pleroma/admin-fe
0
0
Fork 0
Code Issues 48 Pull requests 19 Projects Releases Packages Wiki Activity

Refactor: Maybe remove function hasPermission #213

New issue
Open
opened 2022-08-20 18:01:43 +00:00 by ilja · 2 comments
ilja commented 2022-08-20 18:01:43 +00:00
Member
Copy link

src/permission.js has a function

function hasPermission(roles, permissionRoles) {
  if (roles.indexOf('admin') >= 0) return true // admin permission passed directly
  if (!permissionRoles) return true
  return roles.some(role => permissionRoles.indexOf(role) >= 0)
}

In practice this seems to always return true because the only place I see the function being called has to.meta.roles for permissionRoles. And none of the routes have meta.roles.

AFAICT this is used to return 401 for calls to the BE that a user shouldn't be able to do. But imo it should be up to the BE to determine what is allowed or not, not the FE.

So basically, I believe this function and everything that uses it and the 401 routes can/should all be removed.

`src/permission.js` has a function ```javascript function hasPermission(roles, permissionRoles) { if (roles.indexOf('admin') >= 0) return true // admin permission passed directly if (!permissionRoles) return true return roles.some(role => permissionRoles.indexOf(role) >= 0) } ``` In practice this seems to always return true because the only place I see the function being called has `to.meta.roles` for `permissionRoles`. And none of the routes have `meta.roles`. AFAICT this is used to return 401 for calls to the BE that a user shouldn't be able to do. But imo it should be up to the BE to determine what is allowed or not, not the FE. So basically, I believe this function and everything that uses it and the 401 routes can/should all be removed.
lanodan commented 2022-08-22 12:17:52 +00:00
Owner
Copy link

But imo it should be up to the BE to determine what is allowed or not, not the FE.

I'm not sure on this, I think the user experience would be quite confusing if the FE wouldn't at the very least grey-out options that BE wouldn't allow.
Specially as the interactivity on AdminFE is horribly poor so I wouldn't be surprised to see a massive bug like "BE said no but there is no visual feedback", which would be even more massive if it's not just some elements here and there.

Of course there can be some synchronisation issues in the mapping of the permissions but maybe it's the kind of stuff where Swagger/OpenAPI could be reused (importing the spec at dev/build-time but well fetching it at runtime could be tried as well).

> But imo it should be up to the BE to determine what is allowed or not, not the FE. I'm not sure on this, I think the user experience would be quite confusing if the FE wouldn't at the very least grey-out options that BE wouldn't allow. Specially as the interactivity on AdminFE is horribly poor so I wouldn't be surprised to see a massive bug like "BE said no but there is no visual feedback", which would be even more massive if it's not just some elements here and there. Of course there can be some synchronisation issues in the mapping of the permissions but maybe it's the kind of stuff where Swagger/OpenAPI could be reused (importing the spec at dev/build-time but well fetching it at runtime could be tried as well).
ilja commented 2022-08-22 18:04:44 +00:00
Author
Member
Copy link

I think the user experience would be quite confusing if the FE wouldn't at the very least grey-out options that BE wouldn't allow

Yeah I agree, but that's not what this does. Here the routes are broken, that's it. So you still see the options, but then they don't work. (Which is already the case even without this logic)

I wouldn't be surprised to see a massive bug like "BE said no but there is no visual feedback"

You do get visual feedback from that. Example:
Screenshot_20220822_195519

The worst part is that the whole thing isn't even used. The function is called, but in practice it always returns true, so it's completely useless. It kinda feels like it was added "just in case we need it later". But also assuming access would always be done purely on roles, which isn't the case any more. And even if you do want to reuse the function somehow, it's too limited in what it handles (i.e. it doesn't hide or grey out options).

Idk, maybe I'll remove it later on in #441 but we'll see.

