Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

restrict administration tab #242

Merged
merged 3 commits into from
Apr 1, 2024
Merged

restrict administration tab #242

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
993afca
restrict administration tab
lakikowolfe Mar 21, 2024
d489f14
add back in reactiveVal needed for administrator
lakikowolfe Mar 22, 2024
44c5ee3
remove fds* branch name from action trigger
lakikowolfe Mar 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion .github/workflows/shinyapps_deploy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ on:
branches:
- main
- dev*
- fds*
tags:
- v[0-9]+.[0-9]+.[0-9]+

Expand Down
44 changes: 31 additions & 13 deletions R/app_server.R
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,15 +30,18 @@ app_server <- function( input, output, session ) {
httr::authenticate(app$key, app$secret, type = "basic"),
config = list()
)
# Stop the code if anything other than 2XX status code is returned

# Stop the code if anything other than 2XX status code is returned
httr::stop_for_status(req, task = "get an access token")
token_response <- httr::content(req, type = NULL)
access_token <- token_response$access_token

session$userData$access_token <- access_token

# hide things
# sidebar
shinyjs::hide(selector = ".sidebar-menu")
shinyjs::hide(selector = "a[data-value='tab_administrator']")
Copy link
Collaborator Author

@lakikowolfe lakikowolfe Mar 22, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've been using shinyjs hide and show functions to manage when tabs are visible to the user. Through some googling it was brought to my attention that this isn't a very secure method. A user can easily bypass the hidden tab (see for more info).

I'm not really too worried about users "breaking in" to the data flow manifest, but there is a solution if we wanted to make this more secure. For example, using shinyjs::renderMenu() to dynamically render the menu rather than just hiding the tab.

I didn't come across this problem/solution until after implementing the hide/show method. So I figured it was worth putting it up to review to determine if this extra step is necessary.

Curious what you think @afwillia @milen-sage @mialy-defelice


# SET UP REACTIVE VALUES ###################################################

Expand Down Expand Up @@ -72,6 +75,18 @@ app_server <- function( input, output, session ) {
# CONFIGURE APP ############################################################
observeEvent(mod_select_dcc_out()$btn_click, {

# update reactiveVals
# FIXME: redundant (could get rid of selected_dcc_config_list)
selected_dcc_config_list$synapse_asset_view(
mod_select_dcc_out()$selected_dcc_config$dcc$synapse_asset_view
)
selected_dcc_config_list$manifest_dataset_id(
mod_select_dcc_out()$selected_dcc_config$dcc$manifest_dataset_id
)
selected_dcc_config_list$schema_url(
mod_select_dcc_out()$selected_dcc_config$dcc$data_model_url
)

selected_dcc_config(mod_select_dcc_out()$selected_dcc_config)

# move to dashboard page
Expand All @@ -89,28 +104,31 @@ app_server <- function( input, output, session ) {
color="#424874"
)

# show sidebar tabs
# show sidebar menu
shinyjs::show(selector = ".sidebar-menu")

# update reactiveVals
selected_dcc_config_list$synapse_asset_view(
mod_select_dcc_out()$selected_dcc_config$dcc$synapse_asset_view
)
selected_dcc_config_list$manifest_dataset_id(
mod_select_dcc_out()$selected_dcc_config$dcc$manifest_dataset_id
)
selected_dcc_config_list$schema_url(
mod_select_dcc_out()$selected_dcc_config$dcc$data_model_url
# check user's access
# show admin tab if user has ADMIN access to data flow manifest
manifest_admin_perm <- dfamodules::synapse_access(
id = selected_dcc_config()$dcc$manifest_dataset_id,
access = "CHANGE_PERMISSIONS",
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed with Jay that using CHANGE_PERMISSIONS would reliably identify who is an administrator

auth = access_token
)

if (isTRUE(manifest_admin_perm)) {
shinyjs::show(selector = "a[data-value='tab_administrator']")
} else {
shinyjs::hide(selector = "a[data-value='tab_administrator']")
}

# Check that user has appropriate permissions to use DFA
# User must have DOWNLOAD access to the DFA manifest.
manifest_perm <- dfamodules::synapse_access(
manifest_download_perm <- dfamodules::synapse_access(
id = selected_dcc_config()$dcc$manifest_dataset_id,
access = "DOWNLOAD",
auth = access_token
)
if (!isTRUE(manifest_perm)) {
if (!isTRUE(manifest_download_perm)) {
shinypop::nx_report_error(
title = "Permission error",
message = tagList(
Expand Down