Do not give everyone permission to read answers #156
Conversation
| return (dispatch, getState) => { | ||
| dispatch({type: SCHEMA_RETRIEVAL_PENDING}); | ||
| new KintoClient(config.server.remote, { | ||
| headers: getAuthenticationHeaders(collection) | ||
| headers: getAuthenticationHeaders("EVERYONE") |
There was a problem hiding this comment.
Could be "AUTHENTICATED" or "ANYONE" or a random uuid too.
| @@ -8,7 +8,7 @@ import config from "./config"; | |||
| * are stored. This is useful to always have one id to pass to the clients, | |||
| * and they can figure out what the user token and collection name is. | |||
| **/ | |||
| export function getUserToken(adminToken) { | |||
| export function getFormID(adminToken) { | |||
There was a problem hiding this comment.
If you change the name of the function, you need to update the description for it as well (returns the unique identifier of the form, from the administrative token)
|
Note that this needs Kinto >= 4.3 |
|
I test the new formbuilder with the https://kinto.dev.mozaws.net/v1/ backend. The admin token is: 91ec309e9a3c463ca63fd8036d9e6d71 As you can see in the admin console it looks ok! 👍 I suggest to update the README.md as it still refers to I find a bug too when you create a form without any required field, it fails publishing the form → 2502118#diff-d3be7b791c4d0d2548517ed3b5b9834bR81 |
|
I removed the |
|
In fact, I cannot reproduce. I got an error in the console |
|
Yes but the TypeError should change the form status as well. |
|
You can add something like that to forbid empty form publication: |
|
We should already have this somewhere. It rings a bell :) |
|
@Natim, how does this affects people with already in use forms? Does this continues to work for them or is this breaking compatibility? Thanks for the precision, and thanks for the code submission :-) |
Since Kinto 4.3 people can read the schema with the `record:create` permission.
almet
force-pushed
the
do-not-give-everyone-permission-to-read-answers
branch
from
03c9308 to
cdab572
Compare
|
This is now ready to be merged! |
Refs Kinto/kinto#828 (comment)
r? @almet
f? @enguerran
When we created the formbuilder it wasn't possible to let people read the schema without being able to read all the form answer.
This limitation was fixed in Kinto 4.3 and people with the
record:createpermission can now read the collection schema and their answer only.This is the implementation of the fix for the formbuilder.