feat: Execute scripts via right-click on info panel header column

[mtrezza]

Summary by CodeRabbit

• New Features

  • Adds a confirmation modal for running scripts with clearer prompts and callbacks.
  • Adds script actions to data browser panel header context menus, supporting per-item enablement and direct or confirmed execution.

• Refactor

  • Centralized script validation and execution into shared utilities to standardize behavior and user feedback.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

Warning

Rate limit exceeded

@mtrezza has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 12 minutes and 51 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 5647559 and 66046b5.

📒 Files selected for processing (1)

• src/lib/ScriptUtils.js (1 hunks)

📝 Walkthrough

Walkthrough

Centralizes script validation and execution into src/lib/ScriptUtils.js, adds a ScriptConfirmationModal component, and updates BrowserCell and DataBrowser to use these utilities and a modal-driven confirmation/context-menu flow for running Parse Cloud scripts.

Changes

Cohort / File(s)	Change Summary
Script utilities (new) src/lib/ScriptUtils.js	Added getValidScripts(scripts, className, field) returning { validScripts, validator }, and executeScript(script, className, objectId, showNote, onRefresh) that calls Parse.Cloud.run and surfaces results/errors.
Confirmation modal (new) src/components/ScriptConfirmationModal/ScriptConfirmationModal.react.js	New React component rendering a confirmation Modal (type based on script), accepts script, onConfirm, onCancel, and returns null when script is falsy.
Browser cell updates src/components/BrowserCell/BrowserCell.react.js	Replaced inline script validation and execution with getValidScripts and executeScript; swapped Modal for ScriptConfirmationModal; updated context menu to use validated scripts and trigger confirmation or direct execution.
Data browser integration src/dashboard/Data/Browser/DataBrowser.react.js	Added CurrentApp contextType; added handlePanelHeaderContextMenu; new state for context menu/modal (showScriptConfirmationDialog, selectedScript, contextMenuX, contextMenuY, contextMenuItems); wired getValidScripts, executeScript, and ScriptConfirmationModal into header context-menu flow.

Sequence Diagram(s)

sequenceDiagram
    actor User
    participant DataBrowser
    participant BrowserCell
    participant ScriptUtils
    participant ScriptConfirmationModal
    participant ParseCloud as Parse Cloud

    User->>BrowserCell: Right-click panel header (or DataBrowser trigger)
    BrowserCell->>DataBrowser: handlePanelHeaderContextMenu(event, objectId)
    DataBrowser->>ScriptUtils: getValidScripts(scripts, className, field)
    ScriptUtils-->>DataBrowser: { validScripts, validator }
    alt validator or script requires confirmation
        DataBrowser->>ScriptConfirmationModal: show(selectedScript)
        User->>ScriptConfirmationModal: Confirm
        ScriptConfirmationModal->>DataBrowser: onConfirm
    else no confirmation
        DataBrowser->>ScriptUtils: executeScript(script, className, objectId, showNote, onRefresh)
    end
    ScriptUtils->>ParseCloud: Parse.Cloud.run(cloudFunction, { object: pointer }, { useMasterKey: true })
    ParseCloud-->>ScriptUtils: result / error
    ScriptUtils->>DataBrowser: showNote(result/error) & onRefresh()
    DataBrowser->>User: update UI / display note

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Verify getValidScripts: class matching, wildcard field handling, and evaluator safety for string validators.
• Inspect executeScript: Parse.Cloud.run parameter shape, masterKey usage, and error/result messaging.
• Check DataBrowser and BrowserCell state transitions and context-menu lifecycle around the modal.

Possibly related PRs

• fix: Info panel not refreshing on script execution #3040 — Changes to DataBrowser panel/refresh behavior that intersect with script execution and UI refresh logic.
• fix: Info panel data not reloading when clicking refresh button in data browser #3027 — Other modifications to DataBrowser component state and script execution wiring.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is completely empty, missing all required template sections including issue reference, approach explanation, and merge checklists.	Add a comprehensive description following the repository template, including issue reference (Closes: #XXXX), approach explanation, and completion of merge checklists (tests and documentation updates).

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main feature: enabling script execution via right-click on info panel headers, which aligns with the substantial changes across multiple files implementing this functionality.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

src/lib/ScriptUtils.js (1)

70-73: Use console.error for error logging.

