feat(core): Implement project:viewer role #9611
Conversation
They both test the same endpoint but different features, and just by reading the suite names it was not distinguishable.
@@ -275,7 +275,7 @@ export class CredentialsService { | |||
|
|||
if (typeof projectId === 'string' && project === null) { | |||
throw new BadRequestError( | |||
"You don't have the permissions to save the workflow in this project.", | |||
"You don't have the permissions to save the credential in this project.", |
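Review bot: the message now names the right resource (credential rather than workflow), but the branch still throws BadRequestError for what the text presents as a permissions failure; consider whether a forbidden (403) error is the better fit than 400, and note that `project === null` with a string `projectId` also covers a project id that simply does not exist, so the wording should not assert the caller lacks permission on a project that may not be there.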
unrelated fix
@@ -685,7 +685,7 @@ describe('POST /credentials', () => { | |||
// | |||
.expect(400, { | |||
code: 400, | |||
message: "You don't have the permissions to save the workflow in this project.", | |||
message: "You don't have the permissions to save the credential in this project.", |
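Review bot: the expected message here is a verbatim copy of the string in CredentialsService; if the service wording changes again the two drift silently and only this test catches it. Consider exporting the message as a shared constant, or asserting on `code: 400` plus a distinctive substring, so the service and the test cannot diverge.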
unrelated fix
expect(tp2Relations.find((p) => p.userId === ownerUser.id)?.role).toBe('project:editor'); | ||
}); | ||
|
||
test('should not add from a project adding user with an unlicensed role', async () => { |
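Review bot: the title 'should not add from a project adding user with an unlicensed role' does not state the behaviour under test; rename it to the expectation, for example 'should reject assigning an unlicensed role to a project member', and make the assertion check the specific rejection response rather than only that the relation was not created.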
Yeah, I don't know what this means, but judging from the body this tests that you can't assign a role that isn't licensed.
I changed the title and amended the implementation to test editors and viewers.
Make sure to ignore white space when reviewing this PR.
I combined all the PATCH suites into one describe block.
.get(`/credentials/${savedCredential.id}`); | ||
|
||
expect(response.statusCode).toBe(200); | ||
expect(response.body.data).toBeDefined(); |
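Review bot: `expect(response.body.data).toBeDefined()` only proves the response envelope is present; it says nothing about whether a project:viewer receives the credential's secret material. Add an assertion that the credential's own data attribute (`response.body.data.data`) is undefined for the viewer, since withholding that attribute is the property this role is meant to guarantee.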
I'm wondering whether we should return this or not, as the UI only shows the fields if the credential:update scope exists, so the fields won't be visible in the UI, and returning the data is just more potential for leakage. wdyt? Maybe we can remove the data attribute.
Now I'm thinking that this might be the top-level data and not the actual credential information, so it should be fine. I'll approve in this case.
I amended the assertions, it now asserts that the viewer cannot see the data.data attribute.
2 flaky tests on run #5335:
NDV > should not retrieve remote options when required params throw errors (screenshots, video)
24-ndv-paired-item.cy.ts • NDV > resolves expression with default item when input node is not parent, while still pairing items (test replay, screenshots, video)
✅ All Cypress E2E specs passed
also making sure that the viewer cannot read credential data
✅ All Cypress E2E specs passed
Got released with
Summary
Add a project viewer role.
This role only allows the user to view workflows, credentials and executions within a project, but not to create or modify them.
Related tickets and issues
https://linear.app/n8n/issue/PAY-1423/add-new-project-viewer-role
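The role described in the summary, and the credential-data concern raised in the review thread (a viewer may see a credential's public fields but not its data attribute), as an added TypeScript illustration written for this page. It is not n8n's code: the scope names, the StoredCredential shape, and the functions hasScope, serializeCredentialForRole, authorize and assertRoleAssignable are all assumptions made for the example.

```typescript
// Added illustration, not n8n's implementation. A project role is modelled as a
// fixed allow-list of scopes; project:viewer carries only *:read scopes, and the
// credential serializer withholds the secret `data` attribute from any caller
// that lacks credential:update. Every name below is an assumption for the example.

type Scope =
  | 'workflow:read' | 'workflow:create' | 'workflow:update' | 'workflow:delete'
  | 'credential:read' | 'credential:create' | 'credential:update' | 'credential:delete'
  | 'execution:read';

type ProjectRole = 'project:admin' | 'project:editor' | 'project:viewer';

const VIEWER_SCOPES: readonly Scope[] = ['workflow:read', 'credential:read', 'execution:read'];
const EDITOR_SCOPES: readonly Scope[] = [
  ...VIEWER_SCOPES, 'workflow:create', 'workflow:update', 'credential:create', 'credential:update',
];
const ADMIN_SCOPES: readonly Scope[] = [...EDITOR_SCOPES, 'workflow:delete', 'credential:delete'];

// Explicit allow-list per role; any scope not listed is denied.
const ROLE_SCOPES: Record<ProjectRole, readonly Scope[]> = {
  'project:admin': ADMIN_SCOPES,
  'project:editor': EDITOR_SCOPES,
  'project:viewer': VIEWER_SCOPES,
};

function hasScope(role: ProjectRole, scope: Scope): boolean {
  return ROLE_SCOPES[role].indexOf(scope) !== -1;
}

// Hypothetical shape of a stored credential; `data` is the secret material.
interface StoredCredential {
  id: string;
  name: string;
  type: string;
  data: Record<string, string>;
}

// Hypothetical API response: the public fields always, the `data` key only for
// roles that may update the credential (the same rule the UI applies).
function serializeCredentialForRole(
  cred: StoredCredential,
  role: ProjectRole,
): Omit<StoredCredential, 'data'> & { data?: Record<string, string> } {
  const { data, ...publicFields } = cred;
  return hasScope(role, 'credential:update') ? { ...publicFields, data } : publicFields;
}

// Authorisation decision for one request, expressed as an HTTP status.
function authorize(role: ProjectRole, required: Scope): { allowed: boolean; status: number } {
  return hasScope(role, required) ? { allowed: true, status: 200 } : { allowed: false, status: 403 };
}

// License gate: a role the license does not include cannot be assigned.
class UnlicensedRoleError extends Error {
  constructor(role: ProjectRole) {
    super(`Role ${role} is not licensed`);
    this.name = 'UnlicensedRoleError';
  }
}

function assertRoleAssignable(role: ProjectRole, licensedRoles: readonly ProjectRole[]): void {
  if (licensedRoles.indexOf(role) === -1) throw new UnlicensedRoleError(role);
}

// Constructed sample input (not a real credential).
const sampleCredential: StoredCredential = {
  id: 'cred-1',
  name: 'Example API key',
  type: 'httpHeaderAuth',
  data: { name: 'Authorization', value: 'Bearer not-a-real-token' },
};
```

The check that matters for the thread above is the serializer: for a project:viewer the returned object has no `data` key at all, rather than a `data` set to undefined or to an empty object, so a client cannot distinguish "no secret" from "secret withheld" and nothing sensitive crosses the wire. The license gate mirrors the test that assigning an unlicensed role must be rejected.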