feat: sanitise access endpoint #7335

Merged
merged 25 commits into from
Nov 15, 2024

@paulpopus (Contributor) commented Jul 24, 2024

Protects the /api/access endpoint behind authentication and sanitizes the result, making it more secure and significantly smaller. To do this:

  1. The permission keyword is completely omitted from the result
  2. Only truthy access results are returned
  3. All nested permissions are consolidated when possible
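
The three steps listed above, sketched as an added example that is not part of this pull request or Payload's code. The raw input shape (leaves of the form `{ permission: boolean }`), the sample data, the name `sanitizePermissions`, and the rule that a subtree collapses to `true` only when nothing under it was denied are all assumptions made for illustration.

```javascript
// Added illustration, not Payload's code. Assumed raw shape: leaves are
// { permission: boolean } objects that carry nothing else.
const rawAccess = { // constructed sample of an unsanitized access result
  canAccessAdmin: true,
  collections: {
    posts: {
      create: { permission: true },
      read: { permission: true },
      update: { permission: false },
      fields: {
        title: { create: { permission: true }, read: { permission: true } },
        slug: { create: { permission: true }, read: { permission: true } },
      },
    },
    users: {
      create: { permission: false },
      fields: { email: { read: { permission: false } } },
    },
  },
};

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Returns `true`, a pruned object, or `undefined` when nothing is granted.
function sanitizePermissions(node) {
  // Non-object values are treated as plain booleans.
  if (!isPlainObject(node)) return node ? true : undefined;

  // Step 1: a { permission: x } leaf becomes the bare value.
  if ('permission' in node) return node.permission ? true : undefined;

  // Step 2: keep only children that grant something.
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    const clean = sanitizePermissions(value);
    if (clean !== undefined) out[key] = clean;
  }
  const kept = Object.values(out);
  if (kept.length === 0) return undefined;

  // Step 3: collapse only when no child was dropped and every child is `true`,
  // so a denied sibling is never folded into a blanket grant.
  const lossless = kept.length === Object.keys(node).length && kept.every((v) => v === true);
  return lossless ? true : out;
}

console.log(JSON.stringify(sanitizePermissions(rawAccess)));
```

Because denied entries disappear rather than appearing as `false`, a consumer of this shape has to treat a missing key as "no access".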

@denolfe denolfe added this to the 3.0 Release milestone Nov 13, 2024
@DanRibbens (Contributor)

James and I were talking about this. Do we even need the access endpoint to be exposed any longer now that we have RSC getting the permissions directly from the local API?

@paulpopus paulpopus removed this from the v3.0 milestone Nov 13, 2024
@jacobsfletch jacobsfletch marked this pull request as ready for review November 15, 2024 19:38
@jacobsfletch jacobsfletch merged commit 26ffbca into beta Nov 15, 2024
52 of 53 checks passed
@jacobsfletch jacobsfletch deleted the feat/sanitise-access-endpoint branch November 15, 2024 20:08
🚀 This is included in version v3.0.0-beta.131

jacobsfletch added a commit that referenced this pull request Nov 19, 2024
Fixes #9337. The version view was not able to render its diff because of
an invalid permissions lookup. This was a result of a change to how
access results are returned from the API, which are now sanitized:
#7335