this project.", | |||
| expect(tp2Relations.find((p) => p.userId === ownerUser.id)?.role).toBe('project:editor'); | ||
| }); | ||
|
|
||
| test('should not add from a project adding user with an unlicensed role', async () => { |
There was a problem hiding this comment.
Yeah, I don't know what this means, but judging from the body this tests that you can't assign a role that isn't licensed.
I changed the title and amended the implementation to test editors and viewers.
There was a problem hiding this comment.
Make sure to ignore white space when reviewing this PR.
I combined all the PATCH suites into one describe block.
despairblue
force-pushed
the
pay-1423-add-new-project-viewer-role
branch
from
d58b228
to
fd41447
Compare
despairblue
force-pushed
the
pay-1423-add-new-project-viewer-role
branch
from
b954ce6
to
d3ab534
Compare
There was a problem hiding this comment.
Make sure to ignore white space when reviewing this PR.
I combined all the PATCH suites into one describe block.
| .get(`/credentials/${savedCredential.id}`); | ||
|
|
||
| expect(response.statusCode).toBe(200); | ||
| expect(response.body.data).toBeDefined(); |
There was a problem hiding this comment.
I'm wondering whether we should return this or not, as the UI only shows the fields if the credential:update scope exists, so the fields won't be visible in the UI, and returning the data is just more potential to leakage wdyt? Maybe we can remove the data attribute
There was a problem hiding this comment.
Now I'm thinking that this might be the top-level data and not the actual credential information, so it should be fine. I'll approve in this case.
There was a problem hiding this comment.
I amended the assertions, it now asserts that the viewer cannot see the data.data attribute.
2 flaky tests on run #5335 ↗︎
Details:
|
|||||||||||||||||||||||||||
| Test | Artifacts | |
|---|---|---|
| NDV > should not retrieve remote options when required params throw errors |
Screenshots
Video
|
|
24-ndv-paired-item.cy.ts • 1 flaky test
| Test | Artifacts | |
|---|---|---|
| NDV > resolves expression with default item when input node is not parent, while still pairing items |
Test Replay
Screenshots
Video
|
|
Review all test suite changes for PR #9611 ↗︎
|
✅ All Cypress E2E specs passed |
also making sure that the viewer cannot read credential data
|
✅ All Cypress E2E specs passed |
|
Got released with |
Summary
Add a project viewer role.
This role only allows the user to view workflows, credentials and executions within a project, but not to create or modify them.
Related tickets and issues
https://linear.app/n8n/issue/PAY-1423/add-new-project-viewer-role
Review / Merge checklist
(no-changelog)otherwise. (conventions)