Mirrors/unleash.unleash
1
0
Fork 0
mirror of https://github.com/Unleash/unleash.git synced 2025-10-27 11:02:16 +01:00
Code Issues Projects Releases Wiki Activity
64c1527213
unleash.unleash/src/lib/middleware
History
Nuno Góis 7e9069e390
refactor: token permissions, drop admin-like permissions (#4050) 
https://linear.app/unleash/issue/2-1155/refactor-permissions

- Our `rbac-middleware` now supports multiple OR permissions;
- Drops non-specific permissions (e.g. CRUD API token permissions
without specifying the token type);
- Makes our permission descriptions consistent;
- Drops our higher-level permissions that basically mean ADMIN (e.g.
ADMIN token permissions) in favor of `ADMIN` permission in order to
avoid privilege escalations;

This PR may help with
https://linear.app/unleash/issue/2-1144/discover-potential-privilege-escalations
as it may prevent privilege escalations altogether.

There's some UI permission logic around this, but in the future
https://linear.app/unleash/issue/2-1156/adapt-api-tokens-creation-ui-to-new-permissions
could take it a bit further by adapting the creation of tokens as well.

---------

Co-authored-by: Gastón Fournier <gaston@getunleash.io>
2023-06-22 08:35:54 +01:00
..
api-token-middleware.test.ts chore: deprecate username on api-tokens (#3616) 2023-05-04 09:56:00 +02:00
api-token-middleware.ts fix: reject unauthorized client requests (#3881) 2023-05-27 16:29:54 +02:00
authorization-middleware.ts Clean up old errors (#3633) 2023-05-11 11:10:57 +02:00
catch-all-error-handler.ts fix: 4 param error handler (#3520) 2023-04-14 08:59:27 +02:00
conditional-middleware.ts fix: refactor conditional middleware (#2261) 2022-10-26 13:00:49 +02:00
content_type_checker.test.ts feat: unify error responses (#3607) 2023-04-25 13:40:46 +00:00
content_type_checker.ts Clean up old errors (#3633) 2023-05-11 11:10:57 +02:00
cors-origin-middleware.test.ts Fix/remove settings cache (#2694) 2022-12-14 17:35:22 +01:00
cors-origin-middleware.ts Fix/remove settings cache (#2694) 2022-12-14 17:35:22 +01:00
demo-authentication.ts chore: deprecate username on api-tokens (#3616) 2023-05-04 09:56:00 +02:00
index.ts Define exports for enterprise (#2435) 2022-11-17 13:02:40 +02:00
maintenance-middleware.ts Maintenance mode for users (#2716) 2022-12-21 13:23:44 +02:00
no-authentication.test.ts fix: Controller wraps handler with try/catch (#909) 2021-08-13 10:36:19 +02:00
no-authentication.ts refactor: replace ts-ignore with ts-expect-error (#1675) 2022-06-07 11:49:17 +02:00
oss-authentication.test.ts feat: authorization middleware (#3464) 2023-04-06 11:46:54 +02:00
oss-authentication.ts feat: authorization middleware (#3464) 2023-04-06 11:46:54 +02:00
pat-middleware.test.ts fix: log missing user at warn level (#3735) 2023-05-10 13:31:42 +02:00
pat-middleware.ts fix: log missing user at warn level (#3735) 2023-05-10 13:31:42 +02:00
rbac-middleware.test.ts refactor: token permissions, drop admin-like permissions (#4050) 2023-06-22 08:35:54 +01:00
rbac-middleware.ts refactor: token permissions, drop admin-like permissions (#4050) 2023-06-22 08:35:54 +01:00
request-logger.ts fix: Stores as typescript and with interfaces. (#902) 2021-08-12 15:04:37 +02:00
response-time-metrics.ts chore: GA responseTimeWithAppNames (#3178) 2023-02-22 09:10:06 +00:00
secure-headers.ts feat: add plausible as connect src (#3619) 2023-04-25 14:24:54 +03:00
session-db.ts feat: authorization middleware (#3464) 2023-04-06 11:46:54 +02:00
unless-middleware.ts upload limit and import ui tweaks (#2998) 2023-01-26 12:36:45 +01:00