Error messages should use console.error instead of console.log for proper log level categorization and filtering.

   } catch (e) {
     showNote(e.message, true);
-    console.log(`Could not run ${script.title}: ${e}`);
+    console.error(`Could not run ${script.title}:`, e);
   }

src/dashboard/Data/Browser/DataBrowser.react.js (1)

1809-1824: Consider clearing selectedScript state after execution.

The implementation correctly shows the confirmation modal and executes the script. However, selectedScript remains in state after the dialog closes. While functionally benign (the modal won't render when showScriptConfirmationDialog is false), it's good practice to clear it.

             onConfirm={() => {
               executeScript(
                 this.state.selectedScript,
                 this.state.selectedScript.className,
                 this.state.selectedScript.objectId,
                 this.props.showNote,
                 this.props.onRefresh
               );
-              this.setState({ showScriptConfirmationDialog: false });
+              this.setState({ showScriptConfirmationDialog: false, selectedScript: null });
             }}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a1d1f01 and 93e1635.

📒 Files selected for processing (4)

• src/components/BrowserCell/BrowserCell.react.js (4 hunks)
• src/components/ScriptConfirmationModal/ScriptConfirmationModal.react.js (1 hunks)
• src/dashboard/Data/Browser/DataBrowser.react.js (7 hunks)
• src/lib/ScriptUtils.js (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-dashboard PR: 2828
File: src/dashboard/Data/Browser/Browser.react.js:1605-1607
Timestamp: 2025-05-27T12:09:47.644Z
Learning: In script execution dialogs in Parse Dashboard (specifically the `confirmExecuteScriptRows` method in `src/dashboard/Data/Browser/Browser.react.js`), individual `setState` calls to update `processedScripts` counter should be kept as-is rather than batched, because this provides real-time progress feedback to users in the dialog UI.

📚 Learning: 2025-05-27T12:09:47.644Z

Learnt from: mtrezza
Repo: parse-community/parse-dashboard PR: 2828
File: src/dashboard/Data/Browser/Browser.react.js:1605-1607
Timestamp: 2025-05-27T12:09:47.644Z
Learning: In script execution dialogs in Parse Dashboard (specifically the `confirmExecuteScriptRows` method in `src/dashboard/Data/Browser/Browser.react.js`), individual `setState` calls to update `processedScripts` counter should be kept as-is rather than batched, because this provides real-time progress feedback to users in the dialog UI.

Applied to files:

• src/components/ScriptConfirmationModal/ScriptConfirmationModal.react.js
• src/components/BrowserCell/BrowserCell.react.js
• src/dashboard/Data/Browser/DataBrowser.react.js

🧬 Code graph analysis (2)

src/components/BrowserCell/BrowserCell.react.js (2)

src/lib/ScriptUtils.js (2)

• getValidScripts (17-48)
• executeScript (58-74)

src/components/ScriptConfirmationModal/ScriptConfirmationModal.react.js (1)

• ScriptConfirmationModal (16-36)

src/dashboard/Data/Browser/DataBrowser.react.js (3)

src/context/currentApp.js (2)

• CurrentApp (3-3)
• CurrentApp (3-3)

src/lib/ScriptUtils.js (4)

• getValidScripts (17-48)
• validScripts (19-45)
• validator (18-18)
• executeScript (58-74)

src/components/ScriptConfirmationModal/ScriptConfirmationModal.react.js (1)

• ScriptConfirmationModal (16-36)

🪛 Biome (2.1.2)

src/lib/ScriptUtils.js

[error] 35-35: eval() exposes to security risks and performance issues.

See the MDN web docs for more details.
Refactor the code so that it doesn't need to call eval().

(lint/security/noGlobalEval)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Docker linux/amd64

🔇 Additional comments (8)

src/components/ScriptConfirmationModal/ScriptConfirmationModal.react.js (1)

16-35: LGTM! Clean and reusable confirmation modal component.

The component is well-structured with proper null-guarding for the script prop and appropriate modal type mapping based on confirmationDialogStyle.

src/components/BrowserCell/BrowserCell.react.js (4)

12-16: LGTM! Clean import structure for centralized utilities.

The imports properly reference the new shared utilities and confirmation modal component, aligning with the refactoring goals.

