[FOLIO-3198] UI apps should avoid using ".all" permissions Created: 11/Jun/21  Updated: 06/Oct/22  Resolved: 06/Oct/22

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P2
Reporter: Zak Burke Assignee: Unassigned
Resolution: Done Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to UICHKIN-261 Permission set in ui-checkin needs ev... Closed
relates to UICHKOUT-724 Permission set in ui-checkout needs e... Closed
relates to UID-87 permission sets should avoid ".all" p... Closed
relates to UIEH-1135 permission sets should avoid ".all" p... Closed
relates to UINOTES-108 permission sets should avoid ".all" p... Closed
relates to UITEN-178 permission sets should avoid ".all" p... Closed
relates to ESCONF-12 write a lint rule to prevent .all in ... Closed
relates to UIAC-30 settings.acquisition-units.enabled sh... Closed
relates to UIORGS-251 permission sets should avoid ".all" p... Closed
relates to UIREC-141 permission sets should avoid ".all" p... Closed
relates to UIAC-41 refactor psets away from backend ".al... Closed
relates to UICIRC-697 refactor psets away from backend ".al... Closed
relates to UICR-150 refactor psets away from backend ".al... Closed
relates to UIEH-1212 refactor psets away from backend ".al... Closed
relates to UIF-333 refactor psets away from backend ".al... Closed
relates to UIIN-1654 Missing permission - inventory.items.... Closed
relates to UIINREACH-182 Refactor psets to avoid '.all' permis... Closed
relates to UINOTES-113 refactor psets away from backend ".al... Closed
relates to UINV-308 refactor psets away from backend ".al... Closed
relates to UIOR-810 refactor psets away from backend ".al... Closed
relates to UIORGS-265 refactor psets away from backend ".al... Closed
relates to UIPBEX-26 refactor psets away from backend ".al... Closed
relates to UIREC-177 refactor psets away from backend ".al... Closed
relates to UITEN-187 refactor psets away from backend ".al... Closed
relates to ERM-1881 refactor psets away from backend ".al... Closed
relates to UIEUS-281 refactor psets away from backend ".al... Closed
Sprint:
Development Team: Stripes Force

Description

Summary: UI apps should avoid using .all permissions from backend modules.

Details: As noted in the permission set guidelines, .all permissions should only be included when absolutely necessary, and careless use of .all likely grants more permissions than are actually necessary.

Comments
Comment by Craig McNally [ 11/Jun/21 ]

Zak Burke do you think it's worth creating a Decision Log entry for this just as a reminder for all the tech leads?

Comment by Craig McNally [ 24/Sep/21 ]

Security team is bumping this... Ryan Berger / Zak Burke can you please raise this at the Stripes Architecture meeting to raise awareness, and possibly create concrete next steps (e.g. create JIRAs for specific ui modules)?

Looking at the related issues, it appears that it might be the case where most UI modules have already looked at this and made adjustments as needed.

Comment by Zak Burke [ 24/Sep/21 ]

I'm not sure we really need to raise awareness so much as just make the changes:

[13:48] platform-complete/node_modules/@folio(snapshot*) 
$ grep -r '.all' ./*/package.json | grep permissionName
./acquisition-units/package.json:        "permissionName": "ui-acquisition-units.settings.all",
./calendar/package.json:        "permissionName": "ui-calendar.all",
./checkin/package.json:        "permissionName": "ui-checkin.all",
./checkout/package.json:        "permissionName": "ui-checkout.all",
./circulation-log/package.json:        "permissionName": "ui-circulation-log.log-event.all",
./circulation/package.json:        "permissionName": "settings.loan-policies.all",
./circulation/package.json:        "permissionName": "settings.loan-rules.all",
./courses/package.json:        "permissionName": "ui-courses.all",
./courses/package.json:        "permissionName": "ui-courses.read-all",
./eholdings/package.json:        "permissionName": "ui-eholdings.settings.access-types.all",
./eholdings/package.json:        "permissionName": "ui-eholdings.settings.custom-labels.all",
./erm-usage/package.json:        "permissionName": "ui-erm-usage.all",
./erm-usage/package.json:        "permissionName": "ui-erm-usage-harvester.all",
./erm-usage/package.json:        "permissionName": "ui-erm-usage.harvester.all",
./export-manager/package.json:        "permissionName": "ui-export-manager.export-manager.all",
./finance/package.json:        "permissionName": "ui-finance.settings.all",
./finance/package.json:        "permissionName": "ui-finance.allocations.create",
./finance/package.json:        "permissionName": "ui-finance.manually-release-encumbrances",
./inventory/package.json:        "permissionName": "ui-inventory.all-permissions.TEMPORARY",
./inventory/package.json:        "permissionName": "ui-inventory.settings.call-number-types",
./invoice/package.json:        "permissionName": "ui-invoice.settings.all",
./orders/package.json:        "permissionName": "ui-orders.settings.all",
./plugin-bursar-export/package.json:        "permissionName": "ui-plugin-bursar-export.bursar-exports.all",
./quick-marc/package.json:        "permissionName": "ui-quick-marc.quick-marc-editor.all",
./quick-marc/package.json:        "permissionName": "ui-quick-marc.quick-marc-holdings-editor.all",
./requests/package.json:        "permissionName": "ui-requests.all",
./tags/package.json:        "permissionName": "ui-tags.all",
./users/package.json:        "permissionName": "ui-users.settings.feefines.all",
./users/package.json:        "permissionName": "ui-users.settings.customfields.all",
./users/package.json:        "permissionName": "ui-users.feesfines.actions.all",
./users/package.json:        "permissionName": "ui-users.loans.all",
./users/package.json:        "permissionName": "ui-users.requests.all",
./users/package.json:        "permissionName": "ui-users.settings.departments.all",

Do you want tickets per-package or per-pset, Craig McNally? Should I link them to this issue or create a UXPROD?

Comment by Zak Burke [ 24/Sep/21 ]

Sheesh, Zak Burke, read the ticket! The problem is .all from backend modules. Hang on, Craig McNally; lemme actually wrap my head around this.

Comment by Zak Burke [ 30/Sep/21 ]

OK, round two, counts of actual backend *.all permissions used in UI app psets:

platform-complete/node_modules/@folio(snapshot*)
$ grep -r '\.all' ./*/package.json | egrep -v 'permissionName|displayName|description' | cut -d: -f1 | sort | uniq -c
   2 ./acquisition-units/package.json
   1 ./agreements/package.json
   1 ./circulation/package.json
   2 ./courses/package.json
   1 ./eholdings/package.json
   3 ./erm-usage/package.json
   3 ./finance/package.json
   3 ./invoice/package.json
   5 ./notes/package.json
   4 ./orders/package.json
   1 ./organizations/package.json
   1 ./plugin-bursar-export/package.json
   1 ./receiving/package.json
   3 ./tenant-settings/package.json

It's mostly a mod-configuration problem:

platform-complete/node_modules/@folio(snapshot*)
$ grep -r '\.all' ./*/package.json | egrep -v 'permissionName|displayName|description' | cut -d\" -f2 | sort | uniq -c
   1 acquisitions-units.memberships.all
   1 acquisitions-units.units.all
   1 batch-groups.all
   1 batch-voucher.export-configurations.all
   8 configuration.all
   1 course-reserves-storage.all
   1 course-reserves.all
   1 data-export.config.all
   1 ermusageharvester.all
   1 eusage.all
   1 finance.allocations.item.post
   1 finance.expense-classes.all
   1 finance.fund-types.all
   1 kb-ebsco.kb-credentials.users.all
   1 note.types.allops
   4 notes.domain.all
   1 orders.configuration.prefixes.all
   1 orders.configuration.reasons-for-closure.all
   1 orders.configuration.suffixes.all
   1 organizations-storage.categories.all
   1 ui-erm-usage-harvester.all
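
The two grep pipelines above approximate one check: which UI psets pull a backend ".all" permission into their subPermissions. The same check, written as a small Node script, is an added example and is not code from the FOLIO project, from ESCONF-12 or from this thread. It assumes the `stripes.permissionSets` / `subPermissions` layout of a FOLIO UI module's package.json, uses constructed sample modules (names and permissions are illustrative), and its function names are my own. Unlike the substring grep, it anchors on the `.all` suffix, so names such as `note.types.allops` and `finance.allocations.item.post` (both listed by the grep above) are not counted, and it skips `ui-` prefixed names such as `ui-erm-usage-harvester.all`, which are UI psets rather than backend permissions.

```javascript
// Added example: flag FOLIO UI permission sets (psets) whose subPermissions
// include a backend "*.all" permission. Not the ESCONF-12 lint rule itself;
// the stripes.permissionSets layout is assumed and the sample input is constructed.
'use strict';

// FOLIO UI modules prefix their own psets with "ui-"; anything else is treated
// as a backend (module-provided) permission.
const UI_PREFIX = /^ui-/;
// Suffix-anchored, so "note.types.allops" or "finance.allocations.item.post"
// (which a plain '\.all' substring grep also lists) are not counted.
const ALL_SUFFIX = /\.all$/;

// Return every (pset, subPermission) pair where the subPermission is a backend
// ".all" permission. `pkg` is a parsed package.json object.
function findBackendAllPermissions(pkg) {
  const psets = (pkg.stripes && pkg.stripes.permissionSets) || [];
  const findings = [];
  for (const pset of psets) {
    for (const sub of pset.subPermissions || []) {
      if (ALL_SUFFIX.test(sub) && !UI_PREFIX.test(sub)) {
        findings.push({ pkg: pkg.name, pset: pset.permissionName, subPermission: sub });
      }
    }
  }
  return findings;
}

// Scan several parsed package.json objects at once (one per UI module).
function scanPackages(pkgs) {
  return pkgs.flatMap(findBackendAllPermissions);
}

// Tally findings per backend permission, like the second pipeline above
// (cut -d\" -f2 | sort | uniq -c) but restricted to true ".all" names.
function countBySubPermission(findings) {
  const counts = {};
  for (const f of findings) {
    counts[f.subPermission] = (counts[f.subPermission] || 0) + 1;
  }
  return counts;
}

// Constructed sample modules; the module names and permissions are invented
// for this example and do not describe any real FOLIO module.
const SAMPLE_PACKAGES = [
  {
    name: '@folio/example-a',
    stripes: {
      permissionSets: [
        { permissionName: 'ui-example-a.settings.all',
          subPermissions: ['configuration.all', 'ui-example-a.view'] },
        { permissionName: 'ui-example-a.notes.manage',
          subPermissions: ['notes.domain.all', 'note.types.allops', 'notes.item.get'] },
      ],
    },
  },
  {
    name: '@folio/example-b',
    stripes: {
      permissionSets: [
        { permissionName: 'ui-example-b.all',
          subPermissions: ['configuration.all', 'finance.allocations.item.post', 'ui-example-b.view'] },
      ],
    },
  },
];

// Report one line per finding, then the per-permission tally.
const SAMPLE_FINDINGS = scanPackages(SAMPLE_PACKAGES);
for (const f of SAMPLE_FINDINGS) {
  console.log(`${f.pkg}: ${f.pset} -> ${f.subPermission}`);
}
console.log(countBySubPermission(SAMPLE_FINDINGS));
```

To run it over a real platform checkout, replace `SAMPLE_PACKAGES` with the result of reading and `JSON.parse`-ing each `node_modules/@folio/*/package.json`; a CI wrapper would exit non-zero when `scanPackages` returns anything, which is the gating behaviour ESCONF-12 asks for.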

Comment by Craig McNally [ 03/Feb/22 ]

The security team reviewed this again - it looks like many of the stories have been completed already. However, in some cases the child stories have been assigned a low priority (e.g. p4). We may want to update that, or contact the relevant POs/SMs and discuss.

There's also a story to create a lint rule that would fail PR checks if these permissions are used.  We pinged the PO of the stripes force team asking about a timeline for that work.

Comment by Craig McNally [ 16/Jun/22 ]

Khalilah Gambrell / Zak Burke any update on when https://folio-org.atlassian.net/browse/ESCONF-12 might be pulled and completed?

Comment by Khalilah Gambrell [ 18/Jun/22 ]

Craig McNally - Ryan has commented on the story. There are two remaining modules I believe but we may need to double check since we have had some new modules since this issue was created.

  • ui-courses = There is no development team to do this work
  • ui-innreach = I just created a story.
Generated at Thu Feb 08 23:26:20 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.