Closed noahtalerman closed 9 months ago
:shaqwiggle:
Hey @mikermcneil, we decided to use "Software titles" instead of "Software names" (e.g. Titles view and Versions view). What's your take on it? (Figma link is attached in the issue description)
@marko-lisica I think that in the current design I see in Figma, we need to further consider narrower window widths to be sure all the filters fit, and to consider that when switching that dropdown, some or all filters will need to clear, because now there's a new type of entity. Also we'll support CVEs (vulnerabilities) here as a 3rd option in the future, so even if the columns for titles and versions manage to stay the same, there'll still be more differences coming later.
That said I'm intrigued by the idea of solving this with a simple filter, just need to make sure that the visual simplicity doesn't also cause more underlying complexity and dev time / ongoing maintenance and surface area. My hunch is that it works, but to be clear, caveat: I did not review every screen in detail, I literally looked at it for 15 seconds.
cc @noahtalerman
Feedback from Mike:
GET /software
API endpoint to GET /software/versions
. Maintain backwards compatibility. It's now one endpoint w/ two names. API docs show only the new naming.cc @marko-lisica ^^
From @marko-lisica:
Rename GET /software API endpoint to GET /software/versions. Maintain backwards compatibility. It's now one endpoint w/ two names. API docs show only the new naming.
GET /software would be what we call titles right now, and GET /software/versions would be versions for which we use GET /software in current wireframes?
Vulnerabilities instead of Probability of exploit column for paid users on Software page and Software details pages
Is this about column name or functionality should change (instead of percentage we show a number of vulnerabilities, same as we do for the free version)?
Add w/ icons for 10 celebrity apps and hardcode these. Noah: Marko, let's decide what these are together on Monday
Not sure about this one, where should we add icons? Is this something that should be part of Software titles issue or something for the future?
GET /software would be what we call titles right now, and GET /software/versions would be versions for which we use GET /software in current wireframes?
@marko-lisica as part of this story, GET /software
(today's API endpoint) gets renamed to GET /software/versions
. As a user I can hit /software or /software/versions and they return the same response (versions).
Is this about column name or functionality should change (instead of percentage we show a number of vulnerabilities, same as we do for the free version)?
The latter: instead of prob of exploit, we show vulnerabilities (CVEs). Yep, same as we do for free.
Not sure about this one, where should we add icons? Is this something that should be part of https://github.com/fleetdm/fleet/issues/14674 issue or something for the future?
I think where we add them is up to you. Adding icons for top 10 celebrity apps is something we want to be a part of this story.
Celebrity apps that we'll have icons in v1:
@marko-lisica what should be the default sort for the titles and versions tables? Up to you.
I think we need a dev note for this.
@georgekarrv Ready for specification.
Based on conversation with @roperzh, we'll group Application (macOS) by name
instead of bundle_identifier
.
@marko-lisica @noahtalerman regarding:
Permissions changes: Same permissions as "View all software" (permissions docs here)
What's the expectation for GET /software/titles/:id
? we don't have any documented permissions for the equivalent GET /software/:id
.
Determining permissions is a bit tricky because software and software titles don't "belong" to a team.
@roperzh Right now all roles (except GitOps) can view all software. We want same experience for titles as well. Each role (except GitOps) should be able to see all software titles and software versions.
How does it work for team roles today with softvare versions?
How does it work for team roles today with softvare versions?
@marko-lisica as far as I can tell, everyone is able to access everything. Eg: a team member can see any software
@roperzh In regard of team based roles:
Team observer, maintainer and admin roles should be able to view only software installed to hosts that belongs to their team. This is how it works today (e.g. Maintainer of Team A can see only software installed to hosts that belong to Team A).
This should work the same for software titles. For example, the maintainer of Team B should be able to see software titles that are installed to hosts that belong to Team B. The maintainer should be able to see only versions that are installed on the hosts from Team B, in software title details (GET /software/titles/{id}
.
I'll update the issue description to reflect this. cc @noahtalerman
This is how it works today (e.g. Maintainer of Team A can see only software installed to hosts that belong to Team A).
@marko-lisica and @roperzh I just realized that this might be how it works in the UI today but not in the API? (Marko and I tested the UI)
If that's the case, there might be a change we need to make at the API level.
Like Marko said, we'd like for team observer, maintainer and admin roles be able to view only software installed to hosts that belongs to their team. (API and UI)
@noahtalerman yeah, that's the case in the API. It's a bit tricky to do but not impossible
@roperzh and @marko-lisica I think we should add the permissions at the API level.
What permissions error will a team admin of Team A see when they try to view Team B's software?
Manual testing completed. Follow up issue filed here.
Confirm and celebrate ritual:
@marko-lisica was there some permissions change that didn't make it in to this story that we wanted to come back to? IIRC we had some conversation w/ Roberto
@noahtalerman I've just tested and it seems it works as expected. I created account that has access to specific teams and I was able to get response for teams that are assigned to that user, otherwise, it just returns a forbidden error (the error could probably be clearer). Also, when I tried to get all software titles or versions it returns error.
cc @roperzh
TODO Marko: Check if GET /software/titles and GET /software/versions is truly filtered by team as a team user. If not, let's file a bug for it.
@noahtalerman I've checked and it works properly.
The problem is user can open any software title or version by id (GET /software/titles/:id
& GET /software/versions/:id
) in UI (accessing directly via URL) and API.
@noahtalerman I've checked and it works properly.
Great, thanks!
The problem is user can open any software title or version by id (GET /software/titles/:id & GET /software/versions/:id) in UI (accessing directly via URL) and API.
@marko-lisica good find. Can you please file a bug for this?
For the UI, I think the expected behavior is to show a "Forbidden" (403) page. I think this has some illustration. I might be wrong here.
The problem is user can open any software title or version by id (GET /software/titles/:id & GET /software/versions/:id) in UI (accessing directly via URL) and API.
@marko-lisica ping! When you get the chance, can you please file a bug for this?
C&C: @rachaelshaw when you get the chance, can you please take a look at the docs PR here? https://github.com/fleetdm/fleet/pull/14831
If it's approved, can you please merge and close this issue?
The problem is user can open any software title or version by id (GET /software/titles/:id & GET /software/versions/:id) in UI (accessing directly via URL) and API.
@marko-lisica ping! When you get the chance, can you please file a bug for this?
@noahtalerman I did it already last week, here's the bug: #16052
Software titles shine, Each host's unique list aligns, In the cloud, peace of mind.
Goal
Changes
Product
GET /software/titles/{id}
should return only versions that are installed to hosts that belong to their teamRequirements
apt_sources
andyum_sources
from frontend since they aren't available anymore (see here)GET /software
andGET /software/versions
will work the same. We're just documentingGET /software/versions
see more in API design PR, linked above.GET /software/{id}
andGET /software/versions/{id}
will work the same. We're just documentingGET /software/versions/{id}
Group software titles by:
bundle_identifier
name
name
name
name
name
name
name
name
name
name
name
name
Engineering
Context
QA
Risk assessment
Manual testing steps
Testing notes
Confirmation