omar-dulaimi / trpc-shield

🛡 A tRPC tool to ease the creation of permission layer.
MIT License

Fallback rule not working on nested routers #24

Closed zoey-kaiser closed 6 months ago

zoey-kaiser commented 8 months ago

Bug report

Describe the bug

The fallbackRule option is not working on nested routers.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

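import { shield, or, deny } from 'trpc-shield'

// isAdmin, userOwnsUser and userIsArg are the project's own rules; Context is its tRPC context type.
const trpcShield = shield<Context>(
  {
    user: {
      query: {
        getCurrentUser: isAdmin,
        users: isAdmin,
        user: or(isAdmin, userOwnsUser)
      },
      mutation: {
        updateUser: or(isAdmin, userIsArg(['user', 'id'])),
        createUser: isAdmin
      }
    }
  },
  { fallbackRule: deny } // This does not apply
)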

Expected behavior

Routes that do not have any permissions set should fall back to the fallbackRule in a namespaced router setup.

Actual behavior

fallbackRule does not apply and all routes are unprotected.

Additional context

This issue was first raised in https://github.com/omar-dulaimi/trpc-shield/issues/23. The issue has been closed without any context provided as to if the bug was resolved or if the author went with another approach.

A fix for this bug was already pushed in https://github.com/omar-dulaimi/trpc-shield/pull/22 a while ago. It would be great to receive a review on this to merge and publish this fix soon. If the original PR author does not respond, I also do not mind opening a new PR!

Fixing this is critical to our project, as it makes using trpc-shield with namespaced routes super unsafe. If you forget to properly add a route to the shield config or have a small spelling mistake, it can compromise your entire application.
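The failure mode described in the report above (a procedure missing from the shield config, or a misspelled key, ends up unprotected) can also be caught by a coverage check in CI that does not depend on fallbackRule. This is an added example, not code from trpc-shield or from the issue author; `flattenRules`, `auditCoverage`, the procedure list and the placeholder rule strings are assumptions, and how the procedure list is collected from the router is left to the project.

```typescript
type ProcType = 'query' | 'mutation';
interface Proc { path: string; type: ProcType }
type RuleTree = { [key: string]: unknown };

// Flatten namespace -> query/mutation -> name into keys like "query:user.users".
function flattenRules(tree: RuleTree, prefix: string[] = []): string[] {
  const out: string[] = [];
  for (const key of Object.keys(tree)) {
    const value = tree[key];
    if (value === null || typeof value !== 'object') continue;
    if (key === 'query' || key === 'mutation') {
      for (const name of Object.keys(value as RuleTree)) {
        out.push(`${key}:${prefix.concat(name).join('.')}`);
      }
    } else {
      // Anything else is treated as a namespace and walked recursively.
      out.push(...flattenRules(value as RuleTree, prefix.concat(key)));
    }
  }
  return out;
}

// unprotected: procedures with no explicit rule; orphanRules: rule keys matching no procedure (likely typos).
function auditCoverage(rules: RuleTree, procs: Proc[]): { unprotected: string[]; orphanRules: string[] } {
  const ruleKeys = flattenRules(rules);
  const procKeys = procs.map((p) => `${p.type}:${p.path}`);
  return {
    unprotected: procKeys.filter((k) => ruleKeys.indexOf(k) === -1).sort(),
    orphanRules: ruleKeys.filter((k) => procKeys.indexOf(k) === -1).sort(),
  };
}

// Constructed sample shaped like the config in the issue; rules are placeholder strings.
const sampleRules: RuleTree = {
  user: {
    query: { getCurrentUser: 'isAdmin', users: 'isAdmin', user: 'or(isAdmin, userOwnsUser)' },
    mutation: { updateUser: 'or(isAdmin, userIsArg)', creatUser: 'isAdmin' }, // constructed typo
  },
};
const sampleProcs: Proc[] = [
  { path: 'user.getCurrentUser', type: 'query' },
  { path: 'user.users', type: 'query' },
  { path: 'user.user', type: 'query' },
  { path: 'user.updateUser', type: 'mutation' },
  { path: 'user.createUser', type: 'mutation' },
  { path: 'user.deleteUser', type: 'mutation' }, // constructed: never added to the config
];

const audit = auditCoverage(sampleRules, sampleProcs);
console.log(audit.unprotected.length === 0 ? 'all procedures covered' : audit);
```

Failing the build whenever either list is non-empty keeps the permission map and the router in sync even when a fallback rule is configured.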

hilibari commented 6 months ago

I am also facing this issue. @zoey-kaiser have you found any method or approach to dealing with this issue?

omar-dulaimi commented 6 months ago

Released in: https://github.com/omar-dulaimi/trpc-shield/releases/tag/0.4.4

Let me know how it goes.

Also, if you can, please consider supporting me to allocate time for this project and others. I have stepped away from Open Source for a few months now, but would love to come back. The lacking nature of open source support doesn't help me and others to stay motivated for continued work. Hope this changes soon.