NEXT-30849 - Fix permission errors

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file.
 
+## [3.0.15] - 05.10.2023
+
+## Removed
+
+- Removed client side permission validation based on Entities and EntityCollections
+
 ## [3.0.13] - 21.07.2023
 
 ## Fixed

devenv.lock

@@ -34,12 +34,15 @@
  }
  },
  "flake-utils": {
+ "inputs": {
+ "systems": "systems"
+ },
  "locked": {
- "lastModified": 1667395993,
- "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+ "lastModified": 1685518550,
+ "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
  "owner": "numtide",
  "repo": "flake-utils",
- "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+ "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
  "type": "github"
  },
  "original": {
@@ -96,7 +99,7 @@
  },
  "original": {
  "owner": "NixOS",
- "ref": "nixos-22.11",
+ "ref": "nixos-23.05",
  "repo": "nixpkgs",
  "type": "github"
  }
@@ -131,6 +134,21 @@
  "nixpkgs": "nixpkgs",
  "pre-commit-hooks": "pre-commit-hooks"
  }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
  }
  },
  "root": "root",

e2e/channel.spec.ts

@@ -580,81 +580,6 @@ test.describe('Privilege tests', () => {
  expect(response.isMissingPrivilesErrorInstance).toBe(true);
  });
 
- test('should not accept entity data without correct privileges (create,read,update,delete)', async ({ page }) => {
- const { mainFrame, subFrame } = await setup({ page });
-
- await mainFrame.evaluate(() => {
- window.sw_internal.setExtensions({
- example: {
- baseUrl: 'http://localhost:8182',
- permissions: {
- read: ['product']
- }
- }
- });
-
- window.sw_internal.handle('_collectionTest', () => {
- const collection = new window.sw_internal.Collection(
- 'playwright',
- 'product',
- // @ts-expect-error
- {},
- new window.sw_internal.Criteria(),
- );
-
- collection.add(new window.sw_internal.Entity('productEntityId', 'product', {
- name: 'Amazing T-Shirt',
- foo: new window.sw_internal.Entity('manufacturerEntityId', 'manufacturer', {
- name: 'Shopware AG',
- })
- }));
-
- return {
- title: 'Collection privilege test',
- collection: collection,
- }
- })
- })
-
- const response = await subFrame.evaluate(async () => {
- const collection = new window.sw_internal.Collection(
- 'playwright',
- 'product',
- // @ts-expect-error
- {},
- new window.sw_internal.Criteria(),
- );
-
- collection.add(new window.sw_internal.Entity('productEntityId', 'product', {
- name: 'Amazing SDK T-Shirt',
- foo: new window.sw_internal.Entity('manufacturerEntityId', 'manufacturer', {
- name: 'Best manufacturer ever',
- })
- }));
-
- try {
- const result = await window.sw_internal.send('_collectionTest', {
- title: 'From SDK',
- collection: collection,
- });
-
- return {
- response: result,
- errorMessage: 'No error happened',
- }
- } catch (error) {
- return {
- response: error,
- errorMessage: error.toString(),
- isMissingPrivilesErrorInstance: error instanceof window.sw_internal.MissingPrivilegesError
- }
- }
- });
-
- expect(response.errorMessage).toEqual(`Error: Your app is missing the privileges create:product, delete:product, update:product, create:manufacturer, delete:manufacturer, read:manufacturer, update:manufacturer for action "_collectionTest".`);
- expect(response.isMissingPrivilesErrorInstance).toBe(true);
- });
-
  test('should accept entity data without correct privileges when on the same origin (for plugins)', async ({ page }) => {
  const { mainFrame, subFrame } = await setup({ page });
 

package.json

@@ -1,7 +1,7 @@
 {
  "name": "@shopware-ag/admin-extension-sdk",
  "license": "MIT",
- "version": "3.0.14",
+ "version": "3.0.15",
  "repository": "git://github.com/shopware/admin-extension-sdk.git",
  "description": "The SDK for App iframes to communicate with the Shopware Administration",
  "keywords": [

