Implement safety-net when saving or deleting a homebox

Created on 8 April 2024, 3 months ago

Updated 11 April 2024, 3 months ago

Homebox is quite complex due to the many levels of permissions and especially cloning of the presets to instances.

To ensure nothing really bad can happen finally, we should implement a safety-net in

In these, I'd say we should implement Exception-driven permission checks, for example:

If preset, it should only be saved / deleted, if the user has the appropriate PRESET permission (administer presets)
If instance and not owned by the user, should only be saved / deleted, if the user has the appropriate ANY permission (or bypass homebox access control?)

This might not be perfect architecture, but should be seen as "last resource ass-saver" ;) ;D (sorry) if all other hurdles should break.

Background: I'm afraid of edge-cases where a user might get passed a wrong (preset or other user) instance.

Can we have simple (programmatic?) tests to ensure these exceptions work as expected eventually?

📌 Task

Status

Postponed

Version

3.0

Component

Code

Created by

🇩🇪Germany Anybody Porta Westfalica

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @Anybody
Comment 3 months ago →
🇩🇪Germany Anybody Porta Westfalica
Comment 3 months ago →
🇩🇪Germany Anybody Porta Westfalica
Comment 3 months ago →
🇩🇪Germany Grevil
Comment 3 months ago →
🇩🇪Germany Grevil
Thinking about this once again, I don't think this is necessary. The "retrieveInstance" Method, through which we load all of our homeboxes is quite bulletproof. Furthermore, we implement our own HomeboxAccessHandler and have all critical access checks validated through appropriate tests.

I'll keep this open for now, but I am not 100% sold on this yet.
Issue was unassigned.
Status changed to Postponed 3 months ago11:00am 11 April 2024
Comment 3 months ago →
🇩🇪Germany Grevil
Let's implement this if we run into any major problems.

Production build 0.69.0 2024