feat(homepage): add permission-aware default cards backend by christoph-jerolimov · Pull Request #2855 · redhat-developer/rhdh-plugins

christoph-jerolimov · 2026-04-21T16:09:35Z

Hey, I just made a Pull Request!

WIP

✔️ Checklist

A changeset describing the change and affected packages. (more info)
Added or Updated documentation
Tests for new functionality and regression tests for bug fixes
Screenshots attached (for UI changes)

rhdh-gh-app · 2026-04-21T16:09:59Z

Missing Changesets

The following package(s) are changed by this PR but do not have a changeset:

@red-hat-developer-hub/backstage-plugin-homepage-backend
@red-hat-developer-hub/backstage-plugin-homepage-common

See CONTRIBUTING.md for more information about how to add changesets.

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
app-legacy	workspaces/homepage/packages/app-legacy	none	`v0.0.0`
app	workspaces/homepage/packages/app	none	`v0.0.0`
backend	workspaces/homepage/packages/backend	none	`v0.0.0`
@red-hat-developer-hub/backstage-plugin-dynamic-home-page	workspaces/homepage/plugins/dynamic-home-page	patch	`v1.12.0`
@red-hat-developer-hub/backstage-plugin-homepage-backend	workspaces/homepage/plugins/homepage-backend	none	`v0.0.0`
@red-hat-developer-hub/backstage-plugin-homepage-common	workspaces/homepage/plugins/homepage-common	none	`v0.0.0`

karthikjeeyar

This is a strong step forward 🎉 This feature turns "everyone sees the same static tiles" to "you see what you are meant to see", I have some small comments, but nothing takes away the overall approach.

karthikjeeyar · 2026-04-24T03:47:08Z

+    const requests = names.map(name => ({
+      permission: createPermission({ name, attributes: {} }),


In homepage-common, homepageDefaultWidgetsReadPermission is defined as a resource permission. This means it expects a resourceRef (like a widget ID) to evaluate conditional policies correctly.

Currently, the homepage backend still checks this via createPermission with empty attributes, which is just a basic global name-level check. This won't trigger any logic that relies on specific card IDs.

Should we be adding a second permissions.authorize call and pass the resourceRef for each card to support these conditional policies? Or is if.permissions meant to stay high-level? I

It’s worth clarifying the intended model in the documentation

rhdh-qodo-merge · 2026-04-26T21:07:53Z

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. ~~Invalid defaultWidgets validation~~ ☑ 🐞 Bug ☼ Reliability

Description

loadDefaultWidgets() strictly validates homepage.defaultWidgets using layout (singular) and
requires leaf nodes to have both id and ref, but the repo’s own configs use layouts (plural)
and omit ref, causing startup-time exceptions when the service is instantiated.

Code

workspaces/homepage/plugins/homepage-backend/src/defaultWidgets/loadDefaultWidgets.ts[R46-67]

+      .object({
+        id: z.string().min(1).optional(),
+        ref: z.string().min(1).optional(),
+        props: z.record(z.string(), z.unknown()).optional(),
+        layout: z.record(z.string(), z.unknown()).optional(),
+        if: visibilitySchema.optional(),
+        children: z.array(defaultWidgetNodeSchema).optional(),
+      })
+      .strict()
+      .refine(
+        n => {
+          const hasId = n.id !== undefined && n.id.length > 0;
+          const hasRef = n.ref !== undefined && n.ref.length > 0;
+          const hasChildren = n.children !== undefined && n.children.length > 0;
+          if (hasChildren) return !hasId && !hasRef;
+          return hasId && hasRef;
+        },
+        {
+          message:
+            'Node must have `id` and `ref` (leaf) or non-empty `children` (group), not both',
+        },
+      ),

Relevance

⭐⭐⭐ High
Schema is strict and mismatches repo config (layouts vs layout, missing ref), likely causing
startup failure.
PR-#2742
PR-#2423
PR-#2662