> I think the user experience would be quite confusing if the FE wouldn't at the very least grey-out options that BE wouldn't allow Yeah I agree, but that's not what this does. Here the routes are broken, that's it. So you still see the options, but then they don't work. (Which is already the case even without this logic) > I wouldn't be surprised to see a massive bug like "BE said no but there is no visual feedback" You do get visual feedback from that. Example: ![Screenshot_20220822_195519](/attachments/66f8aec2-e140-42d4-b99e-281feaa9d9c6) The worst part is that the whole thing isn't even used. The function is called, but in practice it always returns true, so it's completely useless. It kinda feels like it was added "just in case we need it later". But also assuming access would always be done purely on roles, which isn't the case any more. And even if you do want to reuse the function somehow, it's too limited in what it handles (i.e. it doesn't hide or grey out options). Idk, maybe I'll remove it later on in https://git.pleroma.social/pleroma/admin-fe/pulls/441 but we'll see.
Screenshot_20220822_195519.png
5.7 KiB
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
coverage-stable
gitlab-mr-iid-332
renovate/sass-1.x
gitlab-mr-iid-330
renovate/babel-eslint-replacement
gitlab-mr-iid-337
renovate/autoprefixer-10.x
gitlab-mr-iid-294
renovate/babel-monorepo
gitlab-mr-iid-320
renovate/babel-loader-8.x
gitlab-mr-iid-340
remove-workers
develop
gitlab-mr-iid-339
gitlab-mr-iid-307
renovate/vue-test-utils-2.x
gitlab-mr-iid-338
renovate/element-ui-2.x
gitlab-mr-iid-309
gitlab-mr-iid-310
gitlab-mr-iid-334
gitlab-mr-iid-230
renovate/vue-monorepo
gitlab-mr-iid-336
gitlab-mr-iid-335
release/2.6
gitlab-mr-iid-333
gitlab-mr-iid-331
renovate/vue-test-utils-1.x
gitlab-mr-iid-304
gitlab-mr-iid-329
gitlab-mr-iid-328
renovate/vuex-3.x
gitlab-mr-iid-327
gitlab-mr-iid-326
stable
gitlab-mr-iid-282
release/2.5.0
gitlab-mr-iid-324
gitlab-mr-iid-323
gitlab-mr-iid-322
gitlab-mr-iid-321
gitlab-mr-iid-319
gitlab-mr-iid-318
gitlab-mr-iid-317
gitlab-mr-iid-316
gitlab-mr-iid-315
gitlab-mr-iid-313
gitlab-mr-iid-314
gitlab-mr-iid-312
gitlab-mr-iid-311
gitlab-mr-iid-305
gitlab-mr-iid-258
gitlab-mr-iid-306
gitlab-mr-iid-308
gitlab-mr-iid-303
gitlab-mr-iid-302
gitlab-mr-iid-301
gitlab-mr-iid-300
gitlab-mr-iid-299
gitlab-mr-iid-298
gitlab-mr-iid-277
gitlab-mr-iid-297
gitlab-mr-iid-255
