add readonly guard to new routes #665
Pull Request Overview
This PR enforces a read-only mode guard across new write routes and cleans up related authentication code, while also introducing a demo login prompt in the client and updating environment hints.
- Add ReadonlyGuard to all write endpoints in users, tokens, roles, and groups controllers
- Deprecate and update ReadonlyGuard behavior; remove legacy RBAC bypass logic in JWT and permissions guards
- Update .env.template comments and enhance login prompt with demo credentials
Reviewed Changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| server/src/users/users.controller.ts | Imported and applied ReadonlyGuard to write routes |
| server/src/token/token.controller.ts | Imported and applied ReadonlyGuard to write routes |
| server/src/roles/roles.controller.ts | Imported and applied ReadonlyGuard to write routes |
| server/src/groups/groups.controller.ts | Imported and applied ReadonlyGuard to write routes |
| server/src/common/guards/readonly.guard.ts | Marked ReadonlyGuard as deprecated and added additional warning message |
| server/src/auth/strategies/jwt.guard.ts | Commented out legacy RBAC skip logic |
| server/src/auth/permissions.guard.ts | Commented out legacy RBAC skip logic |
| server/.env.template | Clarified KUBERO_PROMETHEUS_ENDPOINT settings for local development |
| client/src/components/loginprompt.vue | Added demo domain alert and auto-filled demo credentials |
| server/src/deployments/deployments.service.spec.ts.old | Added legacy test file still suffixed .old |
Comments suppressed due to low confidence (4)
server/src/common/guards/readonly.guard.ts:21
- HTTP 202 (Accepted) is not typically used for blocking requests; consider returning 403 Forbidden to indicate the operation is disallowed.
throw new HttpException('Kubero is in read-only mode', 202);
server/src/deployments/deployments.service.spec.ts.old:1
- This test file ends with .spec.ts.old, which may prevent it from running; consider renaming or removing the legacy .old suffix.
import { Test, TestingModule } from '@nestjs/testing';
server/.env.template:33
- The URL is missing a slash after "http:"; it should be "http://127.0.0.1:8080".
KUBERO_PROMETHEUS_ENDPOINT=http:/127.0.0.1:8080 # for local development
client/src/components/loginprompt.vue:129
- [nitpick] Computed properties should be pure and without side effects; moving assignment logic into a watcher or lifecycle hook would be more maintainable.
this.username = 'demo';
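The read-only guard and the 202-versus-403 point above, as an added example that is not Kubero's code: a stand-alone TypeScript model of a NestJS-style CanActivate guard, written without importing @nestjs/common so it runs on its own. Unlike the PR, which decorates each write route individually, this version decides by HTTP method, so a write route added later cannot be forgotten. The KUBERO_READONLY variable name, the HttpException stand-in and the dispatch helper are assumptions of the example.

```typescript
// Added example (not Kubero's code): a stand-alone model of a NestJS-style
// CanActivate guard for a read-only mode. No @nestjs/common import on purpose.

type HttpMethod = 'GET' | 'HEAD' | 'OPTIONS' | 'POST' | 'PUT' | 'PATCH' | 'DELETE';

interface GuardRequest {
  method: HttpMethod;
  path: string;
}

// Minimal stand-in for NestJS's HttpException: a message plus a status code.
class HttpException extends Error {
  status: number;
  constructor(message: string, status: number) {
    super(message);
    this.status = status;
  }
}

// RFC 9110 "safe" methods must not mutate state. Everything else is a write
// and is refused while read-only mode is on, whichever controller it lives in.
const SAFE_METHODS: ReadonlySet<string> = new Set(['GET', 'HEAD', 'OPTIONS']);

// Strict parse of the flag. KUBERO_READONLY is an assumed name for this example.
// Only explicit truthy spellings enable the mode; unset, "false", "0" or garbage
// leave writes enabled, so a typo cannot silently lock the instance.
function isReadonlyMode(env: Record<string, string | undefined>): boolean {
  const v = (env.KUBERO_READONLY ?? '').trim().toLowerCase();
  return v === 'true' || v === '1' || v === 'yes';
}

class ReadonlyGuard {
  private readonly readonlyMode: () => boolean;
  constructor(readonlyMode: () => boolean) {
    this.readonlyMode = readonlyMode;
  }
  // Mirrors CanActivate.canActivate: true lets the handler run, a throw rejects.
  canActivate(req: GuardRequest): boolean {
    if (!this.readonlyMode()) return true;
    if (SAFE_METHODS.has(req.method)) return true;
    // 403, not 202: 202 is a 2xx success code, so a client that checks
    // response.ok would conclude its write had been accepted.
    throw new HttpException('Kubero is in read-only mode', 403);
  }
}

// Turns the guard decision into an HTTP status the way the framework's
// exception filter would, so the outcome can be asserted on.
function dispatch(guard: ReadonlyGuard, req: GuardRequest): { status: number; body: string } {
  try {
    guard.canActivate(req);
    return { status: 200, body: 'handled ' + req.method + ' ' + req.path };
  } catch (e) {
    if (e instanceof HttpException) return { status: e.status, body: e.message };
    throw e;
  }
}

// What a typical HTTP client does with a status: anything in 2xx is success.
function clientTreatsAsSuccess(status: number): boolean {
  return status >= 200 && status < 300;
}
```

Registering a guard like this globally (APP_GUARD in NestJS) covers every controller at once; per-route decoration, as in this PR, depends on each new write route remembering to opt in.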
| /* Disabling for RBAC | ||
| if ( | ||
| !process.env.KUBERO_USERS && | ||
| !process.env.GITHUB_CLIENT_SECRET && | ||
| !process.env.OAUTH2_CLIENT_SECRET | ||
| ) { | ||
| return true; | ||
| } | ||
| */ |
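Review bot: The commented-out branch in this hunk was a fail-open default: with none of KUBERO_USERS, GITHUB_CLIENT_SECRET and OAUTH2_CLIENT_SECRET set, `return true;` let every request through the guard, so an instance started without any auth backend configured was fully unauthenticated. Disabling it is right, but delete the block instead of leaving it inside `/* Disabling for RBAC ... */`; a comment is one uncomment away from restoring the bypass and records nothing about why it was removed. Pin the new behaviour with a test that runs the guard with those three variables unset and asserts the request is rejected.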
Copilot
AI
Jul 15, 2025
[nitpick] Rather than leaving large commented-out blocks, consider removing this legacy code to keep the guard implementation clean.
| /* Disabling for RBAC | |
| if ( | |
| !process.env.KUBERO_USERS && | |
| !process.env.GITHUB_CLIENT_SECRET && | |
| !process.env.OAUTH2_CLIENT_SECRET | |
| ) { | |
| return true; | |
| } | |
| */ | |
| // Removed legacy code for RBAC disabling. |
| /* Disabling for RBAC | ||
| if ( | ||
| !process.env.KUBERO_USERS && | ||
| !process.env.GITHUB_CLIENT_SECRET && | ||
| !process.env.OAUTH2_CLIENT_SECRET | ||
| ) { | ||
| return true; | ||
| } | ||
| */ | ||
|
|
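Review bot: This is the same fail-open block mirrored in the second guard, keyed on exactly the same three environment variables. Drop both copies together, and move the "is any auth backend configured" decision out of the guards into one place, such as a startup check that refuses to boot when neither KUBERO_USERS nor an OAuth client secret is set, so the question is answered once rather than duplicated in each guard, even as a comment.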
Copilot
AI
Jul 15, 2025
[nitpick] This commented-out RBAC fallback adds noise; removing deprecated logic would improve readability.
| /* Disabling for RBAC | |
| if ( | |
| !process.env.KUBERO_USERS && | |
| !process.env.GITHUB_CLIENT_SECRET && | |
| !process.env.OAUTH2_CLIENT_SECRET | |
| ) { | |
| return true; | |
| } | |
| */ |
…reader' as the username and '123456' as the password for demo domain access.
Description
Fixes # (issue)
Type of change
How Has This Been Tested?
Test Configuration:
Checklist: