[ESCONF-12] write a lint rule to prevent .all in permission sets Created: 30/Sep/21 Updated: 18/Jun/22 Resolved: 16/Jun/22 |
|
| Status: | Closed |
| Project: | eslint-config-stripes |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Story | Priority: | P3 |
| Reporter: | Zak Burke | Assignee: | Ryan Berger |
| Resolution: | Won't Do | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: |
| Sprint: | stripes-force 133, stripes-force 134 |
| Development Team: | Stripes Force |
| Description |
|
Summary: UI permission sets should not contain .all permissions from backend repositories. We should be able to check for that with lint. |
| Comments |
| Comment by Craig McNally [ 03/Feb/22 ] |
|
Khalilah Gambrell - the security team discussed this today and think it would be helpful to have this in place. When do you think the team can get to this? |
| Comment by Khalilah Gambrell [ 08/Mar/22 ] |
|
Per stripes-force weekly meeting > Ryan will create a story to investigate approach to address this issue. |
| Comment by Ryan Berger [ 16/Jun/22 ] |
|
Based on the limitation of JSON where comments are not allowed, this makes the implementation of this rule very difficult since there would be no way to override cases where .all is actually needed. Any other approach such as converting these config values to javascript is a ton of effort for not a whole lot of benefit, since most repositories have already fixed offending cases. Only inn-reach has major cleanup left to do. All that said, I am closing this issue as 'won't do'. |
| Comment by Khalilah Gambrell [ 18/Jun/22 ] |
|
Craig McNally, please see Ryan Berger's comment above. cc: Zak Burke |
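
The check the description asks for, as an added example (not code from eslint-config-stripes or any project repository): it assumes permission sets live under `stripes.permissionSets` in a module's `package.json`, each with `permissionName` and `subPermissions`, and it keeps overrides in a separate allowlist because JSON has no comments. The function name, the allowlist format and the sample data are constructed for illustration.

```javascript
// Added example. Assumed layout: package.json -> stripes.permissionSets[],
// each entry having permissionName (string) and subPermissions (string[]).

// Returns every subPermission ending in ".all" that is not explicitly allowed.
// allowlist entries use the hypothetical form "<permissionName>:<subPermission>",
// so an exception is granted to one permission set, not to the whole module.
function findAllPermissions(pkg, allowlist = []) {
  const allowed = new Set(allowlist);
  const sets = (pkg && pkg.stripes && pkg.stripes.permissionSets) || [];
  const findings = [];
  for (const set of sets) {
    for (const sub of set.subPermissions || []) {
      if (typeof sub !== 'string' || !sub.endsWith('.all')) continue;
      if (allowed.has(`${set.permissionName}:${sub}`)) continue;
      findings.push({ permissionSet: set.permissionName, subPermission: sub });
    }
  }
  return findings;
}

// Constructed sample input, not taken from a real module.
const samplePkg = {
  name: '@example/ui-example',
  stripes: {
    permissionSets: [
      {
        permissionName: 'ui-example.view',
        subPermissions: ['users.collection.get', 'users.all'],
      },
      {
        permissionName: 'ui-example.settings.edit',
        subPermissions: ['configuration.all', 'circulation.all', 'ui-example.view'],
      },
    ],
  },
};

// Constructed allowlist: the one case where ".all" is accepted as needed.
const sampleAllowlist = ['ui-example.settings.edit:configuration.all'];

for (const f of findAllPermissions(samplePkg, sampleAllowlist)) {
  console.log(`${f.permissionSet}: disallowed subPermission "${f.subPermission}"`);
}
```

In CI the same function can be run over each repository's `package.json`, failing the build when the returned list is not empty.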