feat: add dashboard option allowAnonymousUser
#2066
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Thanks for opening this pull request!
|
mtrezza
requested changes
Mar 23, 2022
|
Still some checks failing. Please request another review once this is ready. |
|
Is this a breaking change? Does an existing deployment need a reconfiguration to maintain the same security? |
|
I would say so, an existing localhost configuration would need to be changed but remote servers should function the same as before |
|
I guess our deprecation policy should be (or is in practice already) extending to Parse Dashboard. So breaking changes should probably happen accumulated once a year only as well. Otherwise we may have a breaking change every other month. Is there a way to make this non-breaking? For example, if the new option is not set, fall back to the old behavior. |
|
The only way I think is if we set |
|
Yes, I think we should avoid that |
|
Could you rebase this on alpha? |
## [4.1.1-alpha.1](parse-community/parse-dashboard@4.1.0...4.1.1-alpha.1) (2022-04-04) ### Bug Fixes * security upgrade js-beautify from 1.14.0 to 1.14.1 ([parse-community#2077](parse-community#2077)) ([e4ea787](parse-community@e4ea787)) * security vulnerability bump minimist from 1.2.5 to 1.2.6 ([parse-community#2070](parse-community#2070)) ([3d0407e](parse-community@3d0407e))
* adding internal class (e.g. `_User`) fails due to prefixed underscore ([parse-community#2036](parse-community#2036)) ([f80bd07](parse-community@f80bd07))
# [4.0.0-alpha.17](parse-community/parse-dashboard@4.0.0-alpha.16...4.0.0-alpha.17) (2022-02-23) ### Bug Fixes * security upgrade prismjs from 1.26.0 to 1.27.0 ([parse-community#2047](parse-community#2047)) ([3afb24e](parse-community@3afb24e))
Snyk has created this PR to upgrade @babel/runtime from 7.17.0 to 7.17.2. See this package in npm: https://www.npmjs.com/package/@babel/runtime See this project in Snyk: https://app.snyk.io/org/acinader/project/3e039b91-2450-4b56-8420-baf56cab388e?utm_source=github&utm_medium=referral&page=upgrade-pr
# [4.0.0-alpha.18](parse-community/parse-dashboard@4.0.0-alpha.17...4.0.0-alpha.18) (2022-03-02) ### Bug Fixes * upgrade @babel/runtime from 7.17.0 to 7.17.2 ([parse-community#2055](parse-community#2055)) ([93335e9](parse-community@93335e9))
Snyk has created this PR to upgrade express from 4.17.2 to 4.17.3. See this package in npm: https://www.npmjs.com/package/express See this project in Snyk: https://app.snyk.io/org/acinader/project/3e039b91-2450-4b56-8420-baf56cab388e?utm_source=github&utm_medium=referral&page=upgrade-pr Co-authored-by: Manuel <5673677+mtrezza@users.noreply.github.com>
# [4.0.0-alpha.19](parse-community/parse-dashboard@4.0.0-alpha.18...4.0.0-alpha.19) (2022-03-10) ### Bug Fixes * upgrade express from 4.17.2 to 4.17.3 ([parse-community#2058](parse-community#2058)) ([f8dc602](parse-community@f8dc602))
# [4.0.0-alpha.20](parse-community/parse-dashboard@4.0.0-alpha.19...4.0.0-alpha.20) (2022-03-16) ### Features * change string filter description ([parse-community#2059](parse-community#2059)) ([bb1e184](parse-community@bb1e184))
Snyk has created this PR to upgrade otpauth from 7.0.10 to 7.0.11. See this package in npm: https://www.npmjs.com/package/otpauth See this project in Snyk: https://app.snyk.io/org/acinader/project/3e039b91-2450-4b56-8420-baf56cab388e?utm_source=github&utm_medium=referral&page=upgrade-pr
# [4.0.0-alpha.21](parse-community/parse-dashboard@4.0.0-alpha.20...4.0.0-alpha.21) (2022-03-18) ### Bug Fixes * upgrade otpauth from 7.0.10 to 7.0.11 ([parse-community#2061](parse-community#2061)) ([c379306](parse-community@c379306))
dblythy
force-pushed
the
allowAnonymousUser
branch
from
6921339 to
b9cc888
Compare
mtrezza
reviewed
Apr 14, 2022
mtrezza
force-pushed
the
alpha
branch
2 times, most recently
from
d32a043 to
0f42a34
Compare
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New Pull Request Checklist
Issue Description
Parse Dashboard assumes security if it detects a remote server, which is unreliable. This adds the option
allowAnonymousUserwhich defaults to false.Related issue: #2065
Approach
allowAnonymousUserthat defaults to false. Setting this to true allows Dashboard to run with no users.This also add additional security for when dashboard is run on localhost with no options. Previously Dashboard was effectively assuming the
devparameter if localhost. This PR will only run Dashboard indevmode if it's implicitly set. To get previous localhost behaviour, thedevparameter is required to be set.TODOs before merging