feat: utilize access control when populating client-side routes in menu #2316
Conversation
This introduces a new API `RouteUtil::protectHillaViews` to be used while configuring spring security to enable protection of Hilla views based on the same access control logic that is used for http level access control. The impact of calling `protectHillaViews` will manifest itself in the population of the client-side views in the automatic menu.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2316 +/- ##
=======================================
Coverage 95.44% 95.44%
=======================================
Files 67 67
Lines 4438 4438
Branches 633 633
=======================================
Hits 4236 4236
Misses 162 162
Partials 40 40
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
I would suggest having the filtering enabled by default with no way of customizing it for now (other than the existing |
I think what's done in this PR is enabling the filtering by default but only for the client-side views. So is the requirement to to enabled it for the server-side views as well? |
Only client-side views. The reason it seems like it's not enabled by default is that there's a line of code in application code that is needed to enable the filtering. |
...s/java/endpoint/src/main/java/com/vaadin/hilla/startup/RouteUnifyingServiceInitListener.java
Show resolved
Hide resolved
|
|
This ticket/PR has been released with Hilla 24.4.0.alpha23 and is also targeting the upcoming stable 24.4.0 version. |
This enables filtering of Hilla views based on the security configurations exported from views, and uses the same access control API that could be optionally used Spring Security configuration for http level security.
It is important to note that filtering Hilla views in the menu is a usability feature not a security one.