Implement permission policies in the API #22384
Draft
rijkvanzanten wants to merge 241 commits into auditus from auditus-21765
+11,416 −6,318
Conversation
Co-authored-by: Daniel Biegler <[email protected]>
licitdev reviewed Jun 11, 2024
This was referenced Jun 11, 2024
…xistence for admin users as well
* Changes to user counting and integrity checks
* Ensure that user validation happens in both create one and create many
* Rename `checkType` to `flags`
* Update api/src/permissions/modules/validate-remaining-admin/validate-remaining-admin-count.ts
  Co-authored-by: Daniel Biegler <[email protected]>
* Update to enum usage
  Co-authored-by: Daniel Biegler <[email protected]>
* A few more changes to enum instead of number
* One more enum type update
* Make sure to correctly override the callback when combining options
* Clean up option type
* Update api/src/services/users.ts
  Co-authored-by: ian <[email protected]>
* Only take validation shortcut for users
  We can only be sure that the deletion of users does not increase any other access types count, so in all other cases we need to verify that for example the App or API users have not increased over the limit
* Make both app and admin users count against app access limit
* Update api/src/permissions/modules/validate-remaining-admin/validate-remaining-admin-count.ts
  Co-authored-by: Pascal Jufer <[email protected]>
* One post-merge fix, two small fixes
* Simplify flag updating and callback calling
* Changing app access in a policy only requires user limit checking, not full check
* Only the status of a created user should matter to determine if a check is necessary
* Add count alias to count query
---------
Co-authored-by: Daniel Biegler <[email protected]>
Co-authored-by: ian <[email protected]>
Co-authored-by: Pascal Jufer <[email protected]>
Co-authored-by: Rijk van Zanten <[email protected]>
* Initial app changes
* Fix getRelationsForField
* Add changeset
* Remove app-permissions from role settings
* Make sure access row uuids are auto generated
* Move a few things around, set up policies m2m properly
* Show roles as tree in sidebar
  Change avatar field query for user
* Show user and role count in policy table
* Default to not adding app access for a policy, makes composability less annoying
* Correctly fall back to 0 for counts
* Change the structure of current user permissions
* Start bringing back the public role
* Make the public role a real role rather than a virtual one
* Revert public role changes
* Extend list-m2m to allow for very custom junction matching and a primary key of `null`
* Remove unused
* Fix public role policy update payload
* Fix app access for users without role (which is a thing now apparently)
* Make sure that the /me endpoints always return minimal information, similar to /users/me
* Tweak nav icons
* Pull policy id from constants
* Update permissions interface design to match New design language in figma
* Some minor adjustments
  - Make chip hover border more consistent
  - Add "Remove" button to remove a full row of permissions, as in the UI mockup
  - Fix table layout
* Clean up a few more things
* Fix `setFullAccess`
* Align collection view icons with navigation
* Don't query 'admin_access' for role
* Fix relation extraction and permissions for `$FOLLOW` fields
* Don't show `0 Items` for child rows, but `--` instead
* Make policy detail work in nested policy creating use case
* Remove unused v-icon override
* Move system collections to separate visual table
* Navigate before refresh
  Prevents a flash of the previous value to be visible in the table
* Move composable to separate file
---------
Co-authored-by: Daniel Biegler <[email protected]>
Co-authored-by: Rijk van Zanten <[email protected]>
…are not allowed at all
Scope

What's changed:
- `api/src/permissions` folder
- `roles` flag to accountability object. This is an ordered array of all the parent roles of the current user
- `get-ast-from-query` by splitting it into multiple files
- `cases` and `whenCase`. This allows us to dynamically generate the case/when SQL to have dynamic field output per item.
- `run-ast` by splitting it up into smaller files

Potential Risks / Drawbacks

Review Notes / Questions

Todos
- `whenCases` in `run-ast`
- `clear` method in `memory/cache/permissions` endpoint
- `directus_access` changes
- `directus_roles` changes
- `directus_permissions` changes
- `directus_policies` changes
- `down` migration
- `withCache` to the known keys -> Handled in Use ip in global access and stabilize accountability keys #22727
- `$FOLLOW` field key for filters (Fixed in c00ff5d)
- `app_access` and `admin_access` false

Closes #21778, closes #21765, closes #22163, closes #21769, closes #21768, closes #21767, closes #21766

Footnotes
- Eg check to make sure there's still >=1 admin left after the mutation is done
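The footnote above and the user-counting commit messages describe a lockout and limit check that runs before a user, role or policy mutation is committed. The following is an added TypeScript sketch of such a check, my own example and not Directus code; the data model (direct policy ids per user, one limit per access kind), the function names and the sample users are assumptions.

```typescript
// Added example, not Directus code: a pre-commit lockout check in the spirit of
// this PR's validate-remaining-admin-count. The data model (direct policy ids per
// user, one limit per access kind) is an assumption made for illustration.
interface Policy { admin_access: boolean; app_access: boolean }
interface User { id: string; status: 'active' | 'invited' | 'suspended' | 'archived'; policies: string[] }
type AccessKind = 'admin' | 'app' | 'api';
type Counts = Record<AccessKind, number>;
type Limits = Partial<Counts>; // missing key = unlimited
// Only active users hold access; an admin also counts against the app limit,
// mirroring "make both app and admin users count against app access limit".
function countAccess(users: User[], policies: Map<string, Policy>): Counts {
  const counts: Counts = { admin: 0, app: 0, api: 0 };
  for (const user of users) {
    if (user.status !== 'active') continue;
    const held = user.policies.map((id) => policies.get(id)).filter((p): p is Policy => !!p);
    const admin = held.some((p) => p.admin_access);
    const app = held.some((p) => p.app_access);
    if (admin) counts.admin++;
    if (admin || app) counts.app++;
    else counts.api++;
  }
  return counts;
}

// Reject leaving no active admin, or growing a kind past its limit (an existing overage is tolerated).
function validateAccessChange(before: User[], after: User[], policies: Map<string, Policy>, limits: Limits): string[] {
  const errors: string[] = [];
  const prev = countAccess(before, policies);
  const next = countAccess(after, policies);
  if (next.admin < 1) errors.push('mutation would leave no active admin user');
  for (const kind of ['admin', 'app', 'api'] as const) {
    const limit = limits[kind];
    if (limit !== undefined && next[kind] > limit && next[kind] > prev[kind]) {
      errors.push(`mutation would exceed the ${kind} limit (${next[kind]} > ${limit})`);
    }
  }
  return errors;
}
// Constructed sample state (not from the page).
const policies = new Map<string, Policy>([
  ['admin-policy', { admin_access: true, app_access: true }],
  ['editor-policy', { admin_access: false, app_access: true }],
  ['api-policy', { admin_access: false, app_access: false }],
]);
const users: User[] = [
  { id: 'u1', status: 'active', policies: ['admin-policy'] },
  { id: 'u2', status: 'active', policies: ['editor-policy'] },
  { id: 'u3', status: 'active', policies: ['api-policy'] },
];
```

Run `validateAccessChange(users, proposedUsers, policies, limits)` against the post-mutation user set and abort the transaction if the returned array is non-empty.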