
Access control: pessimistic rendering in CRUD views #10258

Merged
merged 14 commits into from
Oct 4, 2024

Conversation

djhi
Collaborator

@djhi djhi commented Oct 4, 2024

Problem

All CRUD views currently start to render optimistically even though authentication and optionally authorization checks are pending. This is a security issue.

Solution

Make sure the base components for all CRUD views verify that no auth checks are pending before rendering.
Introduce a loading prop accepting a ReactNode on those components that is displayed while auth checks are pending.

How To Test

Describe the steps required to test the changes

Additional Checks

  • The PR targets master for a bugfix, or next for a feature
  • The PR includes unit tests (if not possible, describe why)
  • The PR includes one or several stories (if not possible, describe why)
  • The documentation is up to date
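The problem and solution described in the PR text above, as an added illustration that is not react-admin's code and not part of this PR's diff: a framework-free JavaScript model of the optimistic rendering the PR removes next to the pessimistic gate it introduces. `AuthGate`, `makeAuthProvider`, `renderOptimistic`, `renderPessimistic` and `simulate` are assumed names; the authProvider is a constructed stand-in whose `checkAuth` and `canAccess` settle after a short delay so the pending window is observable.

```javascript
// Added example (not react-admin's code and not part of this PR): a framework-free
// model of optimistic vs. pessimistic rendering of a CRUD view while auth checks run.
// All names below are assumptions; the authProvider is a constructed stand-in.

const LOADING = Object.freeze({ kind: 'loading' }); // default `loading` element
const DENIED = Object.freeze({ kind: 'denied' });   // what a rejected view renders

// Constructed authProvider whose checkAuth and canAccess settle after `delayMs`,
// standing in for a real app with a slow auth backend.
function makeAuthProvider({ delayMs = 10, authenticated = true, allowed = true } = {}) {
  return {
    checkAuth: () =>
      new Promise((resolve, reject) =>
        setTimeout(
          () => (authenticated ? resolve() : reject(new Error('unauthenticated'))),
          delayMs
        )
      ),
    canAccess: () => new Promise(resolve => setTimeout(() => resolve(allowed), delayMs)),
  };
}

// Tracks whether the authentication and authorization checks for one view
// are still pending, and their combined outcome once they settle.
class AuthGate {
  constructor(authProvider, { action, resource, disableAuthentication = false }) {
    if (disableAuthentication) {
      this.status = 'allowed';
      this.settled = Promise.resolve();
      return;
    }
    this.status = 'pending';
    this.settled = authProvider
      .checkAuth()
      .then(() => authProvider.canAccess({ action, resource }))
      .then(
        ok => { this.status = ok ? 'allowed' : 'denied'; },
        () => { this.status = 'denied'; } // either check rejected
      );
  }
}

// Before the PR: the view body is returned while checks are still pending,
// so a slow checkAuth briefly shows data to a user who may end up denied.
function renderOptimistic(gate, { children }) {
  return gate.status === 'denied' ? DENIED : children;
}

// After the PR: the `loading` element is returned until every check has settled,
// and the view body is only rendered once the outcome is 'allowed'.
function renderPessimistic(gate, { children, loading = LOADING }) {
  switch (gate.status) {
    case 'pending': return loading;
    case 'allowed': return children;
    case 'denied': return DENIED;
    default: throw new Error(`unknown gate status: ${gate.status}`);
  }
}

// Renders one view with the chosen strategy and records what a user sees
// while the checks are pending and again after they have settled.
async function simulate({
  strategy,
  authProvider,
  action = 'create',
  resource = 'posts',
  loading,
  disableAuthentication = false,
}) {
  const gate = new AuthGate(authProvider, { action, resource, disableAuthentication });
  const children = { kind: 'view', resource, action }; // stands in for the real CRUD view
  const render = strategy === 'pessimistic' ? renderPessimistic : renderOptimistic;
  const whilePending = render(gate, { children, loading });
  await gate.settled;
  const afterSettled = render(gate, { children, loading });
  return { whilePending, afterSettled };
}
```

Running `simulate({ strategy: 'optimistic', authProvider: makeAuthProvider({ allowed: false }) })` returns a `whilePending` equal to the view body even though `afterSettled` is `DENIED`; that first value is the leak the PR closes. With `strategy: 'pessimistic'` the same run yields the `loading` element first, and passing `loading: <your element>` overrides it, which is the `loading` prop the Solution section describes.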

@djhi djhi added the WIP Work In Progress label Oct 4, 2024
@djhi djhi mentioned this pull request Oct 4, 2024
Member

@fzaninotto fzaninotto left a comment


That's great! Now apps with a slow checkAuth won't reveal anything in CRUD pages.

The UX is a bit different for the Dashboard, as users don't see the Loading page while auth is checked. Is there a way to make this view consistent with the others?

}

return (
<OptionalResourceContextProvider value={controllerProps.resource}>
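Review bot: the provider value here comes from `controllerProps.resource` rather than `props.resource`, so the resource exposed to descendants now depends on what the controller resolves; the suggestion to use `props.resource` and the reply that the controller already handles it are both about this line. A unit test rendering the base component without a `resource` prop inside an existing resource context, asserting that descendants still see the same resource, would pin that behaviour down for this and the other controllers changed the same way.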
Member


Suggested change
<OptionalResourceContextProvider value={controllerProps.resource}>
<OptionalResourceContextProvider value={props.resource}>

Otherwise it's a BC. Same for other controllers.

Collaborator Author

@djhi djhi Oct 4, 2024


No, because the controller already handles it.

@@ -81,6 +82,7 @@ export const Create = <
disableAuthentication={disableAuthentication}
hasEdit={hasEdit}
hasShow={hasShow}
loading={defaultLoading}
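Review bot: `loading={defaultLoading}` forwards the built-in fallback unconditionally, so a `loading` prop given to `<Create>` can never reach the base component. Suggest destructuring `loading = defaultLoading` from props next to `disableAuthentication`, `hasEdit` and `hasShow`, and forwarding it as `loading={loading}`; the same applies to the other views that receive this prop.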
Member


<Create> should allow overriding the loading component. Same for the others.

Collaborator Author


Stupid me

@djhi
Collaborator Author

djhi commented Oct 4, 2024

> That's great! Now apps with a slow checkAuth won't reveal anything in CRUD pages.
>
> The UX is a bit different for the Dashboard, as users don't see the Loading page while auth is checked. Is there a way to make this view consistent with the others?

Yes, by wrapping the user-provided dashboard in another component.

@fzaninotto fzaninotto merged commit 30924a4 into access-control-resources Oct 4, 2024
14 checks passed
@fzaninotto fzaninotto deleted the access-control-views-loading branch October 4, 2024 14:51
@fzaninotto fzaninotto added this to the 5.3.0 milestone Oct 4, 2024
@djhi djhi added RFR Ready For Review and removed WIP Work In Progress labels Oct 4, 2024