Rework user integrity checks for Auditus #22737
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
hanneskuettner
requested review from
licitdev,
paescuj,
rijkvanzanten and
DanielBiegler
40 tasks
api/src/permissions/modules/validate-remaining-admin/validate-remaining-admin-count.ts
Show resolved
Hide resolved
api/src/permissions/modules/validate-remaining-admin/validate-remaining-admin-count.ts
Outdated
Show resolved
Hide resolved
…remaining-admin-count.ts Co-authored-by: Daniel Biegler <[email protected]>
Co-authored-by: Daniel Biegler <[email protected]>
licitdev
reviewed
Jun 13, 2024
Co-authored-by: ian <[email protected]>
|
@licitdev raised a very good point. There now is the problem that no changes can be made to anything permissions/roles/user related if the current user limit is exceeded before and after the transaction. This is a bigger problem on cloud, where people can't easily disable user limits leaving them in the state, where they can disable users, if they can't manage to bring their user count down to below the limits within one transaction. So we will have to (smartly) do an initial count before a transaction runs that could modify the user counts. That means moving the whole flag update into a util function to have that encapsulated in one place. Hold on tight! |
We can only be sure that the deletion of users does not increase any other access types count, so in all other cases we need to verify that for example the App or API users have not increased over the limit
paescuj
reviewed
Jun 14, 2024
api/src/permissions/modules/validate-remaining-admin/validate-remaining-admin-count.ts
Outdated
Show resolved
Hide resolved
paescuj
reviewed
Jun 14, 2024
hanneskuettner
commented
Jun 14, 2024
paescuj
reviewed
Jun 14, 2024
hanneskuettner
commented
Jun 14, 2024
…remaining-admin-count.ts Co-authored-by: Pascal Jufer <[email protected]>
rijkvanzanten
added a commit
that referenced
this pull request
Jun 17, 2024
* Update system data structure * Update migrations to keep structure flat * Remove icon from policies * Drop policies table on downgrade * Rearchitect migrations to structure v3 * Add down migration * Update system fields * Add policy to fields import * Fix public role attachment * Update packages/system-data/src/fields/index.ts Co-authored-by: Daniel Biegler <[email protected]> * Update packages/system-data/src/fields/policies.yaml Co-authored-by: Daniel Biegler <[email protected]> * Add nested roles * Remove unused step * Use two o2ms instead of m2a for attachments * Update system data * [WIP] Start reorging permissions handling * Setup field extraction * Remove watch from vitest * Finish fieldMap creation logic * Add tests for utils * Improve tests * Improve coverage * Split test and test:watch * Continue on this fun * [WIP] Setup processing * Sort roles * Restructure to util files for org * Add missing util tests * More tests * Add cases/whencase to ast * Start on injection logic * Add tests for inject cases * Add tests for process * Add todo * Organize run-ast * Add clear method to kv * Remove reliance on acc.perm * Restructure permissions setup * Drop perm from acc, add roles/policies * Remove get-permissions in middleware * Remove/comment use of acc.perm * Add default roles/permissions * Use knex So we don't have to initialize the schema before we want to use the accountability system * Use new fetching logic in get accountability * Add new fetch global access utils * Gotta redo based on new setup * Replaced with new util * Remove dropping of perm in acc It's no longer there by default, so no need to remove here * Temporarily comment out the enforce tfa check * Update usage of fetch tree to use knex * Don't store policies on accountability * Feed in roles thru acc * Bit of whitespace * Rename role->policy * Wreck some more stuff Jk, this is splitting up the large get-ast-from-query function into smaller individual functions to make it easier to update the wildcard conversion to use permissions * Add ability to lookup all allowed fields in col+ac * Add note so I don't forget stuff which i will * Handle null acc * Introduce parseAst to itemsservice * That cleans things up * Replace checkAccess with validateAccess * Remove checkaccess from service * cleanup imports * Whoops one more * Leave crumbs for next time * Implement most of the fn * Fix various tests * Start on test for fetch roles tree * Add tests for fetch roles tree * Fix process tests * All. of. the. tests. * Update uses of validateAccess * Fix name in runAst * Fix use of accountability in gql sub * Deprecate authorization service * Remove getPermissions use * Drop old getpermissions * Pass services * Replace admin/app uses with fetch global * Update fetch user count to pull from policies * Remove broken admin existence checks * Update min accountability * Remove unused import * Drop permissions override from controller * Refactor reliance on acc.perm * Replace usage of permissions in fields * Replace usage of permissions in import/export * Drop permissions use from relations * Drop no longer used method * Remove unused import * fix type usage of pk in validate * Fix default acc in user * Replace use of permissions in utils * Update reduceSchema in specs/gql * Remove old share merging * Remove empty file * Remove outdated comment * Use ctx objects for large param fns * Add with-cache memoize util * Add cache to fetchpermissions * Update caching use in fetchRolesTree * Add caching to fetchAllowedFieldMap * Add more cache * Refactor call signatures * Move call signature updates * Handle presets * Update process call sig * Prevent infinite recursion in roles tree lookup * Use create