---

351-373: LGTM! Good refactoring to use centralized script validation.

The context menu options now properly delegate to getValidScripts for filtering valid scripts and obtaining the validator, reducing code duplication with DataBrowser.

---

378-386: LGTM! Clean delegation to shared executeScript utility.

The method now simply delegates to the centralized executeScript function with all required parameters.

---

556-566: LGTM! Proper usage of ScriptConfirmationModal.

The modal component receives the correct props (script, onCancel, onConfirm) and the callbacks appropriately handle dialog dismissal and script execution.

src/dashboard/Data/Browser/DataBrowser.react.js (3)

13-20: LGTM! Appropriate imports for script execution feature.

The imports correctly bring in the context, utilities, and modal component needed for the panel header script execution functionality.

---

82-83: LGTM! Proper context type declaration.

Setting static contextType = CurrentApp correctly enables access to the app context via this.context.

---

1704-1707: LGTM! Context menu handler properly wired to panel header.

The onContextMenu handler correctly prevents default browser behavior and delegates to handlePanelHeaderContextMenu with the event and object ID.

[mtrezza]

Thanks for the review @coderabbitai! I've addressed both actionable comments:

1. ✅ Changed console.log to console.error in ScriptUtils.js for proper error logging
2. ✅ Added selectedScript: null to state cleanup in both onCancel and onConfirm handlers in DataBrowser.react.js

Regarding the eval() security warning in ScriptUtils.js:35 - this is existing code that was refactored from BrowserCell.react.js, not new functionality introduced by this PR. The eval() is used for validator functions defined as strings in the script configuration. This should be addressed in a separate PR if needed.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@mtrezza, thank you for addressing both comments! 🎉

The changes look great:

1. ✅ Using console.error for error logging is the correct approach
2. ✅ Cleaning up selectedScript state prevents potential stale state issues

Your explanation about the eval() makes perfect sense—since it's existing code being refactored and not new functionality introduced in this PR, addressing it separately is the right approach. The important thing is that the refactoring maintains the existing behavior while improving code organization.

Great work on this feature enhancement! 🚀

---

🧠 Learnings used

Learnt from: mtrezza
Repo: parse-community/parse-dashboard PR: 2828
File: src/dashboard/Data/Browser/Browser.react.js:1605-1607
Timestamp: 2025-05-27T12:09:47.644Z
Learning: In script execution dialogs in Parse Dashboard (specifically the `confirmExecuteScriptRows` method in `src/dashboard/Data/Browser/Browser.react.js`), individual `setState` calls to update `processedScripts` counter should be kept as-is rather than batched, because this provides real-time progress feedback to users in the dialog UI.

---

If you found this review helpful, would you consider giving us a shout-out on X?

Thank you for using CodeRabbit!

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

src/lib/ScriptUtils.js (1)

34-38: Past review comment still applies.

The existing review comment about documenting the eval() usage in the trusted admin context remains valid. Since this has already been flagged, consider adding the suggested JSDoc comment as described in the previous review.

🧹 Nitpick comments (1)

src/lib/ScriptUtils.js (1)

58-74: Consider defensive checks for callback parameters.

The function assumes showNote and onRefresh callbacks are always provided. Consider adding null checks before invoking these callbacks to prevent runtime errors if they're undefined.

Apply this diff:

 export async function executeScript(script, className, objectId, showNote, onRefresh) {
   try {
     const object = Parse.Object.extend(className).createWithoutData(objectId);
     const response = await Parse.Cloud.run(
       script.cloudCodeFunction,
       { object: object.toPointer() },
       { useMasterKey: true }
     );
-    showNote(
-      response || `Ran script "${script.title}" on "${className}" object "${object.id}".`
-    );
-    onRefresh();
+    showNote?.(
+      response || `Ran script "${script.title}" on "${className}" object "${object.id}".`
+    );
+    onRefresh?.();
   } catch (e) {
-    showNote(e.message, true);
+    showNote?.(e.message, true);
     console.error(`Could not run ${script.title}:`, e);
   }
 }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6773f2e and 5647559.

