fix: Switch to $client for API mutation and replace fetch with Store value in feedback comp #3652
Conversation
|
🤖 Hasura Change Summary compared a subset of table metadata including permissions: Updated Tables (1)
|
|
Removed vultr server and associated DNS entries |
There was a problem hiding this comment.
Unfortunately, I don't think this is the right solution here.
submission_email should not be exposed via the pubic role as it's used to access "send to email" payloads (see https://trello.com/c/EeJb0QVC/2614-harden-download-application-files-endpoint?search_id=8c2b8fda-b422-445a-a594-ae0c9b0360d7 and https://www.notion.so/opensystemslab/Inadequate-hardening-on-Send-to-email-endpoint-02cb855f339b4a1bab49fc0ff8e0dd72?pvs=4)
As we know that "move Flow" is an authorised user only feature, a better solution here would be to ensure that the API is using the correct permission level for this action 👍
Ah yeah okay, this makes sense. It be better for the moveFlow to use export const getUserAndTeam = async ({
userEmail,
teamSlug,
}: {
userEmail: string;
teamSlug: string;
}) => {
const $client = getClient();
const team = await $client.team.getBySlug(teamSlug);
if (!team) throw Error(`Unable to find team matching slug ${teamSlug}`);
const user = await $client.user.getByEmail(userEmail);
if (!user) throw Error(`Unable to find team matching email ${userEmail}`);
return { team, user };
}; |
|
@RODO94 Yep, that should work without changing the column permission structure on Hasura 👍 |
RODO94
force-pushed
the
rory/submission_email-fix
branch
from
d351b08 to
9703d5c
Compare
RODO94
changed the title
submission_email column
Addressing the bug: https://opensystemslab.slack.com/archives/C4B0CKQ3U/p1726047860980599
I found there was an issue with moveFlow in the API which was using the Public role to getTeamBySlug(). Found that this was unchecked for
submission_emailon Hasura.Tried locally and it fixes the issue.