gitlab-mr-iid-296
gitlab-mr-iid-295
gitlab-mr-iid-285
gitlab-mr-iid-288
gitlab-mr-iid-248
gitlab-mr-iid-293
gitlab-mr-iid-292
gitlab-mr-iid-291
gitlab-mr-iid-290
gitlab-mr-iid-275
gitlab-mr-iid-270
gitlab-mr-iid-269
gitlab-mr-iid-289
gitlab-mr-iid-286
gitlab-mr-iid-287
gitlab-mr-iid-256
gitlab-mr-iid-209
gitlab-mr-iid-284
gitlab-mr-iid-194
gitlab-mr-iid-283
gitlab-mr-iid-281
gitlab-mr-iid-280
gitlab-mr-iid-279
gitlab-mr-iid-278
gitlab-mr-iid-276
gitlab-mr-iid-274
gitlab-mr-iid-273
gitlab-mr-iid-272
gitlab-mr-iid-271
gitlab-mr-iid-268
gitlab-mr-iid-267
gitlab-mr-iid-266
gitlab-mr-iid-260
gitlab-mr-iid-262
gitlab-mr-iid-264
gitlab-mr-iid-263
gitlab-mr-iid-261
gitlab-mr-iid-265
gitlab-mr-iid-259
gitlab-mr-iid-257
gitlab-mr-iid-254
gitlab-mr-iid-253
gitlab-mr-iid-251
gitlab-mr-iid-252
gitlab-mr-iid-250
gitlab-mr-iid-249
gitlab-mr-iid-247
gitlab-mr-iid-246
gitlab-mr-iid-245
gitlab-mr-iid-244
gitlab-mr-iid-243
gitlab-mr-iid-242
gitlab-mr-iid-241
gitlab-mr-iid-236
gitlab-mr-iid-240
gitlab-mr-iid-216
gitlab-mr-iid-239
gitlab-mr-iid-238
gitlab-mr-iid-237
gitlab-mr-iid-235
gitlab-mr-iid-234
gitlab-mr-iid-233
gitlab-mr-iid-232
gitlab-mr-iid-231
gitlab-mr-iid-229
gitlab-mr-iid-228
gitlab-mr-iid-227
gitlab-mr-iid-226
gitlab-mr-iid-225
gitlab-mr-iid-224
gitlab-mr-iid-217
gitlab-mr-iid-223
gitlab-mr-iid-221
gitlab-mr-iid-222
gitlab-mr-iid-220
gitlab-mr-iid-219
gitlab-mr-iid-213
gitlab-mr-iid-212
gitlab-mr-iid-218
gitlab-mr-iid-215
gitlab-mr-iid-214
gitlab-mr-iid-211
gitlab-mr-iid-210
gitlab-mr-iid-207
gitlab-mr-iid-208
gitlab-mr-iid-206
gitlab-mr-iid-205
gitlab-mr-base-iid-208
feature/dynamic-settings-rendering
gitlab-mr-iid-203
gitlab-mr-iid-204
feature/render-settings-dynamically
feature/fetchs-list-of-tabs
gitlab-mr-iid-202
gitlab-mr-iid-195
gitlab-mr-iid-197
feature/post-pagination
gitlab-mr-iid-196
gitlab-mr-iid-190
feature/ability-to-add-custom-tags
gitlab-mr-iid-188
feature/settings-rollback
gitlab-mr-iid-182
gitlab-mr-iid-201
gitlab-mr-iid-200
gitlab-mr-iid-199
gitlab-mr-iid-198
gitlab-mr-iid-193
gitlab-mr-iid-192
gitlab-mr-iid-191
gitlab-mr-iid-187
gitlab-mr-iid-189
gitlab-mr-iid-186
gitlab-mr-iid-185
gitlab-mr-iid-184
feature/media-preview-proxy
gitlab-mr-iid-183
gitlab-mr-iid-181
revert-fd9f0542
feature/add-metrics-exporter-settings
gitlab-mr-iid-165
gitlab-mr-iid-180
gitlab-mr-iid-179
gitlab-mr-iid-169
gitlab-mr-iid-171
gitlab-mr-iid-178