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The backend schema is .strict() and defines layout while enforcing hasId && hasRef for leaves;
therefore configs containing layouts or missing ref will fail validation. The workspace’s
app-config.yaml and the plugin’s dev/index.ts both contain such configs, and
DefaultWidgetsServiceImpl.create() calls loadDefaultWidgets() during service initialization,
which means the backend will fail to start with the current configuration.
workspaces/homepage/plugins/homepage-backend/src/defaultWidgets/loadDefaultWidgets.ts[46-67]
workspaces/homepage/app-config.yaml[84-127]
workspaces/homepage/plugins/homepage-backend/dev/index.ts[36-85]
workspaces/homepage/plugins/homepage-backend/src/services/DefaultWidgetsService.ts[54-65]
workspaces/homepage/plugins/homepage-backend/config.d.ts[33-44]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The backend validation for `homepage.defaultWidgets` rejects the repository’s own example configs:
- Configs use `layouts` (plural) but schema expects `layout`.
- Several leaf widgets omit `ref`, but schema requires `id` **and** `ref`.
- Example dev config also uses extra top-level keys (`title`, `label`, `priority`) that are rejected by `.strict()`.

This causes `loadDefaultWidgets()` to throw during `DefaultWidgetsServiceImpl.create()`, preventing backend startup.

### Issue Context
You already treat `ref` as optional at runtime (`ref: node.ref ?? node.id`). The type declarations (`config.d.ts`) also document `layouts` and do not document `ref`, so current validation is inconsistent with documented/intended usage.

### Fix Focus Areas
- workspaces/homepage/plugins/homepage-backend/src/defaultWidgets/loadDefaultWidgets.ts[21-68]
- workspaces/homepage/plugins/homepage-backend/config.d.ts[33-44]
- workspaces/homepage/app-config.yaml[84-127]
- workspaces/homepage/plugins/homepage-backend/dev/index.ts[36-85]

### Suggested fix direction
Choose one consistent contract and apply it everywhere:
1) **Preferred (least breaking):**
  - Accept `layouts` in config (and map it to the response field you want, or rename response field too).
  - Make `ref` optional for leaves and default it to `id`.
  - Either (a) allow additional metadata via `props` only and fix the dev/example configs accordingly, or (b) explicitly allow known extra keys.
2) Or, if you want to keep `layout` + required `ref`:
  - Update `app-config.yaml`, `dev/index.ts`, and `config.d.ts` to use `layout` and always provide `ref`, and move `title/label/priority` under `props`.

Add/adjust tests to cover the chosen contract.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

2. Ungated debug widget pages 🐞 Bug ⛨ Security

Description

/debug-available-widgets and /debug-default-widgets are added to app-legacy routes and
navigation without any permission/feature-flag gating, exposing widget inventory and the
default-widgets API output to any authenticated user.

Code

workspaces/homepage/packages/app-legacy/src/App.tsx[R444-456]

+    <Route path="/rbac" element={<RbacPage />} />
+    <Route
+      path="/debug-available-widgets"
+      element={
+        <ScalprumContext.Provider value={scalprumState}>
+          <DebugHomepageAvailableWidgets />
+        </ScalprumContext.Provider>
+      }
+    />
+    <Route
+      path="/debug-default-widgets"
+      element={<DebugHomepageDefaultWidgets />}
+    />

Relevance

⭐⭐⭐ High
Team often accepts info-disclosure hardening; ungated debug routes/sidebar links widen exposure
surface.
PR-#2647
PR-#2581
PR-#2759

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The debug routes are registered unconditionally and linked in the sidebar. The available-widgets
page serializes all mount points from ScalprumContext, and the default-widgets page calls the
backend API; while the backend response is permission-filtered, these debug pages still increase
information disclosure surface and are easy to ship accidentally.
workspaces/homepage/packages/app-legacy/src/App.tsx[444-456]
workspaces/homepage/packages/app-legacy/src/components/Root/Root.tsx[88-100]
workspaces/homepage/packages/app-legacy/src/components/homepage/DebugHomepageAvailableWidgets.tsx[24-33]
workspaces/homepage/packages/app-legacy/src/components/homepage/DebugHomepageDefaultWidgets.tsx[32-38]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The app-legacy package exposes debug routes and sidebar entries for widget enumeration and default-widget API inspection without any gating.

