) --- updated-dependencies: - dependency-name: Microsoft.FluentUI.AspNetCore.Components dependency-version: 4.13.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
--- updated-dependencies: - dependency-name: QuestPDF dependency-version: 2025.12.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…13.2 (#38) --- updated-dependencies: - dependency-name: Microsoft.FluentUI.AspNetCore.Components.Icons dependency-version: 4.13.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix(web): Change allowedRoles from 'authenticated' to 'editor' * fix(web): Add route for manifest.webmanifest with anonymous
Pull request overview
This pull request updates NuGet package dependencies and modifies the authorization model for the Azure Static Web App. The changes upgrade PDF generation and UI component libraries while restricting application access from any authenticated user to only users with the "editor" role.
Changes:
- Upgraded QuestPDF from version 2025.4.0 to 2025.12.1 for improved PDF generation capabilities
- Updated Microsoft FluentUI components from version 4.13.1 to 4.13.2 for latest UI fixes
- Added anonymous access route for PWA manifest file to support Progressive Web App functionality
- Changed default authorization from "authenticated" to "editor" role, significantly restricting application access
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| Bezalu.ProjectReporting.API/Bezalu.ProjectReporting.API.csproj | Upgraded QuestPDF package to version 2025.12.1 for PDF generation improvements |
| Bezalu.ProjectReporting.Web/Bezalu.ProjectReporting.Web.csproj | Updated Microsoft FluentUI packages to version 4.13.2 for UI component fixes |
| Bezalu.ProjectReporting.Web/staticwebapp.config.json | Added PWA manifest route with anonymous access and changed default authorization to require "editor" role |
| { | ||
| "route": "/*", | ||
| "allowedRoles": ["authenticated"] | ||
| "allowedRoles": [ "editor" ] | ||
| } |
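Review bot: the replacement line `"allowedRoles": [ "editor" ]` on the `/*` rule names a custom role, and nothing in this hunk shows where `editor` is assigned. Static Web Apps supplies only `anonymous` and `authenticated` on its own, so confirm the role assignment (invitations or a roles function) is in place before this merges, otherwise every signed-in user is rejected by the catch-all. The new line also writes `[ "editor" ]` with inner spaces where the removed line used `["authenticated"]`; match the file's existing style.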
The catch-all route "/*" with "editor" role requirement will apply to all routes including API routes (/api/*). This means API endpoints will also require the "editor" role, not just the web UI. If the intent is to have different authorization requirements for API routes versus the web UI, you should add explicit route configurations for /api/* routes before the catch-all route. For example:

```json
{
  "route": "/api/*",
  "allowedRoles": ["authenticated"]
}
```

Otherwise, ensure that the "editor" role requirement for API access is intentional and documented.
| { | ||
| "route": "/*", | ||
| "allowedRoles": ["authenticated"] | ||
| "allowedRoles": [ "editor" ] | ||
| } |
With the catch-all route now requiring "editor" role, static assets like CSS (/css/), JavaScript (/js/), icons (/icon-*.png), and favicon (/favicon.ico) will also require authentication with the "editor" role. While these are excluded from navigationFallback, they are not excluded from route authorization.
For a typical web application, these static assets should be accessible without authentication to allow the application shell to load before authentication. Consider adding explicit route entries for these static assets with anonymous access:

```json
{
  "route": "/css/*",
  "allowedRoles": ["anonymous"]
},
{
  "route": "/js/*",
  "allowedRoles": ["anonymous"]
},
{
  "route": "/favicon.ico",
  "allowedRoles": ["anonymous"]
},
{
  "route": "/icon-*.png",
  "allowedRoles": ["anonymous"]
}
```

These routes should be added before the catch-all "/*" route.
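
Both review comments above turn on how the `routes` array is evaluated: top to bottom, first match wins. The following added example (not code from this repository or from the reviewer) models that with a simplified matcher, exact paths and a trailing `*` only, ignoring `methods`, over a constructed config mirroring the PR's manifest route plus catch-all; function names and sample paths are assumptions.

```python
import json

# Constructed config modelling the PR's end state: an anonymous manifest
# route followed by the catch-all that now requires the "editor" role.
CONFIG = json.loads("""
{
  "routes": [
    {"route": "/manifest.webmanifest", "allowedRoles": ["anonymous"]},
    {"route": "/*", "allowedRoles": ["editor"]}
  ]
}
""")


def matches(pattern: str, path: str) -> bool:
    """Simplified matcher: exact path, or a trailing '*' wildcard."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def effective_roles(config: dict, path: str) -> list[str]:
    """Return allowedRoles of the first matching rule (first match wins)."""
    for rule in config.get("routes", []):
        if matches(rule["route"], path):
            # A rule without allowedRoles defaults to anonymous access.
            return rule.get("allowedRoles", ["anonymous"])
    return ["anonymous"]  # no rule matched: not role-restricted


def shadowed_rules(config: dict) -> list[str]:
    """Rules that can never fire because an earlier wildcard covers them."""
    seen, dead = [], []
    for rule in config.get("routes", []):
        probe = rule["route"].rstrip("*")
        if any(e.endswith("*") and matches(e, probe) for e in seen):
            dead.append(rule["route"])
        seen.append(rule["route"])
    return dead


def audit(config: dict, paths: list[str]) -> dict[str, list[str]]:
    """Map each sample path to the roles that may request it."""
    return {p: effective_roles(config, p) for p in paths}
```

Running `audit` over a list of the app's real asset and API paths in CI makes a change to the catch-all show up as a diff in effective roles rather than as a broken page after deployment.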
Azure Static Web Apps: Your stage site is ready! Visit it here: https://mango-river-0addcf70f-43.eastus2.2.azurestaticapps.net
This pull request updates dependencies and modifies access control for the web application. The most important changes include upgrading NuGet package versions for better stability and security, and refining route authorization rules to improve role-based access.
Dependency Upgrades:
- `QuestPDF` package in `Bezalu.ProjectReporting.API.csproj` from version `2025.4.0` to `2025.12.1` for improved PDF generation features and bug fixes.
- `Microsoft.FluentUI.AspNetCore.Components` and `Microsoft.FluentUI.AspNetCore.Components.Icons` in `Bezalu.ProjectReporting.Web.csproj` from `4.13.1` to `4.13.2` to incorporate latest UI enhancements and fixes.

Authorization and Routing Changes:
- `/manifest.webmanifest` in `staticwebapp.config.json`, allowing access for anonymous users to improve PWA support.
- `"authenticated"` to `"editor"` in `staticwebapp.config.json`, restricting general access to users with the `editor` role.