restrict administration tab #242
Conversation
| shinyjs::hide(selector = ".sidebar-menu") | ||
| shinyjs::hide(selector = "a[data-value='tab_administrator']") |
There was a problem hiding this comment.
I've been using shinyjs hide and show functions to manage when tabs are visible to the user. Through some googling it was brought to my attention that this isn't a very secure method. A user can easily bypass the hidden tab (see for more info).
I'm not really too worried about users "breaking in" to the data flow manifest, but there is a solution if we wanted to make this more secure. For example, using shinyjs::renderMenu() to dynamically render the menu rather than just hiding the tab.
I didn't come across this problem/solution until after implementing the hide/show method. So I figured it was worth putting it up to review to determine if this extra step is necessary.
Curious what you think @afwillia @milen-sage @mialy-defelice
|
Thanks for flagging this @lakikowolfe ! Could you start a Jira issue? We can prioritize (I don't think it needs to block work now, but we can decide whether we want to address before going to production). |
| # show admin tab if user has ADMIN access to data flow manifest | ||
| manifest_admin_perm <- dfamodules::synapse_access( | ||
| id = selected_dcc_config()$dcc$manifest_dataset_id, | ||
| access = "CHANGE_PERMISSIONS", |
There was a problem hiding this comment.
Confirmed with Jay that using CHANGE_PERMISSIONS would reliably identify who is an administrator
Restrict administration tab to Data Flow App users who do not have administration access to the synapse folder holding the data flow manifest.