### Issue Context
These pages are useful for development, but should not be generally available in production deployments.

### Fix Focus Areas
- workspaces/homepage/packages/app-legacy/src/App.tsx[444-456]
- workspaces/homepage/packages/app-legacy/src/components/Root/Root.tsx[88-100]

### Suggested fix direction
Implement one of:
- Wrap the routes and sidebar items in a `RequirePermission` (RBAC/admin-only), OR
- Hide them behind an environment/config flag (e.g., `process.env.NODE_ENV !== 'production'` or a dedicated `app.debugPages.enabled` config), OR
- Remove them from navigation and keep routes only for local dev builds.

Ensure both the route registration and sidebar links are gated consistently.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

rhdh-qodo-merge · 2026-04-26T21:13:28Z

Review Summary by Qodo

Add permission-aware default cards backend with RBAC integration

✨ Enhancement

Walkthroughs

Description

• Add permission-aware default cards backend with RBAC support
• Implement visibility filtering based on users, groups, and permissions
• Create shared types package for frontend-backend communication
• Register homepage resource type with HAS_CARD_ID permission rule
• Add frontend API client and integrate with both legacy and NFS systems

Diagram

flowchart LR
  Config["app-config.yaml<br/>defaultWidgets tree"]
  Backend["Backend Plugin<br/>DefaultWidgetsService"]
  Visibility["Visibility Evaluation<br/>users/groups/permissions"]
  API["HTTP Endpoint<br/>/default-widgets"]
  Frontend["Frontend API Client<br/>DefaultWidgetsApiClient"]
  UI["UI Components<br/>Debug pages"]
  
  Config -->|loadDefaultWidgets| Backend
  Backend -->|buildUserContext| Visibility
  Visibility -->|filterToVisibleLeaves| API
  API -->|getDefaultWidgets| Frontend
  Frontend -->|display| UI
  
  RBAC["RBAC Plugin<br/>HAS_CARD_ID rule"]
  RBAC -.->|permission decisions| Visibility

File Changes

1. workspaces/homepage/plugins/homepage-backend/src/defaultWidgets/evaluateVisibility.ts ✨ Enhancement +82/-0

Visibility evaluation logic for card filtering

workspaces/homepage/plugins/homepage-backend/src/defaultWidgets/evaluateVisibility.ts

2. workspaces/homepage/plugins/homepage-backend/src/defaultWidgets/evaluateVisibility.test.ts 🧪 Tests +311/-0

Comprehensive tests for visibility evaluation

workspaces/homepage/plugins/homepage-backend/src/defaultWidgets/evaluateVisibility.test.ts

3. workspaces/homepage/plugins/homepage-backend/src/defaultWidgets/loadDefaultWidgets.ts ✨ Enhancement +106/-0

Config loading and validation with Zod schema

workspaces/homepage/plugins/homepage-backend/src/defaultWidgets/loadDefaultWidgets.ts

View more (59)

4. workspaces/homepage/plugins/homepage-backend/src/defaultWidgets/loadDefaultWidgets.test.ts 🧪 Tests +243/-0

Tests for config loading and permission collection

workspaces/homepage/plugins/homepage-backend/src/defaultWidgets/loadDefaultWidgets.test.ts

5. workspaces/homepage/plugins/homepage-backend/src/defaultWidgets/buildUserContext.ts ✨ Enhancement +73/-0

User context building from catalog and permissions

workspaces/homepage/plugins/homepage-backend/src/defaultWidgets/buildUserContext.ts

6. workspaces/homepage/plugins/homepage-backend/src/defaultWidgets/types.ts Miscellaneous +30/-0

Type exports from common package

workspaces/homepage/plugins/homepage-backend/src/defaultWidgets/types.ts

7. workspaces/homepage/plugins/homepage-backend/src/services/DefaultWidgetsService.ts ✨ Enhancement +128/-0

