Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix ui.isAccessAllowed when undefined to prevent access #8771

Merged
merged 1 commit into from
Aug 15, 2023
Merged

Fix ui.isAccessAllowed when undefined to prevent access #8771

merged 1 commit into from
Aug 15, 2023

Conversation

dcousens
Copy link
Member

@dcousens dcousens commented Aug 15, 2023
edited
Loading

Please see the security vulnerability report for an up-to-date description and work-around if you can't update.

What happened

The default AdminUI middleware prevents access to the AdminUI if

  • a session strategy configuration has been defined, and
  • context.session is undefined or falsey

This is not what happens for the adminMeta GraphQL query, which falls back on public access when isAccessAllowed is undefined.

The GraphQL and AdminUI middleware behaviour should be the same.
We haven't committed or documented what the behaviour should be, so what we fall back on is open ended.

In this pull request, I have opted to fall back to the same behaviour as the default Admin UI middleware, as the behaviour that users would have observed and probably expect.

@dcousens dcousens self-assigned this Aug 15, 2023
@changeset-bot

This comment was marked as resolved.

Sign in to view
@dcousens dcousens requested a review from borisno2 August 15, 2023 01:56
@dcousens dcousens force-pushed the fix-access-allowed branch from c3acf32 to d924d6a Compare August 15, 2023 02:00
@dcousens dcousens merged commit 650e27e into main Aug 15, 2023
@dcousens dcousens deleted the fix-access-allowed branch August 15, 2023 02:03
@dcousens
Copy link
Member Author

Maybe in the near future, we should drop the isAccessAllowed default, and instead update the types (or validation errors) to ensure that isAccessAllowed is always defined if a session is defined.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@borisno2 borisno2 borisno2 approved these changes

Assignees

@dcousens dcousens

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dcousens @borisno2