fix(permissions/fields): #2926 ④⑧ — FLS fail-open + lookup display_field#2537
Merged
Merged
Conversation
…d FLS (framework#2926 ④) /me/permissions was fetched with the cookie-only global fetch, so a token-only session (localStorage, no better-auth cookie) resolved as anonymous and FLS rendering fell open — restricted fields rendered editable and user input was silently stripped by the data layer. MePermissionsProvider now accepts a fetcher and the console injects createAuthenticatedFetch() (root cause), and the unknown-object default is authentication-gated: authenticated sessions fail closed on unconfigured objects, anonymous sessions keep the permissive default so guest/public forms keep working. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_017bJWtKmZ2mFpRFAmmmoeqe
…6 ⑧) ObjectGrid forwards display_field on the column meta, but the read cell ignored it and always ran the hardcoded name-first heuristics — lookup columns showed the raw API name instead of the configured display/label field. Thread the preferred field through every render path and the useLookupName fetch, keying the name cache by display field so two columns over the same record never serve each other's cached name. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_017bJWtKmZ2mFpRFAmmmoeqe
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
Contributor
✅ Console Performance Budget
📦 Bundle Size Report
Size Limits
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
objectui 侧修复,配套框架 PR objectstack-ai/framework#2983(#2926 复测缺陷总修)。
④ console FLS 无 cookie 会话 fail-open
MePermissionsProvider拉/me/permissions用裸fetch+credentials:'include',不带 localStorage 的 Bearer token;仅 token 无 cookie 时请求被当匿名处理 → 返回空objects/fields→ 缺省放行 → 受限字段(budget/spent)可编辑。fetcher?: typeof fetchprop;console 传createAuthenticatedFetch()(与AdapterProvider同模式),/me/permissions现在带鉴权头 —— 已登录用户拿到真实权限,这是根因修复。checkField/check的"未知即放行"缺省收紧为 仅当data.authenticated === true时 fail-closed;guest 响应({authenticated:false},无 objects/fields)保持放行,不锁死公共表单。⑧ 网格 lookup 列显示 API name 而非 display_field
LookupCellRenderer从不读field.display_field(尽管ObjectGrid已通过RELATIONAL_META_KEYS转发),走硬编码启发式(name优先)。field.display_field传入pickRecordDisplayName(preferredField参数已存在)的全部调用点;useLookupName加第三参并入 cacheKey(防跨列串缓存)。验证
@object-ui/permissions(83)、@object-ui/fields(83)全绿;type-check干净。🤖 Generated with Claude Code
Generated by Claude Code