util for acc * Remove old checkIp * Fix where equality operator * Break EVERYTHING! Jk just cleaning up the structure some more, and removing the dep injection in favor of mocking * Fix build * Add missing module tests * Don't crash on missing parent * Fix role lookup * add missing type annotation * use logical-OR assignment and avoid a memory allocation * Attach admin policy in default admin creation * Fix admin check * Add todo for later * rm code duplication * fix test it was missing the new `roles` * add types and fix type error policies dont [yet] have an icon * move spread order to avoid potential future mishaps new default keys would override the manually set keys, potentially leading to unintended behavior * reduce allocations, add escape hatch to loop and type db-row * Implement case/when * Clean up comments * Optimize perm fetching in allowed f * Move apply case when to util fn * Optimize fetch-allowed-fields * Add fetch inconsistent util * Allow nulls * Remove obsolete getCacheKey * Remove unused import * Update getAccountabilityForRole test * Update fetchGlobalAccess test with one more test case + fix other test case * Type cleanup * Fix "admin access means automatic app access" in fetchGlobalAccessForQuery * Clean up and expand fetch-inconsistent-field-map.test.ts * Test uncached functions * Test uncached * Remove cases usage in parse-current-level * Only consider non-null rules in inject cases * Fix parseCurrentLevel call * Move service imports into functions to avoid circular imports * Ensure that we test that an error is thrown in processAst test * Add failing test case for flattenFilter * Ensure uniqueness in extractPathsFromQuery * Early exit in validatePath * Add additional test case for process payload test * Update validateCollectionAccess test * Clean up validate-item-access.test.ts * Remove redundant initializer * Use createDefaultAccountability * Fix fetch-user-count.test.ts * Cleanup unused default initializer * Add empty cases to subfilter in _relationCount * Drop AccessService and PermissionsService usage from services * Found some more PermissionsServices * Fix a few more tests * Add nested role relation * Fix query invocation in aggregate and group queries * Fix role property name in auth/refresh * Add some missing relations for permissions, access and roles * Add m2o relation from permissions to policy * Add m2o relation access to role, user, policy * Allow fetchPermissions to fetch all permissions and not just those limited by an action * Add parent to Role type * Make sure that admin users see all fields * Add access and policies controller, add util methods to policies and access service * Change name and description of public policy, update description of admin policy and add on delete trigger. * Make sure access row uuids are auto generated * optimize kvredis clear function and add a unit test to be fair: unit test is also testing implementation details but thats a problem there in general and for future us * Add minimal app permission and dynamic variable injection to the permission fetching * Fix m2o collection name in extractFieldsFromChildren * Make sure to clone permission before injecting dynamic variables * Actually do the cloning in with withAppMinimalPermissions since people might missbehave with the permissions obtained from PermissionsService.readByQuery so it better to go the source of the problem * Use knex transaction in createOne -> processPayload - otherwise deadlock * Make sure to respect '*' field in allowed fields * Fix extractFieldsFromChildren for o2m as well - classic * Fix allowed field check in `FieldsService.readAll` to account for multiple permissions for collection+action * Skip case/when if `allowedFields` includes '*' * Restructure the way the current users permissions are returned * add ability to clear all keys from memory cache * add test for clear method * add await to clear function * Clear permissions caches on changes to policy attachments (directus_access) and policy updates (directus_policies) and permissions updates (directus_permissions) * Make the public role a real role rather than a virtual one * Inject the public role, we're it previously was `null` * Revert adding a fix public role * remove unused variable * Ensure that a user without a role can still use the /me util endpoints * Make sure that the /me endpoints always return minimal information, similar to /users/me * Some fixes after merging main * Update api/src/permissions/utils/with-cache.ts Co-authored-by: Hannes Küttner <[email protected]> * Avoid broken role query for now * Skip related collection `parseFields` if user has no permissions * Ensure same call order as in `convertWildcards` * Create default admin policy and connect it in cli init command * Remove obsolete middleware mock in app.test.ts * Add validation against non-existent fields and collections to `validatePath` * Split up permission and path existence validation and validate path existence for admin users as well * Make applySearch not async * Fix relation extraction and permissions for `$FOLLOW` fields * Fix case when for related collections and query wrapping * Rework user integrity checks for Auditus (#22737) * Changes to user counting and integrity checks * Ensure that user validation happens in both create one and create many * Rename `checkType` to `flags` * Update api/src/permissions/modules/validate-remaining-admin/validate-remaining-admin-count.ts Co-authored-by: Daniel Biegler <[email protected]> * Update to enum usage Co-authored-by: Daniel Biegler <[email protected]> * A few more changes to enum instead of number * One more enum type update * Make sure to correctly override the callback when combining options * Clean up option type * Update api/src/services/users.ts Co-authored-by: ian <[email protected]> * Only take validation shortcut for users We can only be sure that the deletion of users does not increase any other access types count, so in all other cases we need to verify that for example the App or API users have not increased over the limit * Make both app and admin users count against app access limit * Update api/src/permissions/modules/validate-remaining-admin/validate-remaining-admin-count.ts Co-authored-by: Pascal Jufer <[email protected]> * One post-merge fix, two small fixes * Simplify flag updating and callback calling * Changing app access in a policy only requires user limit checking, not full check * Only the status of a created user should matter to determine if a check is neccessary * Add count alias to count query --------- Co-authored-by: Daniel Biegler <[email protected]> Co-authored-by: ian <[email protected]> Co-authored-by: Pascal Jufer <[email protected]> Co-authored-by: Rijk van Zanten <[email protected]> * Add roles and permissions to the app (#22654) * Initial app changes * Fix getRelationsForField * Add changeset * Remove app-permissions from role settings * Make sure access row uuids are auto generated * Move a few things around, set up policies m2m properly * Show roles as tree in sidebar Change avatar field query for user * Show user and role count in policy table * Default to not adding app access for a policy, makes composability less annoying * Correctly fall back to 0 for counts * Change the structure of current user permissions * Start bringing back the public role * Make the public role a real role rather than a virtual one * Revert public role changes * Extend list-m2m to allow for very custom junction matching and a primary key of `null` * Remove unused * Fix public role policy update payload * Fix app access for users without role (which is a thing now apparently) * Make sure that the /me endpoints always return minimal information, similar to /users/me * Tweak nav icons * Pull policy id from constants * Update permissions interface design to match New design language in figma * Some minor adjustments - Make chip hover border more consistent - Add "Remove" button to remove a full row of permissions, as in the UI mockup - Fix table layout * Clean up a few more things * Fix `setFullAccess` * Align collection view icons with navigation * Don't query 'admin_access' for role * Fix relation extraction and permissions for `$FOLLOW` fields * Don't show `0 Items` for child rows, but `--` instead * Make policy detail work in nested policy creating use case * Remove unused v-icon override * Move system collections to separate visual table * Navigate before refresh Prevents a flash of the previous value to be visible in the table * Move composable to separate file --------- Co-authored-by: Daniel Biegler <[email protected]> Co-authored-by: Rijk van Zanten <[email protected]> * Optimize types * Clone query deep * Optimize type order * Throw error on invalid role id * Rename run.js -> run-ast.js * Re-add filesizes to telemetry report collection that got lost in the merge * Make `systemCollections` reactive * Use one column per action to avoid unwanted shifting if some actions are not allowed at all * Render system and custom together * Add divider between regular and system permissions if both have elements * Add AccessService and PoliciesService to `getService` * Move policy global flags fetching to util * Move collection access fetching into util * Remove permissions for `directus_access`, `directus_permissions` and `directus_policies` from schema permissions * use formatted-value display for name & description in roles & policies * Rename `process.ts` to `process-ast.ts` * Fix process-ast import after renaming * Perform user integrity check on item deletion * Fix first admin creation on bootstrap * Revert "Fix first admin creation on bootstrap" This reverts commit bf480d0. Will be fixed by adjusting the check in access service * Don't perform admin integrity check if a new access row is created. Only check user limits * Don't set an alias to the raw column value if it is wrapped in a case/when * Correctly handle aliases when in field map and case injection --------- Co-authored-by: Pascal Jufer <[email protected]> Co-authored-by: Daniel Biegler <[email protected]> Co-authored-by: Hannes Küttner <[email protected]> Co-authored-by: Hannes Küttner <[email protected]> Co-authored-by: ian <[email protected]>
br41nslug
added a commit
that referenced
this pull request
Jun 20, 2024
* WIP start on migrations * Add migration * Don't insert if there's no rows * Use service to read/write permissions * Use payload service rather than itemsservice * Start on downgrade command * Update system data structure * Update migrations to keep structure flat * Remove icon from policies * Drop policies table on downgrade * Rearchitect migrations to structure v3 * Add down migration * Update system fields * Add policy to fields import * Fix public role attachment * Update packages/system-data/src/fields/index.ts Co-authored-by: Daniel Biegler <[email protected]> * Update packages/system-data/src/fields/policies.yaml Co-authored-by: Daniel Biegler <[email protected]> * Add nested roles * Remove unused step * Use two o2ms instead of m2a for attachments * Update system data * Implement permission policies in the API (#22384) * Update system data structure * Update migrations to keep structure flat * Remove icon from policies * Drop policies table on downgrade * Rearchitect migrations to