CV2-6604: Remove global keys permission #2379
Conversation
melsawy
changed the title
caiosba
left a comment
caiosba
left a comment
There was a problem hiding this comment.
Sawy, to be extra safe, I think we should make the team_id column on ApiKey mandatory. This should simplify the implementation since you won’t need to filter by non-null team IDs, and it also avoids the risk of forgetting to update that logic somewhere. Of course, you’ll need to run the rake task before deploying the code change; otherwise, the database migration will fail. Also, please rebase the PR since you already handled the last activity part in another PR.
@caiosba for now I added a validation inside the model ApiKey so I can deploy and run the rake task and after deploying this PR I'll make the team_id column mandatory |
|
Thanks, I think it's better. |
caiosba
left a comment
caiosba
left a comment
There was a problem hiding this comment.
Sawy, so now that the other PR contains only the rake task, you still need to update this one to remove the rake task and to make team_id mandatory, right?
Right |
| bot = BotUser.find_by_login(login) || BotUser.create!(team_author_id: team.id, login: login, name: login.capitalize, settings: { approved: true }) | ||
| team_user = bot.team_users.first |
There was a problem hiding this comment.
Did you run Check Web integration tests after this change?
app/models/ability.rb
Outdated
| private | ||
|
|
||
| def api_key_perms | ||
| can :read, :all |
There was a problem hiding this comment.
Blocker: This means any API key can read anything in any team. Other than trying to fix this rule, I think it's safer to just delete this line.
| # @b.api_key = @a | ||
| # @b.save! |
There was a problem hiding this comment.
Can't you just delete these lines?
Description
Check existing API keys and limit the usage of global keys.
References: CV2-6604
How to test?
For both cases I used graphql UI to run different quires
Checklist