gitlab-mr-iid-177
gitlab-mr-iid-176
gitlab-mr-iid-175
gitlab-mr-iid-159
gitlab-mr-iid-174
gitlab-mr-iid-173
gitlab-mr-iid-172
gitlab-mr-iid-170
gitlab-mr-iid-167
gitlab-mr-iid-168
gitlab-mr-iid-166
gitlab-mr-iid-164
gitlab-mr-base-iid-183
gitlab-mr-iid-163
gitlab-mr-iid-162
gitlab-mr-iid-161
gitlab-mr-iid-160
feature/update-styles
gitlab-mr-iid-158
gitlab-mr-iid-157
gitlab-mr-iid-156
gitlab-mr-iid-155
gitlab-mr-iid-154
gitlab-mr-iid-151
gitlab-mr-iid-147
gitlab-mr-iid-153
gitlab-mr-iid-152
gitlab-mr-iid-150
gitlab-mr-iid-149
gitlab-mr-iid-148
gitlab-mr-iid-142
gitlab-mr-iid-146
gitlab-mr-iid-145
gitlab-mr-iid-144
gitlab-mr-iid-143
gitlab-mr-iid-141
gitlab-mr-iid-140
gitlab-mr-iid-139
gitlab-mr-iid-137
gitlab-mr-iid-138
gitlab-mr-iid-136
gitlab-mr-iid-133
gitlab-mr-iid-134
gitlab-mr-iid-135
gitlab-mr-iid-126
gitlab-mr-iid-132
gitlab-mr-iid-120
gitlab-mr-iid-131
gitlab-mr-iid-130
gitlab-mr-iid-129
gitlab-mr-iid-128
gitlab-mr-iid-127
gitlab-mr-iid-125
gitlab-mr-iid-124
gitlab-mr-iid-123
gitlab-mr-iid-121
gitlab-mr-iid-122
gitlab-mr-iid-119
gitlab-mr-base-iid-125
gitlab-mr-iid-118
gitlab-mr-iid-117
gitlab-mr-base-iid-118
gitlab-mr-iid-112
gitlab-mr-iid-116
gitlab-mr-iid-115
gitlab-mr-iid-114
gitlab-mr-iid-113
gitlab-mr-base-iid-113
gitlab-mr-base-iid-114
gitlab-mr-base-iid-115
gitlab-mr-base-iid-116
gitlab-mr-iid-111
gitlab-mr-iid-110
gitlab-mr-iid-109
gitlab-mr-iid-108
gitlab-mr-iid-107
gitlab-mr-iid-106
gitlab-mr-iid-102
gitlab-mr-iid-105
gitlab-mr-iid-104
gitlab-mr-iid-103
gitlab-mr-iid-92
gitlab-mr-iid-101
gitlab-mr-iid-100
gitlab-mr-iid-99
gitlab-mr-iid-98
gitlab-mr-iid-97
gitlab-mr-iid-96
gitlab-mr-iid-95
gitlab-mr-iid-94
gitlab-mr-iid-93
gitlab-mr-iid-91
gitlab-mr-iid-90
gitlab-mr-iid-89
gitlab-mr-iid-88
gitlab-mr-iid-87
gitlab-mr-iid-86
gitlab-mr-iid-85
gitlab-mr-iid-84
gitlab-mr-iid-83
gitlab-mr-iid-81
gitlab-mr-iid-82
gitlab-mr-iid-80
gitlab-mr-iid-77
gitlab-mr-iid-79
gitlab-mr-iid-78
gitlab-mr-iid-65
gitlab-mr-iid-76
gitlab-mr-iid-75
gitlab-mr-iid-74
gitlab-mr-iid-73
gitlab-mr-iid-72
gitlab-mr-iid-71
gitlab-mr-iid-69
gitlab-mr-iid-70
gitlab-mr-iid-68
gitlab-mr-iid-62
gitlab-mr-iid-67
gitlab-mr-iid-53
gitlab-mr-base-iid-53
gitlab-mr-iid-52
gitlab-mr-iid-66
gitlab-mr-base-iid-52
gitlab-mr-iid-64
gitlab-mr-iid-63
gitlab-mr-base-iid-63
gitlab-mr-base-iid-64
gitlab-mr-iid-61
gitlab-mr-base-iid-61
gitlab-mr-iid-60
gitlab-mr-base-iid-60
gitlab-mr-iid-59
