
fix unauthorised access to pages #37

Merged
merged 1 commit into from
Jun 3, 2024

Conversation

torkashvand
Contributor

No description provided.

@DutchBen
Collaborator

DutchBen commented Jun 3, 2024

I think this LGTM. At first I couldn't think of any use cases but this could be useful if someone with access rights shares a link with someone who doesn't. Currently the situation for the receiving user would be unclear, they would see the page but not the data. A review by @ricardovdheijden would be useful since he did most of the auth work

@torkashvand
Contributor Author

> I think this LGTM. At first I couldn't think of any use cases but this could be useful if someone with access rights shares a link with someone who doesn't. Currently the situation for the receiving user would be unclear, they would see the page but not the data. A review by @ricardovdheijden would be useful since he did most of the auth work

I wanted to clarify that both the backend and frontend handle authorization separately. If a tab or menu is hidden from a user, they shouldn’t be able to access that page by typing in the URL.

In my case, I used OPA (Open Policy Agent) to hide certain menus, which worked. But I could still access the hidden pages by navigating to them manually, which shouldn't happen.

This is not about backend authorization; it’s important that the frontend also blocks these pages to prevent unauthorized access.

@torkashvand torkashvand requested review from ricardovdheijden and removed request for wouter1975 June 3, 2024 11:21
@DutchBen
Collaborator

DutchBen commented Jun 3, 2024

> I wanted to clarify that both the backend and frontend handle authorization separately. If a tab or menu is hidden from a user, they shouldn’t be able to access that page by typing in the URL.
>
> In my case, I used OPA (Open Policy Agent) to hide certain menus, which worked. But I could still access the hidden pages by navigating to them manually, which shouldn't happen.
>
> This is not about backend authorization; it’s important that the frontend also blocks these pages to prevent unauthorized access.

To clarify the clarification. I understand the purpose of the PR and you are right and it aligns with my comment. The backend handles its own authorization, you are able to call the API endpoints even without a frontend. That means the page becomes meaningless when you try to visit a page without rights because you will see different data and it's better to notify a user about that.
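The point both commenters make, that hiding a menu entry is not the same as blocking the route, comes down to making the menu filter and the page guard consume the same policy decision. The following is an added example and is not code from orchestrator-ui or from either commenter: the decision map stands in for the result of an OPA query, and its shape, the sample paths, and the function names (`isAllowed`, `visibleMenu`, `guardRoute`) are assumptions made for this illustration. It also covers the deep-link case a menu filter alone never sees: a URL such as `/processes/<id>?tab=steps` is governed by the decision for `/processes`, and a path with no decision at all is denied rather than rendered.

```typescript
// Added example (not orchestrator-ui code). One decision map feeds both the menu
// filter and the route guard, so a page hidden from the menu is also blocked when
// its URL is typed directly. The map below is a constructed stand-in for an OPA
// query result; its shape and contents are assumptions for this example.

type MenuItem = { label: string; href: string };

type RouteGuardResult =
  | { action: "render" }
  | { action: "deny"; redirectTo: string };

// Constructed sample: allow/deny per page path, as a policy query might return it.
export const SAMPLE_DECISIONS: Record<string, boolean> = {
  "/": true,
  "/subscriptions": true,
  "/processes": false,
  "/settings": false,
};

// Constructed sample menu; hrefs are the keys the policy decides on.
export const SAMPLE_MENU: MenuItem[] = [
  { label: "Home", href: "/" },
  { label: "Subscriptions", href: "/subscriptions" },
  { label: "Processes", href: "/processes" },
  { label: "Settings", href: "/settings" },
];

// Normalise a browser path: drop query string and fragment, collapse repeated
// slashes, strip a trailing slash (except for the root), ensure a leading slash.
export function normalisePath(path: string): string {
  const noQuery = path.split(/[?#]/)[0] ?? "";
  const collapsed = noQuery.replace(/\/+/g, "/");
  const withLead = collapsed.startsWith("/") ? collapsed : "/" + collapsed;
  return withLead.length > 1 ? withLead.replace(/\/$/, "") : withLead;
}

// The decision key that governs a path: the longest key equal to the path or to
// one of its parent segments. The root key only matches the root itself, so an
// unknown path falls through to "no decision" rather than inheriting "/".
export function governingKey(
  path: string,
  decisions: Record<string, boolean>,
): string | undefined {
  const target = normalisePath(path);
  let bestKey: string | undefined;
  let bestLen = -1;
  for (const key of Object.keys(decisions)) {
    const nk = normalisePath(key);
    const matches = target === nk || (nk !== "/" && target.startsWith(nk + "/"));
    if (matches && nk.length > bestLen) {
      bestKey = key;
      bestLen = nk.length;
    }
  }
  return bestKey;
}

// Default deny: no governing decision, or a denied one, means not allowed.
export function isAllowed(path: string, decisions: Record<string, boolean>): boolean {
  const key = governingKey(path, decisions);
  return key !== undefined && decisions[key] === true;
}

// Menu filtering uses exactly the same check as the route guard below.
export function visibleMenu(items: MenuItem[], decisions: Record<string, boolean>): MenuItem[] {
  return items.filter((item) => isAllowed(item.href, decisions));
}

// Route guard: called with the requested path before a page is rendered. A denied
// path yields a redirect target instead of letting the page mount with empty data.
export function guardRoute(
  path: string,
  decisions: Record<string, boolean>,
  fallback = "/",
): RouteGuardResult {
  return isAllowed(path, decisions)
    ? { action: "render" }
    : { action: "deny", redirectTo: fallback };
}
```

Usage: `visibleMenu(SAMPLE_MENU, SAMPLE_DECISIONS)` keeps only Home and Subscriptions, and `guardRoute("/processes/abc-123?tab=steps", SAMPLE_DECISIONS)` returns a deny with a redirect to `/`, because the longest governing key is `/processes`. Keeping both paths through one `isAllowed` is the design choice that matters: a second, separate rule for routes is where menu and page visibility drift apart.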

@torkashvand torkashvand merged commit 998ac1a into main Jun 3, 2024
4 checks passed