[FOLIO-3198] UI apps should avoid using ".all" permissions Created: 11/Jun/21 Updated: 06/Oct/22 Resolved: 06/Oct/22
| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Task | Priority: | P2 |
| Reporter: | Zak Burke | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | security, security-reviewed | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original estimate: | Not Specified | ||
| Issue links: | |
| Sprint: | |
| Development Team: | Stripes Force |
| Description |

Summary: UI apps should avoid using .all permissions from backend modules.

Details: As noted in the permission set guidelines, .all permissions should only be included when absolutely necessary; careless use of .all likely grants more permissions than are actually necessary. A backend module's .all set expands to every permission that module defines, so a UI permission set that lists it as a subPermission inherits all of them, including operations the UI never calls.
| Comments |
| Comment by Craig McNally [ 11/Jun/21 ] |
|
Zak Burke do you think it's worth creating a Decision Log entry for this just as a reminder for all the tech leads? |
| Comment by Craig McNally [ 24/Sep/21 ] |
|
Security team is bumping this... Ryan Berger / Zak Burke can you please raise this at the Stripes Architecture meeting to raise awareness, and possibly create concrete next steps (e.g. create JIRAs for specific ui modules)? Looking at the related issues, it appears that it might be the case where most UI modules have already looked at this and made adjustments as needed. |
| Comment by Zak Burke [ 24/Sep/21 ] |
|
[13:48] platform-complete/node_modules/@folio(snapshot*) $ grep -r '.all' ./*/package.json | grep permissionName
./acquisition-units/package.json: "permissionName": "ui-acquisition-units.settings.all",
./calendar/package.json: "permissionName": "ui-calendar.all",
./checkin/package.json: "permissionName": "ui-checkin.all",
./checkout/package.json: "permissionName": "ui-checkout.all",
./circulation-log/package.json: "permissionName": "ui-circulation-log.log-event.all",
./circulation/package.json: "permissionName": "settings.loan-policies.all",
./circulation/package.json: "permissionName": "settings.loan-rules.all",
./courses/package.json: "permissionName": "ui-courses.all",
./courses/package.json: "permissionName": "ui-courses.read-all",
./eholdings/package.json: "permissionName": "ui-eholdings.settings.access-types.all",
./eholdings/package.json: "permissionName": "ui-eholdings.settings.custom-labels.all",
./erm-usage/package.json: "permissionName": "ui-erm-usage.all",
./erm-usage/package.json: "permissionName": "ui-erm-usage-harvester.all",
./erm-usage/package.json: "permissionName": "ui-erm-usage.harvester.all",
./export-manager/package.json: "permissionName": "ui-export-manager.export-manager.all",
./finance/package.json: "permissionName": "ui-finance.settings.all",
./finance/package.json: "permissionName": "ui-finance.allocations.create",
./finance/package.json: "permissionName": "ui-finance.manually-release-encumbrances",
./inventory/package.json: "permissionName": "ui-inventory.all-permissions.TEMPORARY",
./inventory/package.json: "permissionName": "ui-inventory.settings.call-number-types",
./invoice/package.json: "permissionName": "ui-invoice.settings.all",
./orders/package.json: "permissionName": "ui-orders.settings.all",
./plugin-bursar-export/package.json: "permissionName": "ui-plugin-bursar-export.bursar-exports.all",
./quick-marc/package.json: "permissionName": "ui-quick-marc.quick-marc-editor.all",
./quick-marc/package.json: "permissionName": "ui-quick-marc.quick-marc-holdings-editor.all",
./requests/package.json: "permissionName": "ui-requests.all",
./tags/package.json: "permissionName": "ui-tags.all",
./users/package.json: "permissionName": "ui-users.settings.feefines.all",
./users/package.json: "permissionName": "ui-users.settings.customfields.all",
./users/package.json: "permissionName": "ui-users.feesfines.actions.all",
./users/package.json: "permissionName": "ui-users.loans.all",
./users/package.json: "permissionName": "ui-users.requests.all",
./users/package.json: "permissionName": "ui-users.settings.departments.all",

Do you want tickets per-package or per-pset, Craig McNally? Should I link them to this issue or create a UXPROD?
| Comment by Zak Burke [ 24/Sep/21 ] |
|
Sheesh, Zak Burke, read the ticket! The problem is .all from backend modules. Hang on, Craig McNally; lemme actually wrap my head around this. |
| Comment by Zak Burke [ 30/Sep/21 ] |
|
OK, round two, counts of actual backend *.all permissions used in UI app psets:

platform-complete/node_modules/@folio(snapshot*) $ grep -r '\.all' ./*/package.json | egrep -v 'permissionName|displayName|description' | cut -d: -f1 | sort | uniq -c
      2 ./acquisition-units/package.json
      1 ./agreements/package.json
      1 ./circulation/package.json
      2 ./courses/package.json
      1 ./eholdings/package.json
      3 ./erm-usage/package.json
      3 ./finance/package.json
      3 ./invoice/package.json
      5 ./notes/package.json
      4 ./orders/package.json
      1 ./organizations/package.json
      1 ./plugin-bursar-export/package.json
      1 ./receiving/package.json
      3 ./tenant-settings/package.json

It's mostly a mod-configuration problem:

platform-complete/node_modules/@folio(snapshot*) $ grep -r '\.all' ./*/package.json | egrep -v 'permissionName|displayName|description' | cut -d\" -f2 | sort | uniq -c
      1 acquisitions-units.memberships.all
      1 acquisitions-units.units.all
      1 batch-groups.all
      1 batch-voucher.export-configurations.all
      8 configuration.all
      1 course-reserves-storage.all
      1 course-reserves.all
      1 data-export.config.all
      1 ermusageharvester.all
      1 eusage.all
      1 finance.allocations.item.post
      1 finance.expense-classes.all
      1 finance.fund-types.all
      1 kb-ebsco.kb-credentials.users.all
      1 note.types.allops
      4 notes.domain.all
      1 orders.configuration.prefixes.all
      1 orders.configuration.reasons-for-closure.all
      1 orders.configuration.suffixes.all
      1 organizations-storage.categories.all
      1 ui-erm-usage-harvester.all
| Comment by Craig McNally [ 03/Feb/22 ] |
|
The security team reviewed this again - it looks like many of the stories have been completed already. However, in some cases the child stories have been assigned a low priority (e.g. p4). We may want to update that, or contact the relevant POs/SMs and discuss. There's also a story to create a lint rule that would fail PR checks if these permissions are used. We pinged the PO of the stripes force team asking about a timeline for that work.
| Comment by Craig McNally [ 16/Jun/22 ] |
|
Khalilah Gambrell / Zak Burke any update on when https://folio-org.atlassian.net/browse/ESCONF-12 might be pulled and completed? |
| Comment by Khalilah Gambrell [ 18/Jun/22 ] |
|
Craig McNally - Ryan has commented on the story. There are two remaining modules I believe but we may need to double check since we have had some new modules since this issue was created.