app/routes/crate/settings: hide the settings page for non-owners #10792
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The backend controllers all have appropriate permission checks, so there's no actual security issue here, but there's no reason for us to even show this page to someone who doesn't own a crate.
Turbo87
approved these changes
Mar 10, 2025
Member
Turbo87
left a comment
Turbo87
left a comment
There was a problem hiding this comment.
I've been aware of this for a while but figured that since the frontend doesn't actually know whether the user is a team owner, it's fine. But then again, it doesn't make much sense to use different logic for showing the tab and allowing the user to visit the page.
tl;dr LGTM :D
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
@technetos pinged me via DM on this just in case it was a security issue. It wasn't, since the backend controllers all have appropriate permission checks, but there's no reason for us to even show this page to someone who doesn't own a crate.
I implemented some quick regression tests for the authentication side of the frontend controller based on the delete crate tests, but not a full set of tests for the page. It's Sunday night.