Service implementation for default widgets retrieval

workspaces/homepage/plugins/homepage-backend/src/services/DefaultWidgetsService.ts

8. workspaces/homepage/plugins/homepage-backend/src/router.ts ✨ Enhancement +38/-0

HTTP endpoint for default widgets API

workspaces/homepage/plugins/homepage-backend/src/router.ts

9. workspaces/homepage/plugins/homepage-backend/src/router.test.ts 🧪 Tests +86/-0

Tests for router and endpoint behavior

workspaces/homepage/plugins/homepage-backend/src/router.test.ts

10. workspaces/homepage/plugins/homepage-backend/src/plugin.ts ✨ Enhancement +64/-0

Backend plugin registration and initialization

workspaces/homepage/plugins/homepage-backend/src/plugin.ts

11. workspaces/homepage/plugins/homepage-backend/src/plugin.test.ts 🧪 Tests +195/-0

Integration tests for plugin functionality

workspaces/homepage/plugins/homepage-backend/src/plugin.test.ts

12. workspaces/homepage/plugins/homepage-backend/src/permissions/resource.ts ✨ Enhancement +31/-0

Permission resource reference definition

workspaces/homepage/plugins/homepage-backend/src/permissions/resource.ts

13. workspaces/homepage/plugins/homepage-backend/src/permissions/rules.ts ✨ Enhancement +62/-0

HAS_CARD_ID permission rule implementation

workspaces/homepage/plugins/homepage-backend/src/permissions/rules.ts

14. workspaces/homepage/plugins/homepage-backend/config.d.ts 📝 Documentation +56/-0

TypeScript config schema definitions

workspaces/homepage/plugins/homepage-backend/config.d.ts

15. workspaces/homepage/plugins/homepage-backend/src/index.ts Miscellaneous +16/-0

Plugin export entry point

workspaces/homepage/plugins/homepage-backend/src/index.ts

16. workspaces/homepage/plugins/homepage-backend/src/setupTests.ts ⚙️ Configuration changes +16/-0

Test setup configuration file

workspaces/homepage/plugins/homepage-backend/src/setupTests.ts

17. workspaces/homepage/plugins/homepage-backend/package.json ⚙️ Configuration changes +60/-0

Backend plugin package configuration

workspaces/homepage/plugins/homepage-backend/package.json

18. workspaces/homepage/plugins/homepage-backend/README.md 📝 Documentation +28/-0

Backend plugin documentation

workspaces/homepage/plugins/homepage-backend/README.md

19. workspaces/homepage/plugins/homepage-backend/.eslintrc.js ⚙️ Configuration changes +1/-0

ESLint configuration for backend

workspaces/homepage/plugins/homepage-backend/.eslintrc.js

20. workspaces/homepage/plugins/homepage-backend/dev/index.ts Miscellaneous +110/-0

Development server with mock configuration

workspaces/homepage/plugins/homepage-backend/dev/index.ts

21. workspaces/homepage/plugins/homepage-backend/report.api.md 📝 Documentation +13/-0

API report for backend plugin

workspaces/homepage/plugins/homepage-backend/report.api.md

22. workspaces/homepage/plugins/homepage-common/src/types.ts ✨ Enhancement +54/-0

Shared type definitions for frontend and backend

workspaces/homepage/plugins/homepage-common/src/types.ts

23. workspaces/homepage/plugins/homepage-common/src/permissions.ts ✨ Enhancement +49/-0

Permission definitions and resource type

workspaces/homepage/plugins/homepage-common/src/permissions.ts

24. workspaces/homepage/plugins/homepage-common/src/index.ts Miscellaneous +29/-0

Common package exports

workspaces/homepage/plugins/homepage-common/src/index.ts

25. workspaces/homepage/plugins/homepage-common/src/setupTests.ts ⚙️ Configuration changes +16/-0

Test setup for common package

workspaces/homepage/plugins/homepage-common/src/setupTests.ts

26. workspaces/homepage/plugins/homepage-common/package.json ⚙️ Configuration changes +46/-0

Common package configuration

workspaces/homepage/plugins/homepage-common/package.json

27. workspaces/homepage/plugins/homepage-common/README.md 📝 Documentation +5/-0

Common package documentation

workspaces/homepage/plugins/homepage-common/README.md

28. workspaces/homepage/plugins/homepage-common/.eslintrc.js ⚙️ Configuration changes +1/-0

ESLint configuration for common

workspaces/homepage/plugins/homepage-common/.eslintrc.js

29. workspaces/homepage/plugins/homepage-common/report.api.md 📝 Documentation +67/-0

API report for common package

workspaces/homepage/plugins/homepage-common/report.api.md

30. workspaces/homepage/plugins/dynamic-home-page/src/api/DefaultWidgetsApiClient.ts ✨ Enhancement +65/-0

Frontend API client for default widgets

workspaces/homepage/plugins/dynamic-home-page/src/api/DefaultWidgetsApiClient.ts

31. workspaces/homepage/plugins/dynamic-home-page/src/api/index.ts Miscellaneous +1/-0

API client exports

workspaces/homepage/plugins/dynamic-home-page/src/api/index.ts

32. workspaces/homepage/plugins/dynamic-home-page/src/plugin.ts ✨ Enhancement +19/-1

Register default widgets API in legacy system

workspaces/homepage/plugins/dynamic-home-page/src/plugin.ts

33. workspaces/homepage/plugins/dynamic-home-page/src/alpha/extensions/apis.ts ✨ Enhancement +29/-2

Register default widgets API in NFS system

workspaces/homepage/plugins/dynamic-home-page/src/alpha/extensions/apis.ts

34. workspaces/homepage/plugins/dynamic-home-page/src/alpha/index.ts Miscellaneous +2/-1

Export default widgets API in frontend module

workspaces/homepage/plugins/dynamic-home-page/src/alpha/index.ts

35. workspaces/homepage/plugins/dynamic-home-page/package.json Dependencies +7/-3

Update dependencies and plugin packages

workspaces/homepage/plugins/dynamic-home-page/package.json

36. workspaces/homepage/plugins/dynamic-home-page/report.api.md 📝 Documentation +11/-0

API report for dynamic home page plugin

workspaces/homepage/plugins/dynamic-home-page/report.api.md

37. workspaces/homepage/plugins/dynamic-home-page/src/utils/customizable-cards.ts 📝 Documentation +1/-1

Fix layout property name in comment

workspaces/homepage/plugins/dynamic-home-page/src/utils/customizable-cards.ts

38. workspaces/homepage/packages/backend/src/index.ts ✨ Enhancement +7/-6

Add homepage and RBAC backend plugins

workspaces/homepage/packages/backend/src/index.ts

39. workspaces/homepage/packages/backend/package.json Dependencies +2/-0

Add homepage backend and RBAC dependencies

workspaces/homepage/packages/backend/package.json

40. workspaces/homepage/packages/app/package.json Dependencies +2/-1

Update theme and add RBAC dependencies

workspaces/homepage/packages/app/package.json

41. workspaces/homepage/packages/app/src/modules/nav/Sidebar.tsx ✨ Enhancement +24/-1

Update sidebar with search and settings groups

workspaces/homepage/packages/app/src/modules/nav/Sidebar.tsx

42. workspaces/homepage/packages/app/src/modules/nav/SidebarLogo.tsx ✨ Enhancement +5/-2

Import logo from theme package

workspaces/homepage/packages/app/src/modules/nav/SidebarLogo.tsx

43. workspaces/homepage/packages/app-legacy/package.json Dependencies +5/-2

Add RBAC and update theme dependencies

workspaces/homepage/packages/app-legacy/package.json

44. workspaces/homepage/packages/app-legacy/src/components/Root/Root.tsx ✨ Enhancement +21/-10

Update sidebar with RBAC and debug routes

workspaces/homepage/packages/app-legacy/src/components/Root/Root.tsx

45. workspaces/homepage/packages/app-legacy/src/App.tsx ✨ Enhancement +17/-0

Add RBAC page and debug widget routes

workspaces/homepage/packages/app-legacy/src/App.tsx

46. workspaces/homepage/packages/app-legacy/src/components/homepage/DebugHomepageAvailableWidgets.tsx ✨ Enhancement +49/-0