structure v3 * Add down migration * Update system fields * Add policy to fields import * Fix public role attachment * Update packages/system-data/src/fields/index.ts Co-authored-by: Daniel Biegler <[email protected]> * Update packages/system-data/src/fields/policies.yaml Co-authored-by: Daniel Biegler <[email protected]> * Add nested roles * Remove unused step * Use two o2ms instead of m2a for attachments * Update system data * [WIP] Start reorging permissions handling * Setup field extraction * Remove watch from vitest * Finish fieldMap creation logic * Add tests for utils * Improve tests * Improve coverage * Split test and test:watch * Continue on this fun * [WIP] Setup processing * Sort roles * Restructure to util files for org * Add missing util tests * More tests * Add cases/whencase to ast * Start on injection logic * Add tests for inject cases * Add tests for process * Add todo * Organize run-ast * Add clear method to kv * Remove reliance on acc.perm * Restructure permissions setup * Drop perm from acc, add roles/policies * Remove get-permissions in middleware * Remove/comment use of acc.perm * Add default roles/permissions * Use knex So we don't have to initialize the schema before we want to use the accountability system * Use new fetching logic in get accountability * Add new fetch global access utils * Gotta redo based on new setup * Replaced with new util * Remove dropping of perm in acc It's no longer there by default, so no need to remove here * Temporarily comment out the enforce tfa check * Update usage of fetch tree to use knex * Don't store policies on accountability * Feed in roles thru acc * Bit of whitespace * Rename role->policy * Wreck some more stuff Jk, this is splitting up the large get-ast-from-query function into smaller individual functions to make it easier to update the wildcard conversion to use permissions * Add ability to lookup all allowed fields in col+ac * Add note so I don't forget stuff which i will * Handle null acc * Introduce parseAst to itemsservice * That cleans things up * Replace checkAccess with validateAccess * Remove checkaccess from service * cleanup imports * Whoops one more * Leave crumbs for next time * Implement most of the fn * Fix various tests * Start on test for fetch roles tree * Add tests for fetch roles tree * Fix process tests * All. of. the. tests. * Update uses of validateAccess * Fix name in runAst * Fix use of accountability in gql sub * Deprecate authorization service * Remove getPermissions use * Drop old getpermissions * Pass services * Replace admin/app uses with fetch global * Update fetch user count to pull from policies * Remove broken admin existence checks * Update min accountability * Remove unused import * Drop permissions override from controller * Refactor reliance on acc.perm * Replace usage of permissions in fields * Replace usage of permissions in import/export * Drop permissions use from relations * Drop no longer used method * Remove unused import * fix type usage of pk in validate * Fix default acc in user * Replace use of permissions in utils * Update reduceSchema in specs/gql * Remove old share merging * Remove empty file * Remove outdated comment * Use ctx objects for large param fns * Add with-cache memoize util * Add cache to fetchpermissions * Update caching use in fetchRolesTree * Add caching to fetchAllowedFieldMap * Add more cache * Refactor call signatures * Move call signature updates * Handle presets * Update process call sig * Prevent infinite recursion in roles tree lookup * Use create util for acc * Remove old checkIp * Fix where equality operator * Break EVERYTHING! Jk just cleaning up the structure some more, and removing the dep injection in favor of mocking * Fix build * Add missing module tests * Don't crash on missing parent * Fix role lookup * add missing type annotation * use logical-OR assignment and avoid a memory allocation * Attach admin policy in default admin creation * Fix admin check * Add todo for later * rm code duplication * fix test it was missing the new `roles` * add types and fix type error policies dont [yet] have an icon * move spread order to avoid potential future mishaps new default keys would override the manually set keys, potentially leading to unintended behavior * reduce allocations, add escape hatch to loop and type db-row * Implement case/when * Clean up comments * Optimize perm fetching in allowed f * Move apply case when to util fn * Optimize fetch-allowed-fields * Add fetch inconsistent util * Allow nulls * Remove obsolete getCacheKey * Remove unused import * Update getAccountabilityForRole test * Update fetchGlobalAccess test with one more test case + fix other test case * Type cleanup * Fix "admin access means automatic app access" in fetchGlobalAccessForQuery * Clean up and expand fetch-inconsistent-field-map.test.ts * Test uncached functions * Test uncached * Remove cases usage in parse-current-level * Only consider non-null rules in inject cases * Fix parseCurrentLevel call * Move service imports into functions to avoid circular imports * Ensure that we test that an error is thrown in processAst test * Add failing test case for flattenFilter * Ensure uniqueness in extractPathsFromQuery * Early exit in validatePath * Add additional test case for process payload test * Update validateCollectionAccess test * Clean up validate-item-access.test.ts * Remove redundant initializer * Use createDefaultAccountability * Fix fetch-user-count.test.ts * Cleanup unused default initializer * Add empty cases to subfilter in _relationCount * Drop AccessService and PermissionsService usage from services * Found some more PermissionsServices * Fix a few more tests * Add nested role relation * Fix query invocation in aggregate and group queries * Fix role property name in auth/refresh * Add some missing relations for permissions, access and roles * Add m2o relation from permissions to policy * Add m2o relation access to role, user, policy * Allow fetchPermissions to fetch all permissions and not just those limited by an action * Add parent to Role type * Make sure that admin users see all fields * Add access and policies controller, add util methods to policies and access service * Change name and description of public policy, update description of admin policy and add on delete trigger. * Make sure access row uuids are auto generated * optimize kvredis clear function and add a unit test to be fair: unit test is also testing implementation details but thats a problem there in general and for future us * Add minimal app permission and dynamic variable injection to the permission fetching * Fix m2o collection name in extractFieldsFromChildren * Make sure to clone permission before injecting dynamic variables * Actually do the cloning in with withAppMinimalPermissions since people might missbehave with the permissions obtained from PermissionsService.readByQuery so it better to go the source of the problem * Use knex transaction in createOne -> processPayload - otherwise deadlock * Make sure to respect '*' field in allowed fields * Fix extractFieldsFromChildren for o2m as well - classic * Fix allowed field check in `FieldsService.readAll` to account for multiple permissions for collection+action * Skip case/when if `allowedFields` includes '*' * Restructure the way the current users permissions are returned * add ability to clear all keys from memory cache * add test for clear method * add await to clear function * Clear permissions caches on changes to policy attachments (directus_access) and policy updates (directus_policies) and permissions updates (directus_permissions) * Make the public role a real role rather than a virtual one * Inject the public role, we're it previously was `null` * Revert adding a fix public role * remove unused variable * Ensure that a user without a role can still use the /me util endpoints * Make sure that the /me endpoints always return minimal information, similar to /users/me * Some fixes after merging main * Update api/src/permissions/utils/with-cache.ts Co-authored-by: Hannes Küttner <[email protected]> * Avoid broken role query for now * Skip related collection `parseFields` if user has no permissions * Ensure same call order as in `convertWildcards` * Create default admin policy and connect it in cli init command * Remove obsolete middleware mock in app.test.ts * Add validation against non-existent fields and collections to `validatePath` * Split up permission and path existence validation and validate path existence for admin users as well * Make applySearch not async * Fix relation extraction and permissions for `$FOLLOW` fields * Fix case when for related collections and query wrapping * Rework user integrity checks for Auditus (#22737) * Changes to user counting and integrity checks * Ensure that user validation happens in both create one and create many * Rename `checkType` to `flags` * Update api/src/permissions/modules/validate-remaining-admin/validate-remaining-admin-count.ts Co-authored-by: Daniel Biegler <[email protected]> * Update to enum usage Co-authored-by: Daniel Biegler <[email protected]> * A few more changes to enum instead of number * One more enum type update * Make sure to correctly override the callback when combining options * Clean up option type * Update api/src/services/users.ts Co-authored-by: ian <[email protected]> * Only take validation shortcut for users We can only be sure that the deletion of users does not increase any other access types count, so in all other cases we need to verify that for example the App or API users have not increased over the limit * Make both app and admin users count against app access limit * Update api/src/permissions/modules/validate-remaining-admin/validate-remaining-admin-count.ts Co-authored-by: Pascal Jufer <[email protected]> * One post-merge fix, two small fixes * Simplify flag updating and callback calling * Changing app access in a policy only requires user limit checking, not full check * Only the status of a created user should matter to determine if a check is neccessary * Add count alias to count query --------- Co-authored-by: Daniel Biegler <[email protected]> Co-authored-by: ian <[email protected]> Co-authored-by: Pascal Jufer <[email protected]> Co-authored-by: Rijk van Zanten <[email protected]> * Add roles and permissions to the app (#22654) * Initial app changes * Fix getRelationsForField * Add changeset * Remove app-permissions from role settings * Make sure access row uuids are auto generated * Move a few things around, set up policies m2m properly * Show roles as tree in sidebar Change avatar field query for user * Show user and role count in policy table * Default to not adding app access for a policy, makes composability less annoying * Correctly fall back to 0 for counts * Change the structure of current user permissions * Start bringing back the public role * Make the public role a real role rather than a virtual one * Revert public role changes * Extend list-m2m to allow for very custom junction matching and a primary key of `null` * Remove unused * Fix public role policy update payload * Fix app access for users without role (which is a thing now apparently) * Make sure that the /me endpoints always return minimal information, similar to /users/me * Tweak nav icons * Pull policy id from constants * Update permissions interface design to match New design language in figma * Some minor adjustments - Make chip hover border more consistent - Add "Remove" button to remove a full row of permissions, as in the UI mockup - Fix table layout * Clean up a few more things * Fix `setFullAccess` * Align collection view icons with navigation * Don't query 'admin_access' for role * Fix relation extraction and permissions for `$FOLLOW` fields * Don't show `0 Items` for child rows, but `--` instead * Make policy detail work in nested policy creating use case * Remove unused v-icon override * Move system collections to separate visual table * Navigate before refresh Prevents a flash of the previous value to be visible in the table * Move composable to separate file --------- Co-authored-by: Daniel Biegler <[email protected]> Co-authored-by: Rijk van Zanten <[email protected]> * Optimize types * Clone query deep * Optimize type order * Throw error on invalid role id * Rename run.js -> run-ast.js * Re-add filesizes to telemetry report collection that got lost in the merge * Make `systemCollections` reactive * Use one column per action to avoid unwanted shifting if some actions are not allowed at all * Render system and custom together * Add divider between regular and system permissions if both have elements * Add AccessService and PoliciesService to `getService` * Move policy global flags fetching to util * Move collection access fetching into util * Remove permissions for `directus_access`, `directus_permissions` and `directus_policies` from schema permissions * use formatted-value display for name & description in roles & policies * Rename `process.ts` to `process-ast.ts` * Fix process-ast import after renaming * Perform user integrity check on item deletion * Fix first admin creation on bootstrap * Revert "Fix first admin creation on bootstrap" This reverts commit bf480d0. Will be fixed by adjusting the check in access service * Don't perform admin integrity check if a new access row is created. Only check user limits * Don't set an alias to the raw column value if it is wrapped in a case/when * Correctly handle aliases when in field map and case injection --------- Co-authored-by: Pascal Jufer <[email protected]> Co-authored-by: Daniel Biegler <[email protected]> Co-authored-by: Hannes Küttner <[email protected]> Co-authored-by: Hannes Küttner <[email protected]> Co-authored-by: ian <[email protected]> * Remove changeset of already merged PR (#22653) * Fix multi cache subscribe call to preserve context Co-authored-by: Brainslug <[email protected]> * Add max length to name for policy and role names Co-authored-by: Brainslug <[email protected]> * Update app/src/modules/settings/routes/policies/collection.vue Co-authored-by: Brainslug <[email protected]> * Organize settings sidebar for clarity * Remove query limit override from access and policies controller THe query limit was added previously, where the idea was to fetch all policies in the app, but since that is not required anymore we can remove the override again, which in turn fixed pagination for policies. Woop * Rework MetaService * Fix filtered counting (previously it did not account for left join caused by permissions filter) * Collect permissions for current collection and dedupe access to align filter with the one used in the actual query * Use applyFilter and an _or filter to retrieve permitted items * Prevent certain skips in _or filters We can only skip empty filters in `_or` if either they are not equal to the value of `cases` or if _or has exactly only exactly one empty filter This is needed to prevent dropping joins that are required for the case/when construction. For example when having the permissions `_or: [ {}, {related_item: { id: 1} }]` all joins need to be retained * Revert unintentional with-cache commit * Remove check for id in children which fails on some DBs if no children are set * Show users and roles in policy item view * Update directus_access policy/roles + policy/users `one_deselect_action` This ensures that the access rows are cleaned up when removing users or roles from the policy side of the relation * Merge policy loaded from API with current edits * Make `app_access` default to false * Split field map into read specific and other fields This change is necessary since process-ast is used to verify item access for actions other than `read`. But, if a user does not have action permissions for fields used in the query filter or sort field the validation for `xByQuery` would have failed until now. * The fields are verified separately checked against read and action specific permission. * Updated all the tests accordingly * Fix `hasCaseWhen` check in `getDBQuery` Previously it was checking if `cases.length > 0` which was always true, since we always pass in at least one case (`{}`), now it checks if there are actually field nodes with a whenCase property * Don't expose o2m fields that the user might not have access to for some items This approach uses a flag that is introduced into the parent item db query, that uses the case/when construct to determine if a user has access to the o2m field on the specific item. The flag is 1 if the user has access and null otherwise. It is set in the resulting query object for all o2m fields that have a whenCase (the ones with partial access) and used when merging the nested query items into the parent items. * Accept O2MNode as fieldNode * Filter policies in fetchGlobalAccess by ip_access if applicable and use `withCache` util * Filter the policies influencing the global access by ip_access filter if an ip is available * Use `withCache` util for top level function and the two lower level functions Co-authored-by: Daniel Biegler <[email protected]> * Fix filter in roles. Again. Almost like I didn't properly test it. huh * Add cache key stability by only picking the props that are relevant from accountability and enforcing an order in the provided options object * Improve `fetchAllowedFields` to only return fields that are actually in the schema * Make a local copy of `junctionFilter` in order to prevent reloads on form value changes * Remove debug log * Update packages/system-data/src/fields/policies.yaml Co-authored-by: ian <[email protected]> * Update api/src/permissions/utils/filter-policies-by-ip.ts Co-authored-by: ian <[email protected]> * Conditionally add IP to request level cache key Add `accountability.ip` to the request level cache key if, and only if, the IP is matched by any of the `ip_access` filters of the current users policies. This ensures that, if the request IP influences the request result, it is path of the cache key, but also not included if there are no IP filters configured for the current user. * Update api/src/permissions/modules/fetch-policies-ip-access/fetch-policies-ip-access.ts Co-authored-by: ian <[email protected]> * Make sure that fetchAllowedFields does not remove field wildcard '*' * Temporarily disable cache key picking * Refine cache key picking + remove `undefined` from Accountability['ip'] type * Rename `pick` to `prepareArg` * Define the sort field for the `directus_access` junction table * Verify that user has access to automatically selected sort field and default to first allowed field if not * Sort the fetched permissions to match the order of the passed in policies * Some clean-up of TODOs and unused code * Take care of a special case, where no fields are requested and we are still interested the correct items being returned This surfaced when running `validateItemAccess` with an update permission that did not include the primary key field. * 3 less * Update api/src/database/migrations/20240328A-permissions-policies.ts Co-authored-by: ian <[email protected]> * Change /permissions/me response and add corresponding types and constants * Fix payload validation - Field validation needs to happen for admin users as well - Add back injection of validation rules for non-nullable fields Tests added/adjusted accordingly * Mark `system-permissions` interface as `system` * Remove special handling for public policy. It's one of us now. - Add `icon` field to policies - Add notice to the public role * Rename migration to most recent date * Clear permissions cache in `clearSystemCache` * Make `getDBQuery` not async * Set the sort field to `null` if the user does not have any allowed fields, not even the primary key * Handle the case where `null` is returned as item edits by the permission detail drawer and remove the existing item, if any. * Prevent role recursion (this is a simple check right now and I would expect it to fail on nested role updates that do funky stuff) * Add overflow to permissions table * Ensure fields are always passed to validation-errors When v-form is used with the `collection` prop, instead of directly passing fields via `fields` prop, the validation-errors component didn't receive any field information. This is fixed, by passing down the "finalFields" from `useForm`. This is not directly related to 'auditus', but since it seems like this will be the only place (so far) where we want to show validation-errors on a system collection, I'm committing here. * Outsource 'useSave' for roles, exactly as in policies * Clean-up policies & roles item views - Remove leftover styles, use clearer naming 'content' - Fix types (policies was using role type) - Show validation errors, handle errors on save & delete - Use loading state of v-form (to have some indicator and less layout shift) * Mark name field in policy & role as required That way, an indicator is shown in the form, and value is checked when editing via drawer * remove role filter from public registration m2o roles dont have access fields anymore, simply allow admin roles for now * Remove overflow again. It broke * Add cache purging for permission related updates. * Add `dropForeign` in migration Fixes migration on MySQL * Add parsed field name to field map instead of raw field name This fixes filtering & sorting with function as keys, e.g. `year(date_updated)` * Account for $FOLLOW field filters earlier and don't confuse them with functions (see prev commit) * Update migration to also work with CockroachDB Instead of altering the `policy` column on `directus_permissions` to add the NOT NULL constraint it needs to be created with NOT NULL in the first place, as this will fail in CockroachDB. That means we need to drop the foreign key constraint for the role column in order to update to `null` `role` to the public policy ID before we copy the values into the `policy` column * Fix typo * Add icon to default admin policy * Be more clear about where the public role applies * Update api/src/permissions/lib/fetch-policies.ts Co-authored-by: ian <[email protected]> * Update api/src/permissions/lib/fetch-policies.test.ts Co-authored-by: ian <[email protected]> * Enable GH workflows * Make eslint happy, cleanup and improve role sidebar in users view * Fix wrong suggestion application and move comments in block * Format files * Update isFullPermission test * Clean up policy filter logic * Flip order in test * Update mocking in user/flows store tests * Update expected results of a lot of api tests that changed during development (all stay true to the original idea) * Update parseFilter