gitlab-mr-base-iid-59
gitlab-mr-iid-58
gitlab-mr-base-iid-58
gitlab-mr-iid-57
gitlab-mr-base-iid-57
gitlab-mr-iid-54
gitlab-mr-base-iid-54
gitlab-mr-iid-56
gitlab-mr-base-iid-56
gitlab-mr-iid-55
gitlab-mr-base-iid-55
gitlab-mr-iid-51
gitlab-mr-iid-50
gitlab-mr-base-iid-50
gitlab-mr-base-iid-51
gitlab-mr-iid-38
gitlab-mr-base-iid-38
gitlab-mr-iid-49
gitlab-mr-base-iid-49
gitlab-mr-iid-48
gitlab-mr-base-iid-48
gitlab-mr-iid-47
gitlab-mr-base-iid-47
gitlab-mr-iid-46
gitlab-mr-base-iid-46
gitlab-mr-iid-45
gitlab-mr-base-iid-45
gitlab-mr-iid-32
gitlab-mr-base-iid-32
gitlab-mr-iid-44
gitlab-mr-base-iid-44
gitlab-mr-iid-43
gitlab-mr-base-iid-43
gitlab-mr-iid-42
gitlab-mr-iid-41
gitlab-mr-base-iid-41
gitlab-mr-base-iid-42
gitlab-mr-iid-40
gitlab-mr-base-iid-40
gitlab-mr-iid-39
gitlab-mr-base-iid-39
gitlab-mr-iid-37
gitlab-mr-base-iid-37
gitlab-mr-iid-29
gitlab-mr-base-iid-29
gitlab-mr-iid-31
gitlab-mr-base-iid-31
gitlab-mr-iid-36
gitlab-mr-base-iid-36
gitlab-mr-iid-35
gitlab-mr-base-iid-35
gitlab-mr-iid-34
gitlab-mr-base-iid-34
gitlab-mr-iid-33
gitlab-mr-base-iid-33
gitlab-mr-iid-30
gitlab-mr-iid-28
gitlab-mr-base-iid-28
gitlab-mr-base-iid-30
gitlab-mr-iid-12
gitlab-mr-base-iid-12
gitlab-mr-iid-27
gitlab-mr-base-iid-27
gitlab-mr-iid-26
gitlab-mr-iid-24
gitlab-mr-iid-25
gitlab-mr-base-iid-24
gitlab-mr-base-iid-25
gitlab-mr-base-iid-26
gitlab-mr-iid-23
gitlab-mr-base-iid-23
gitlab-mr-iid-22
gitlab-mr-base-iid-22
gitlab-mr-iid-21
gitlab-mr-base-iid-21
gitlab-mr-iid-20
gitlab-mr-base-iid-20
gitlab-mr-iid-11
gitlab-mr-iid-17
gitlab-mr-iid-19
gitlab-mr-base-iid-11
gitlab-mr-base-iid-17
gitlab-mr-base-iid-19
gitlab-mr-iid-18
gitlab-mr-base-iid-18
gitlab-mr-iid-16
gitlab-mr-base-iid-16
gitlab-mr-iid-15
gitlab-mr-base-iid-15
gitlab-mr-iid-14
gitlab-mr-base-iid-14
gitlab-mr-iid-13
gitlab-mr-base-iid-13
gitlab-mr-iid-10
gitlab-mr-base-iid-10
gitlab-mr-iid-9
gitlab-mr-base-iid-9
gitlab-mr-iid-8
gitlab-mr-base-iid-8
gitlab-mr-iid-7
gitlab-mr-base-iid-7
gitlab-mr-iid-6
gitlab-mr-iid-5
gitlab-mr-base-iid-6
gitlab-mr-iid-4
gitlab-mr-base-iid-4
gitlab-mr-iid-3
gitlab-mr-base-iid-5
gitlab-mr-iid-2
gitlab-mr-base-iid-2
gitlab-mr-base-iid-3
gitlab-mr-iid-1
gitlab-mr-base-iid-1
2.5.0
2.4.0
v2.2.0
v2.1.0
v2.0.2
1.2.0
Labels
Clear labels   
blocked

   
stale
No labels
blocked
stale
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
pleroma/admin-fe#213
No description provided.