tactilenews / 100eyes

Dialog technology for the Pivot to People, invented by tactile.news GmbH
MIT License

Feat: scope dashboard routes #1953

Closed soey closed 3 months ago

soey commented 3 months ago

Scopes the dashboard routes by the organization

TODOS:

soey commented 3 months ago

~@mattwr18 @roschaefer - please have a short look here. It seems that I have to move the onboarding_unauthorized_heading and the onboarding_unauthorized_text out of the organization scope if we leave the routes where JWT validation is done in a global scope.~

We can keep it if the onboarding routes itself are scoped. Problem solved

soey commented 3 months ago

soey speaking of your comments, I'm super happy to move onboarding_unauthorized_heading and onboarding_unauthorized_text out of the organization.

done with: https://github.com/tactilenews/100eyes/pull/1953/commits/62600a572ef5b8e6cbc278e591c73c834637b8e3

mattwr18 commented 3 months ago

@mattwr18 @roschaefer - please have a short look here. It seems that I have to move the onboarding_unauthorized_heading and the onboarding_unauthorized_text out of the organization scope if we leave the routes where JWT validation is done in a global scope.

I don't really understand this comment. Why would the JWT validation be done with a global scope?

I think you provided some more context in your comment in Slack.

Yes, I would expect that we would a) remove the organization_id from the JWT as we no longer need this because b) We are now going to scope the routes themselves by the organization the contributor will onboard to.

I don't really mind if we want to have a generic unauthorized message, that is something you could talk to someone on the team that has more contact with the clients to see if they actually customize this ever, I guess they do since the default asks them to send a message to our email.

mattwr18 commented 3 months ago

@soey the biggest thing I am concerned about in this PR, which may be solved in another PR that I have not reviewed yet, is that this allows a user to access any other organization's routes. There is no check to see if the organization in the path is one that the current user belongs to.
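The gap mattwr18 describes is a classic broken-access-control pattern: the organization id in the path is trusted, and a global lookup by that id hands any signed-in user any organization's dashboard. The usual Rails fix is to resolve the record through the current user's association (`current_user.organizations.find(params[:organization_id])`, which raises `ActiveRecord::RecordNotFound` for a foreign id) instead of `Organization.find`. The following is an added, framework-free Ruby illustration of that difference; it is not code from the 100eyes project. The `DashboardController` class, the `render` helper, the fixtures and the user/organization names are all constructed for the example.

```ruby
# Added example, not 100eyes code: an unscoped lookup beside a membership-scoped
# one for a route shaped like /:organization_id/dashboard.

Organization = Struct.new(:id, :name)
User = Struct.new(:id, :organizations)

# Stand-in for ActiveRecord::RecordNotFound (rendered as a 404 by Rails).
class NotFound < StandardError; end

# Constructed fixtures: two organizations, one member in each.
ORGANIZATIONS = {
  1 => Organization.new(1, "Newsroom A"),
  2 => Organization.new(2, "Newsroom B"),
}.freeze
ALICE = User.new(10, [ORGANIZATIONS[1]])
BOB   = User.new(11, [ORGANIZATIONS[2]])

class DashboardController
  attr_reader :current_user, :params

  def initialize(current_user:, params:)
    @current_user = current_user
    @params = params
  end

  # Vulnerable variant: global lookup by the id taken from the path.
  # Any authenticated user can reach any organization's dashboard.
  def show_unscoped
    organization = ORGANIZATIONS.fetch(params[:organization_id]) { raise NotFound }
    "dashboard for #{organization.name}"
  end

  # Hardened variant: resolve the organization through the current user's
  # memberships only. A foreign id then behaves exactly like a nonexistent
  # one (404), which also avoids confirming which organization ids exist.
  def show_scoped
    organization = current_user.organizations.find { |o| o.id == params[:organization_id] }
    raise NotFound unless organization
    "dashboard for #{organization.name}"
  end
end

# Drives one request and maps the not-found case to a symbol, so the outcome
# of each variant can be compared directly.
def render(user, organization_id, scoped:)
  controller = DashboardController.new(current_user: user,
                                       params: { organization_id: organization_id })
  scoped ? controller.show_scoped : controller.show_unscoped
rescue NotFound
  :not_found
end

if $PROGRAM_NAME == __FILE__
  puts render(ALICE, 2, scoped: false) # unscoped: Alice reaches Newsroom B
  puts render(ALICE, 2, scoped: true)  # scoped: not_found
end
```

The test for the real controller follows the same shape: sign in as a member of one organization, request another organization's dashboard path, and expect a 404 rather than a 200. Scoping the route itself, as this PR does, is only half the change; the lookup inside the controller is where the membership check actually lives.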