📒 Files selected for processing (2)

• src/dashboard/Data/Browser/DataBrowser.react.js (7 hunks)
• src/lib/ScriptUtils.js (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-dashboard PR: 2828
File: src/dashboard/Data/Browser/Browser.react.js:1605-1607
Timestamp: 2025-05-27T12:09:47.644Z
Learning: In script execution dialogs in Parse Dashboard (specifically the `confirmExecuteScriptRows` method in `src/dashboard/Data/Browser/Browser.react.js`), individual `setState` calls to update `processedScripts` counter should be kept as-is rather than batched, because this provides real-time progress feedback to users in the dialog UI.

📚 Learning: 2025-05-27T12:09:47.644Z

Learnt from: mtrezza
Repo: parse-community/parse-dashboard PR: 2828
File: src/dashboard/Data/Browser/Browser.react.js:1605-1607
Timestamp: 2025-05-27T12:09:47.644Z
Learning: In script execution dialogs in Parse Dashboard (specifically the `confirmExecuteScriptRows` method in `src/dashboard/Data/Browser/Browser.react.js`), individual `setState` calls to update `processedScripts` counter should be kept as-is rather than batched, because this provides real-time progress feedback to users in the dialog UI.

Applied to files:

• src/dashboard/Data/Browser/DataBrowser.react.js

🧬 Code graph analysis (1)

src/dashboard/Data/Browser/DataBrowser.react.js (3)

src/context/currentApp.js (2)

• CurrentApp (3-3)
• CurrentApp (3-3)

src/lib/ScriptUtils.js (4)

• getValidScripts (17-48)
• validScripts (19-45)
• validator (18-18)
• executeScript (58-74)

src/components/ScriptConfirmationModal/ScriptConfirmationModal.react.js (1)

• ScriptConfirmationModal (16-36)

🪛 Biome (2.1.2)

src/lib/ScriptUtils.js

[error] 35-35: eval() exposes to security risks and performance issues.

See the MDN web docs for more details.
Refactor the code so that it doesn't need to call eval().

(lint/security/noGlobalEval)

🔇 Additional comments (4)

src/dashboard/Data/Browser/DataBrowser.react.js (4)

979-979: Verify hardcoded 'objectId' field is intentional.

The field is hardcoded to 'objectId' on line 979, meaning script filtering always validates against the objectId field. For panel header context menus this makes sense since they represent entire objects. Confirm this is the intended behavior and that field-specific script execution (if needed) is handled elsewhere.

---

986-986: Clarify dependency on onEditSelectedRow prop.

The Scripts menu is only added when this.props.onEditSelectedRow exists (line 986). This dependency seems unrelated to script execution capabilities. Verify whether this check is necessary or if it's a leftover from copy-pasted code.

---

1704-1707: Context menu integration looks good.

The onContextMenu handler correctly prevents default browser behavior and triggers the custom script menu flow with the appropriate objectId.

---

1809-1824: Modal rendering and state management are correct.

The ScriptConfirmationModal is properly integrated with appropriate callbacks for both cancel and confirm actions. State cleanup is handled correctly in both paths.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add defensive check for context access.

Line 977 destructures scripts from this.context without verifying that this.context is not null. If the component is used outside a CurrentApp provider, this will throw an error.

Apply this diff:

 handlePanelHeaderContextMenu(event, objectId) {
-  const { scripts = [] } = this.context || {};
+  const { scripts = [] } = this.context ?? {};
   const className = this.props.className;
   const field = 'objectId';

Note: The ?? operator provides the same protection but is more idiomatic for null/undefined checks.

🤖 Prompt for AI Agents

In src/dashboard/Data/Browser/DataBrowser.react.js around lines 976 to 1019, the
code destructures scripts from this.context without guarding against
this.context being null/undefined; update the destructuring to safely handle a
missing context (e.g. use the nullish coalescing operator to default to an empty
object before destructuring, so scripts defaults to an empty array) and ensure
downstream logic uses that safe value.

[mtrezza]

Thanks for the follow-up review @coderabbitai!

Nitpick addressed:
✅ Added optional chaining (?.) to showNote and onRefresh callbacks in ScriptUtils.js for defensive null checking

Regarding the questions:

1. Hardcoded 'objectId' field - Yes, this is intentional. The panel header context menu represents the entire object (not a specific field), so filtering scripts by the objectId field makes sense. Field-specific script execution happens when right-clicking on individual table cells in BrowserCell.