Debug page for available widgets

workspaces/homepage/packages/app-legacy/src/components/homepage/DebugHomepageAvailableWidgets.tsx

47. workspaces/homepage/packages/app-legacy/src/components/homepage/DebugHomepageDefaultWidgets.tsx ✨ Enhancement +63/-0

Debug page for default widgets from API

workspaces/homepage/packages/app-legacy/src/components/homepage/DebugHomepageDefaultWidgets.tsx

48. workspaces/homepage/app-config.yaml ⚙️ Configuration changes +55/-0

Add homepage config with default widgets and RBAC

workspaces/homepage/app-config.yaml

49. workspaces/homepage/packages/app-legacy/e2e-tests/homepageCustomizable.test.ts 🧪 Tests +0/-0

Rename test method for consistency

workspaces/homepage/packages/app-legacy/e2e-tests/homepageCustomizable.test.ts

50. workspaces/homepage/packages/app-legacy/e2e-tests/pages/homePageCustomization.ts 🧪 Tests +0/-0

Rename method to match test expectations

workspaces/homepage/packages/app-legacy/e2e-tests/pages/homePageCustomization.ts

51. workspaces/homepage/package.json Dependencies +2/-2

Update dev dependencies and remove patch

workspaces/homepage/package.json

52. workspaces/homepage/README.md 📝 Documentation +3/-15

Update project description

workspaces/homepage/README.md

53. workspaces/homepage/.changeset/green-singers-rush.md 📝 Documentation +5/-0

Changeset for theme dependency update

workspaces/homepage/.changeset/green-singers-rush.md

54. workspaces/homepage/.prettierignore ⚙️ Configuration changes +1/-0

Add dist-dynamic to prettier ignore

workspaces/homepage/.prettierignore

55. workspaces/homepage/.yarn/patches/@backstage-plugin-home-npm-0.8.11-a127246043.patch Additional files +0/-13

...

workspaces/homepage/.yarn/patches/@backstage-plugin-home-npm-0.8.11-a127246043.patch

56. workspaces/homepage/app-config.production.yaml Additional files +0/-55

...

workspaces/homepage/app-config.production.yaml

57. workspaces/homepage/packages/app-legacy/src/components/Root/LogoFull.tsx Additional files +0/-45

...

workspaces/homepage/packages/app-legacy/src/components/Root/LogoFull.tsx

58. workspaces/homepage/packages/app-legacy/src/components/Root/LogoIcon.tsx Additional files +0/-46

...

workspaces/homepage/packages/app-legacy/src/components/Root/LogoIcon.tsx

59. workspaces/homepage/packages/app/e2e-tests/homepageCustomizable.test.ts Additional files +1/-1

...

workspaces/homepage/packages/app/e2e-tests/homepageCustomizable.test.ts

60. workspaces/homepage/packages/app/e2e-tests/pages/homePageCustomization.ts Additional files +1/-1

...

workspaces/homepage/packages/app/e2e-tests/pages/homePageCustomization.ts

61. workspaces/homepage/packages/app/src/modules/nav/LogoFull.tsx Additional files +0/-44

...

workspaces/homepage/packages/app/src/modules/nav/LogoFull.tsx

62. workspaces/homepage/packages/app/src/modules/nav/LogoIcon.tsx Additional files +0/-44

...

workspaces/homepage/packages/app/src/modules/nav/LogoIcon.tsx

karthikjeeyar

Changes looks good to me.

Conditional RBAC policy isn't handled. can we have followup ticket for this?
Good to have a small blurb in plugin documentation to capture the new implementation homepage.defaultWidgets
some test cases are failing.

karthikjeeyar · 2026-04-27T10:13:49Z

+        xs: { w: 12, h: 9 }
+        xxs: { w: 12, h: 14 }
+    - id: onboarding
+      ref: Onboarding


This should match with the mountpoint ID 'rhdh-onboarding-section`