feat: Pass the set of roles the user has to triggers and cloud functions #9299
Conversation
Thanks for opening this pull request! |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## alpha #9299 +/- ##
=======================================
Coverage 93.49% 93.49%
=======================================
Files 186 186
Lines 14807 14810 +3
=======================================
+ Hits 13844 13847 +3
Misses 963 963 ☔ View full report in Codecov by Sentry. |
|
Done @mtrezza |
|
Please rebase the PR; you disabled repo owner permission to do so, so every time there is a merge in the base branch, you'd need to update yourself to make sure the CI still passes. |
|
Done @mtrezza No idea about the repo owner permission. Didn't change anything myself. |
There is a checkbox for this in your PR on the right side, but mind the note about secrets: 
|
|
Are the roles already fetched somewhere from the cache during the auth process? If so, we may be able to use them and set them on the The obj structure seems strange in general. The roles are related to the user and we already expose the user in the |
They seem to be fetched for trigger calls, there we can have synchronous access to the set of roles. For cloud function calls, they are not. But even for trigger calls, I don't think it is sound architecture to give synchronous access to the set of roles to triggers, as Parse might change under which conditions it fetches the set of roles in the future. Then, supplying an async function is more future-proof.
We could do that, given that currently there is currently no helper to get the set of roles a user has. Note, however, that this patch reads the set of roles from the auth object, and the lifetime of that is limited to that of the request, by design. Caching roles any longer would involve tradeoffs around staleness of data. |
|
Maybe adding this to the I think this method needs clarification in the docs that this is cached. And what level of nested roles it returns. For example, for the following relations:
|
Co-authored-by: Manuel <[email protected]> Signed-off-by: Kartal Kaan Bozdoğan <[email protected]>
Co-authored-by: Manuel <[email protected]> Signed-off-by: Kartal Kaan Bozdoğan <[email protected]>
mstniy
force-pushed
the
cloud_getroles_mr
branch
from
7f7d5e5
to
2317a95
Compare
Done |
It is recursive, as the Parse cache is, so it would return both. I added this case to the tests. |
| * @example | ||
| * stripACLRolePrefix("role:myrole") // Returns "myrole" | ||
| */ | ||
| static stripACLRolePrefix(entry) { |
There was a problem hiding this comment.
Apologies if my earlier comment wasn't clear. I meant to add a method getUserRoleIds() to where getUserRoles() currently is.
Pull Request
Issue
Closes: #9298
Approach
Expose a field
getRolesto cloud functions and triggers if the caller is a user. The field, if it exists, is an async function that resolves to a list of strings, which is the set of roles the user has.The exposed function uses Parse's internal cache of user roles, if it is populated. Otherwise, it queries the set of roles and populates the cache before returning them.
Tasks