src/channel.ts

@@ -7,7 +7,6 @@ import { ShopwareMessageTypePrivileges } from './privileges';
 import MissingPrivilegesError from './privileges/missing-privileges-error';
 import SerializerFactory from './_internals/serializer';
 import createError from './_internals/error-handling/error-factory';
-import validate from './_internals/validator/index';
 import type { datasetRegistration } from './data';
 import { selectData } from './data/_internals/selectData';
 import sdkVersion from './_internals/sdkVersion';
@@ -126,47 +125,7 @@ export function send<MESSAGE_TYPE extends keyof ShopwareMessageTypes>(
  _callbackId: callbackId,
  };
 
- let serializedData = serialize(messageData) as ShopwareMessageSendData<MESSAGE_TYPE>;
-
- // Validate if send value contains entity data where the app has no privileges for
- if (_origin) {
- const validationErrors = validate({
- serializedData: serializedData,
- origin: _origin,
- privilegesToCheck: ['read'],
- type: type,
- });
-
- if (validationErrors) {
- // Datasets need the id for matching the response
- if ([
- 'datasetSubscribe',
- 'datasetUpdate',
- 'datasetRegistration',
- 'datasetGet',
- ].includes(serializedData._type)) {
- serializedData = serialize({
- _type: serializedData._type,
- _callbackId: serializedData._callbackId,
- _data: {
- // @ts-expect-error - We know with the includes that it has an ID
- // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
- id: serializedData._data.id,
- data: validationErrors,
- },
- }) as ShopwareMessageSendData<MESSAGE_TYPE>;
- }
- // Everything else can overwrite the response
- else {
- serializedData = serialize({
- _type: serializedData._type,
- _callbackId: serializedData._callbackId,
- _data: validationErrors,
- }) as ShopwareMessageSendData<MESSAGE_TYPE>;
- }
-
- }
- }
+ const serializedData = serialize(messageData) as ShopwareMessageSendData<MESSAGE_TYPE>;
 
  // Convert message data to string for message sending
  const message = JSON.stringify(serializedData);
@@ -315,21 +274,6 @@ export function handle<MESSAGE_TYPE extends keyof ShopwareMessageTypes>
 
  // eslint-disable-next-line @typescript-eslint/explicit-function-return-type
  const responseValue = await Promise.resolve((() => {
- /*
- * Validate incoming handle messages for privileges
- * in Entity and Entity Collection
- */
- const validationErrors = validate({
- serializedData: shopwareMessageData,
- origin: event.origin,
- type: type,
- privilegesToCheck: ['create', 'delete', 'update', 'read'],
- });
-
- if (validationErrors) {
- return validationErrors;
- }
-
  // eslint-disable-next-line @typescript-eslint/no-unsafe-return
  return method(
  deserializedMessageData._data,
@@ -345,23 +289,7 @@ export function handle<MESSAGE_TYPE extends keyof ShopwareMessageTypes>
 
  // Replace methods etc. so that they are working in JSON format
  const serializedResponseMessage = ((): ShopwareMessageResponseData<MESSAGE_TYPE> => {
- let serializedMessage = serialize(responseMessage) as ShopwareMessageResponseData<MESSAGE_TYPE>;
-
- // Validate if response value contains entity data where the app has no privileges for
- const validationErrors = validate({
- serializedData: serializedMessage,
- origin: event.origin,
- privilegesToCheck: ['read'],
- type: type,
- });
-
- if (validationErrors) {
- // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
- serializedMessage._response = validationErrors;
- serializedMessage = serialize(serializedMessage) as ShopwareMessageResponseData<MESSAGE_TYPE>;
- }
-
- return serializedMessage;
+ return serialize(responseMessage) as ShopwareMessageResponseData<MESSAGE_TYPE>;
  })();
 
  const stringifiedResponseMessage = JSON.stringify(serializedResponseMessage);