test * Update injectCases test * Manually set parent to `null` if a role gets deleted and remove the `SET NULL` on delete action. The `SET NULL` action causes problems problems on OracleDB * Fix limit check for new users w/o "status" field status defaults to "active", thus if the field is not in payload, the user limit check needs to be triggered * Fixed migration "inconsistent datatypes: expected - got CLOB" error in oracle * Update extractFieldsFromChildren test * Fix `count(o2m)` type queries * Update UsersService tests - Adapt to new user integrity logic - Add basic ItemsService tests to ensure user integrity checks take place * Move withAppMinimalPermissions to appropriate dir * Fixed boolean logic error for graphql counting * Make sure that relational function aliases are recognized as `functionField` * Fix permission for relational functions Before this functions that operated on a o2m field like `count(o2m)` did not respect permissions on the related collection. Now function field nodes have a cases list as well and correctly get the cases injected for the related collection. The permissions are then correctly injected in the query that is passed down to the relational count function helper. * Fix mock in withAppMinimalPermissions test * Update RolesService tests Copied and commented out old checks from roles to policies, so we can re-check later on * Add preliminary changesets * Reword changeset to "Policies" * Update .changeset/strong-numbers-warn.md Co-authored-by: Pascal Jufer <[email protected]> * Policies Documentation (#22729) Co-authored-by: Hannes Küttner <[email protected]> Co-authored-by: Brainslug <[email protected]> * Reformat docs * SDK functions for auditus (#22795) * Updated sdk types * added policy commands * prettier * Added new and missing websocket subscription hooks * Added missing endpoints * Added missing graphql endpoints * prettier * Added changesets * updated changesets * Update .changeset/nine-geckos-jog.md * Update api/src/services/graphql/index.ts Co-authored-by: Pascal Jufer <[email protected]> * Update sdk/src/rest/commands/create/policies.ts Co-authored-by: Pascal Jufer <[email protected]> * Update sdk/src/rest/commands/create/policies.ts Co-authored-by: Pascal Jufer <[email protected]> * Update sdk/src/rest/commands/read/policies.ts Co-authored-by: Pascal Jufer <[email protected]> * Update sdk/src/rest/commands/read/roles.ts Co-authored-by: Pascal Jufer <[email protected]> * Update sdk/src/rest/commands/read/policies.ts Co-authored-by: Pascal Jufer <[email protected]> * Update sdk/src/rest/commands/read/policies.ts Co-authored-by: Pascal Jufer <[email protected]> * Update sdk/src/rest/commands/read/policies.ts Co-authored-by: Pascal Jufer <[email protected]> * Update sdk/src/schema/policy.ts Co-authored-by: Pascal Jufer <[email protected]> * Update sdk/src/schema/policy.ts Co-authored-by: Pascal Jufer <[email protected]> --------- Co-authored-by: Pascal Jufer <[email protected]> --------- Co-authored-by: Daniel Biegler <[email protected]> Co-authored-by: Hannes Küttner <[email protected]> Co-authored-by: Pascal Jufer <[email protected]> Co-authored-by: Hannes Küttner <[email protected]> Co-authored-by: ian <[email protected]> Co-authored-by: Brainslug <[email protected]> Co-authored-by: Brainslug <[email protected]> Co-authored-by: Kevin Lewis <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Scope
The general idea behind this change is to delay the user integrity checks (user limits & remaining admin users) to after all changes have been made to the DB within a transaction and abort that transaction if the integrity is not given. But since modification to system collection that are relevant for the user count (per access level) can happen at any point of a mutation and it only makes sense to do the check once all mutations have been applied, it is necessary to perform this check in the
ItemsServiceitself.For this to work, every individual item service needs a way of marking a mutation as relevant for triggering a user integrity check based on the contents of the revision. For example, the role service needs to trigger and integrity check if the
parentof a role changed, since that can influence the access types of all users.Additionally it is useful to only do certain checks for some mutations, for example creating new users does not require us to validate the number of existing admin users > 0, neither does the granting of additional app or admin rights in a policy. So we want some control over what integrity checks need to be performed.
This change assumes that all top level system services are called correctly from nested payload processing operations, because otherwise we don't have a chance of identifying nested changes. This will be ensured in a different PR from @paescuj.
What's changed:
ItemsServiceMutationOptionsuserIntegrityCheckFlagsindicate if, and what user integrity checks need to be performedonRequireUserIntegrityChecka callback a nested service can call in order to pass up additional user integrity check flagsItemsServicemutation (identified by not having aonRequireUserIntegrityCheckpassed in) if any nested service identifies the need for a checkItemsServicecan pass in theuserIntegrityCheckFlagsif a check is deemed necessary from a top level callUser counting
get-*-counthelpersfetchUserCountto accept roles, users, policies and access rows to ignore, in order to allow for a reduced admin check if some of those have been removedfetchUserCountto use aggregation instead of iterating over all users sequentiallySystem Services
last_pageuser updatePotential Risks / Drawbacks
Review Notes / Questions