Skip to content

fix(app-admin): merge permission groups by name#5338

Merged
adrians5j merged 1 commit into
nextfrom
adrian/admin-dedupe-sec-permissions-2026-06-29
Jul 3, 2026
Merged

fix(app-admin): merge permission groups by name#5338
adrians5j merged 1 commit into
nextfrom
adrian/admin-dedupe-sec-permissions-2026-06-29

Conversation

@adrians5j

@adrians5j adrians5j commented Jun 29, 2026

Copy link
Copy Markdown
Member

What changed

Previously the GraphQL Playground and SDK Playground apps each declared the entire "Dev Tools" permission group — including the other app's entity — because permission groups registered under the same name overwrote one another, so each app had to ship the full list to stay complete. This meant an admin could see (and toggle) a permission for an app that wasn't even installed.

Now each app declares only its own entity. The admin permissions UI merges all contributions that share a group name into a single "Dev Tools" group, combining their entities. Installing either playground (or both) shows exactly the right set of permissions, and any future dev tool can add its own entity without touching the others.

Changelog

Dev Tools permissions no longer duplicated across playground apps

The GraphQL Playground and SDK Playground apps each used to register the other app's permissions as well as their own, which could show permissions for apps that weren't installed. Each app now contributes only its own permissions, and they're combined into a single "Dev Tools" group automatically.

Squash Merge Commit

refactor(app-admin): merge permission groups by name (#5338)

@adrians5j adrians5j added this to the 6.5.0 milestone Jun 29, 2026
app-graphql-playground and app-sdk-playground each declared the full
"dev-tools" permission group with both entities, because same-name
registrations overwrite each other in the PropertyStore (last write wins),
so each app shipped both entities to ensure the surviving one was complete.

Each app now declares only its own entity. SecurityPermissions makes each
registration id unique by appending the contributed entity ids, and
Permissions merges renderers that share a group name (concatenating their
entities, deduped by id) at render time. This also fixes a latent duplicate
React key when two renderers shared a name.

Also ignore the local .nx cache directory.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@adrians5j adrians5j force-pushed the adrian/admin-dedupe-sec-permissions-2026-06-29 branch from c21fbd0 to 9d6796d Compare June 30, 2026 08:18
@adrians5j adrians5j changed the title adrian/admin-dedupe-sec-permissions-2026-06-29 refactor(app-admin): merge permission groups by name Jun 30, 2026
@adrians5j adrians5j marked this pull request as ready for review July 3, 2026 11:20
@adrians5j adrians5j changed the title refactor(app-admin): merge permission groups by name fix(app-admin): merge permission groups by name Jul 3, 2026
@adrians5j adrians5j merged commit 21cf8c0 into next Jul 3, 2026
20 checks passed
@adrians5j adrians5j deleted the adrian/admin-dedupe-sec-permissions-2026-06-29 branch July 3, 2026 11:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant