Closed n3o77 closed 3 months ago
You use asynchronous streams, right ?
Yes, basically what's described here: https://symfony.com/bundles/ux-turbo/current/index.html#coming-alive-with-turbo-streams
Did you try using Mercure private updates ?
https://symfony.com/doc/current/mercure.html#authorization
https://symfony.com/bundles/ux-turbo/current/index.html#broadcast-options
Yes. But, if i'm not missing something, that only checks if the user is authenticated / has rights to receive updates on that stream. It doesn't affect which data is sent over the stream or how that data is rendered.
For anybody coming across this issue here's a quick and dirty workaround. But so far this seems to solve all of our issues with just minor adjustments to our codebase.
https://gist.github.com/n3o77/0c9bdd9f566eb23435a39953ea980f04
Basically we only send some key for the update over the event stream. Each client then sends a fetch request to render all the necessary turbo-streams which are passed to turbo to render the streams. This adds some delay and of course more load, but it's better than nothing till a better solution exists.
Thank you for this issue. There has not been a lot of activity here for a while. Has this been resolved?
Friendly reminder that this issue exists. If I don't hear anything I'll close this.
Hey,
I didn't hear anything so I'm going to close it. Feel free to comment if this is still relevant, I can always reopen!
We recently started to use ux-turbo and now run into the problem that the stream updates are always rendered for the user who triggers the change (which in hindsight makes total sense). But this means that role checks in templates don't make sense for other users. In our case we display senstive and more detailed data only to admin users.
To reproduce this create 2 users one with ROLE_ADMIN. In the turbo stream template:
Now trigger an update with the ROLE_ADMIN user. As this block will be rendered from the admin users session both elements will be streamed to all connected users.
In our case this happened in some nested template, much less obvious as in the example above. Of course we could separate the update streams / listeners by users etc. or build the template in a different way to have that data better separated. But that would be something to always keep in mind and every dev who works on the codebase needs to be aware of that circumstance and needs to check that the template part being worked on might be used in some stream update. Which i think is only a matter of time until it goes wrong when the codebase is getting bigger or more people working on it.
If i'm not missing something i don't think it's currently possible to handle this in the current implementation but it would be nice to have a warning in the docs for awareness.