Fix check access on page load #1512

Open
wants to merge 1 commit into
base: main

joonatank
Contributor

@joonatank joonatank commented Nov 15, 2024

🛠️ Changelog

  • Fix: block seeing other users' applications in the customer application (URL access) even if the user has access to the data.
  • Refactor: replace per-page checks from reservations with middleware so any pages under the /reservations path will always be protected with the same rules.

🧪 Test plan

  • Manual testing: in the customer app, users with admin (or other roles with access) are blocked from seeing other users' reservations and applications (similar to regular users) and receive a 404 error. This works for all paths related to reservations and applications (i.e. user-specific data).

🎫 Tickets

@joonatank joonatank force-pushed the fix-check-access-on-page-load branch 3 times, most recently from 5d3b36d to 835eab4 Compare November 15, 2024 11:32
@joonatank joonatank changed the base branch from fix-middleware-running-on-asset-requests to chore-update-gql-types November 15, 2024 11:36
Base automatically changed from chore-update-gql-types to main November 15, 2024 15:02
@joonatank joonatank force-pushed the fix-check-access-on-page-load branch 2 times, most recently from 7a88fb9 to e754155 Compare November 18, 2024 06:11
In the customer app, a user should have access to reservations and
applications only if they own them (even if they have higher access in
the admin application).

For unauthorized access, return a 404 error.
@joonatank joonatank marked this pull request as ready for review November 18, 2024 11:59
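
Added example, not code from this pull request: a framework-independent sketch of the rule described above, where one guard covers every path under the user-specific prefixes, only ownership counts (roles are ignored), and missing and foreign records both answer 404. The `/applications` prefix, the record ids, the user objects, `findOwner` and the treatment of anonymous callers and list pages are assumptions made for illustration.

```javascript
// Added example: owner-only guard for user-specific paths (all names and data are assumptions).
const PROTECTED = new Set(["reservations", "applications"]);

// Constructed sample records standing in for a backend lookup: id -> owner.
const RECORDS = {
  reservations: { 101: "alice", 102: "bob" },
  applications: { 7: "bob" },
};

// Hypothetical lookup; a real app would query its own API here.
function findOwner(kind, id) {
  return RECORDS[kind]?.[id] ?? null;
}

// Split a URL path into the protected collection and the record id, if any.
// Matching on whole segments keeps "/reservationsx" from counting as "/reservations".
function parseTarget(pathname) {
  const [kind, id] = pathname.split("/").filter(Boolean);
  if (!PROTECTED.has(kind)) return null;
  return { kind, id: id ?? null };
}

// Returns the HTTP status the guard would answer with (200 = continue to the page).
function checkAccess(pathname, user) {
  const target = parseTarget(pathname);
  if (target === null) return 200; // not user-specific data
  if (!user) return 404; // assumption: anonymous callers are treated like non-owners
  if (target.id === null) return 200; // list page, assumed to show only the caller's records
  if (!/^[1-9][0-9]*$/.test(target.id)) return 404; // malformed id, fail closed
  // user.roles is intentionally never consulted: ownership is the only rule here.
  const owner = findOwner(target.kind, target.id);
  // Missing and foreign records get the same answer, so ids cannot be enumerated.
  return owner === user.id ? 200 : 404;
}
```

Because the decision is made on the first two path segments, sub-pages such as `/reservations/102/edit` inherit the check without any per-page code.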