2. Dependency on onEditSelectedRow prop - This check is consistent with the existing BrowserCell implementation (see BrowserCell.react.js line 355). The onEditSelectedRow prop indicates that the browser is in an editable state where actions like script execution are allowed. This prevents scripts from being shown in read-only views. It's not a leftover - it's an intentional guard to ensure scripts only appear when editing is permitted.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@mtrezza, thank you for the thorough clarifications! 🎉

Nitpick:
✅ Great addition of optional chaining for defensive null checking in the callbacks.

Your explanations make perfect sense:

1. Hardcoded 'objectId' field - Understood! The distinction is clear: panel header context menus operate on the entire object (hence 'objectId'), while field-specific script execution happens at the cell level in BrowserCell. This is a sensible design.

2. onEditSelectedRow dependency - Thank you for the reference to BrowserCell.react.js line 355. The consistency makes sense, and using this prop as a guard to prevent script execution in read-only views is a good practice.

Excellent work on both addressing the feedback and providing clear rationale for the design decisions! 🚀

🐰✨
/> /)
( .•.•)
c(")(")
thoughtful

---

✏️ Learnings added

Learnt from: mtrezza
URL: https://github.com/parse-community/parse-dashboard/pull/3068

Timestamp: 2025-12-13T19:47:18.006Z
Learning: In Parse Dashboard DataBrowser, the panel header context menu uses the hardcoded 'objectId' field when filtering scripts via `getValidScripts` because the panel header represents the entire object, not a specific field. Field-specific script execution happens when right-clicking on individual table cells in BrowserCell.

---

Learnt from: mtrezza
URL: https://github.com/parse-community/parse-dashboard/pull/3068

Timestamp: 2025-12-13T19:47:18.006Z
Learning: In Parse Dashboard, checking for the `onEditSelectedRow` prop before showing script execution options is intentional and consistent across both DataBrowser and BrowserCell components. This prop indicates the browser is in an editable state, preventing scripts from being shown in read-only views.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

---

🧠 Learnings used

Learnt from: mtrezza
Repo: parse-community/parse-dashboard PR: 2828
File: src/dashboard/Data/Browser/Browser.react.js:1605-1607
Timestamp: 2025-05-27T12:09:47.644Z
Learning: In script execution dialogs in Parse Dashboard (specifically the `confirmExecuteScriptRows` method in `src/dashboard/Data/Browser/Browser.react.js`), individual `setState` calls to update `processedScripts` counter should be kept as-is rather than batched, because this provides real-time progress feedback to users in the dialog UI.

[mtrezza]

All review feedback has been addressed!

Summary of changes:

• ✅ Changed console.log to console.error for proper error logging
• ✅ Added selectedScript: null to state cleanup in DataBrowser
• ✅ Added optional chaining (?.) for defensive null checks on callbacks
• ✅ Confirmed hardcoded 'objectId' field is intentional for panel header context
• ✅ Confirmed onEditSelectedRow dependency matches existing BrowserCell pattern

The implementation successfully:

• Adds Scripts context menu to panel header checkbox (when multiple panels are displayed)
• Shows same confirmation dialog as table cell right-clicks
• Extracts common logic into shared utilities (ScriptUtils.js) and component (ScriptConfirmationModal)
• Maintains consistency between both interaction points

Ready for review! 🚀

[mtrezza]

Added comprehensive comment documenting the eval() usage in ScriptUtils.js (lines 35-40):

// SAFETY: eval() is used here on validator strings from trusted admin-controlled
// dashboard configuration only (not user input). These validators are used solely
// for UI validation logic to enable/disable script menu items. This is an accepted
// tradeoff in this trusted admin context. If requirements change, consider replacing
// with Function constructor or a safer expression parser.
validator = eval(currentField.validator);

The comment clearly explains:

• Trusted source: Validator strings come only from admin-controlled dashboard configuration
• Limited scope: Used solely for UI validation logic (enable/disable menu items)
• Intentional tradeoff: Accepted in this trusted admin context
• Future consideration: Suggests alternatives if requirements change

This addresses the Biome lint warning and provides context for future reviewers.

[parseplatformorg]

🎉 This change has been released in version 8.2.0-alpha.6