AB#129134 use-user-context-in-permissions #1227
Open
GhaziAlibi wants to merge 3 commits into next from
Pull request overview
This PR extends role/resource access filtering to support comparing $attribute.* values against typed literal values (in addition to comparing against another record field), and ensures backend permission filters evaluate these comparisons using the current user’s attributes.
Changes:
- Added backend support for literal comparisons (including text operators) on `$attribute.*` filters by pre-evaluating them into match-all / match-none Mongo predicates.
- Updated permission-filter generation to pass the current `user` into `getFilter` so attribute filters can be resolved.
- Added unit tests covering attribute-to-field vs attribute-to-literal behavior in `getFormPermissionFilter`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `src/utils/schema/resolvers/Query/getFilter.ts` | Adds literal attribute evaluation and routes attribute filters to either literal evaluation or record-field comparison. |
| `src/utils/filter/getFormPermissionFilter.ts` | Passes user into getFilter context so $attribute.* filters can resolve against current user attributes. |
| `__tests__/unit-tests/utils/filter/getFormPermissionFilter.spec.ts` | Adds unit tests for attribute filter behavior (field vs literal, match-all/match-none outcomes). |
Description
This PR adds support for literal values in role resource access filters.
For attribute filters, eq and neq can now compare either to another field or to a typed value. Text operators like contains, starts with, and ends with also work with attribute filters. On the backend, permission filters now correctly handle these literal attribute comparisons using the current user’s attributes.
Type of change
How Has This Been Tested?
Ran frontend checks with eslint and tsc --noEmit, and ran the backend unit test tests/unit-tests/utils/filter/getFormPermissionFilter.spec.ts.
Verified manually in Back Office -> Settings -> Roles -> Resources that attribute filters can switch between Field and Value, save correctly, and enforce access as expected.
Screenshots
Checklist:
( * == Mandatory )
More explanation
https://www.loom.com/share/05a716d61b9744faaf51fb304c21d1e5?sid=f87cf896-582a-4f76-93ae-8ceed801b145
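
The pre-evaluation the description refers to, as an added sketch that is not code from this PR or the project: a `$attribute.*` comparison against a literal involves no record field, so it can be decided once from the current user's attributes and collapsed into a match-all or match-none predicate. The function, type and operator spellings, the two predicate shapes, and the comparison by string form are all assumptions of this example.

```typescript
// Added illustration, not code from the PR. Names and predicate shapes are assumptions.
type Operator = 'eq' | 'neq' | 'contains' | 'startswith' | 'endswith';
interface AttributeFilter { field: string; operator: Operator; value: string | number | boolean }
interface User { attributes?: Record<string, unknown> }
type Predicate = Record<string, unknown>;

// Assumed shapes: {} matches every MongoDB document; no stored document lacks _id.
const MATCH_ALL: Predicate = {};
const MATCH_NONE: Predicate = { _id: { $exists: false } };
const ATTRIBUTE_PREFIX = '$attribute.';

function evaluateLiteralAttributeFilter(filter: AttributeFilter, user?: User): Predicate {
  if (filter.field.indexOf(ATTRIBUTE_PREFIX) !== 0) {
    throw new Error(`not an attribute filter: ${filter.field}`);
  }
  const name = filter.field.slice(ATTRIBUTE_PREFIX.length);
  const attributes: Record<string, unknown> = user?.attributes ?? {};
  // Own-property lookup, so a name like "constructor" never resolves via the prototype.
  const actual = Object.prototype.hasOwnProperty.call(attributes, name)
    ? attributes[name]
    : undefined;
  // Fail closed: no user or no such attribute grants nothing, even for neq.
  if (actual === undefined || actual === null) return MATCH_NONE;

  const left = String(actual);
  const right = String(filter.value); // simplification: compare string forms
  let matched: boolean;
  switch (filter.operator) {
    case 'eq': matched = left === right; break;
    case 'neq': matched = left !== right; break;
    case 'contains': matched = left.indexOf(right) !== -1; break;
    case 'startswith': matched = left.slice(0, right.length) === right; break;
    case 'endswith': matched = right.length <= left.length && left.slice(left.length - right.length) === right; break;
    default: return MATCH_NONE; // unknown operator: deny
  }
  return matched ? MATCH_ALL : MATCH_NONE;
}

// Constructed sample user and filters.
const sampleUser: User = { attributes: { region: 'EMEA-West' } };
const allowed = evaluateLiteralAttributeFilter(
  { field: '$attribute.region', operator: 'startswith', value: 'EMEA' }, sampleUser);
const denied = evaluateLiteralAttributeFilter(
  { field: '$attribute.department', operator: 'neq', value: 'HR' }, sampleUser);
console.log(allowed === MATCH_ALL, denied === MATCH_NONE);
```

The `neq` case on a missing attribute is the one worth a dedicated test: a naive "undefined is not equal to 'HR'" evaluation would turn an absent attribute into match-all.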