fix: use action in [...] and remove resource filter for all-tables/al…#1679
lyubov-voloshko merged 2 commits into main from
fix: use action in [...] and remove resource filter for all-tables/all-dashboards policies

Replace `action like` with `action in [...]` for wildcard table/dashboard actions, and use bare `resource` instead of `resource like .../*` when targeting all tables or all dashboards. Both frontend and backend parsers updated to handle the new syntax with backwards compatibility for `like`.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pull request overview
This PR updates the Cedar policy syntax used for "all tables" / "all dashboards" permissions by replacing `action like ...:*` with `action in [...]`, and by switching wildcard resources from `resource like RocketAdmin::<Type>::".../*"` to bare `resource`. Both frontend and backend policy parsers are updated to recognize the new syntax while remaining compatible with existing `like`-based policies.
Changes:
- Generate wildcard table/dashboard policies using `action in [...]` instead of `action like ...:*`.
- Generate wildcard "all tables/dashboards" policies using bare `resource` instead of `resource like .../*`.
- Update frontend and backend policy parsers to expand `action in [...]` into per-action permits.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| frontend/src/app/lib/cedar-policy-parser.ts | Adds action in [...] parsing/expansion and changes how missing resources are interpreted. |
| frontend/src/app/lib/cedar-policy-items.ts | Generates action in [...] for wildcard actions and uses bare resource for all-tables/all-dashboards resources. |
| backend/src/entities/cedar-authorization/cedar-policy-parser.ts | Adds action in [...] parsing/expansion and updates classical-permissions derivation to handle wildcard/all-resources cases. |
Comments suppressed due to low confidence (2)
backend/src/entities/cedar-authorization/cedar-policy-parser.ts:194
- Same issue as frontend: `action in [...]` leaves `result.action` null, so `resourceClause && !result.action` marks `permit(principal, action in [...], resource);` as `isWildcard` (full access) after expansion. This will mis-sync classical permissions and can unintentionally elevate connection/group access when saving policies that target all tables/dashboards. Update wildcard detection to account for `actions` being present (or only set `isWildcard` when both action and resource are unconstrained variables).

```ts
function extractDashboardId(resourceId: string | null, connectionId: string): string | null {
  if (!resourceId) return null;
  const prefix = `${connectionId}/`;
  if (resourceId.startsWith(prefix)) {
    return resourceId.slice(prefix.length);
  }
  return resourceId;
}
```
backend/src/entities/cedar-authorization/cedar-policy-parser.ts:77
- This change treats a missing/unparsed `permit.resourceId` as `'*'` (all tables). If `parsePermitBody` fails to parse a valid but unsupported resource constraint (e.g. `resource is RocketAdmin::Table`), the classical permissions sync will over-grant by assuming a wildcard. Prefer distinguishing "bare resource" (intentional all-tables) from "resource expression not parsed"; e.g., set an explicit flag in `parsePermitBody` when `resource` is bare, and otherwise skip when `resourceId` is null.

```ts
      if (!dashboardId) break;
      const dashboardEntry = getOrCreateDashboardEntry(dashboardMap, dashboardId);
      applyDashboardAction(dashboardEntry, permit.action);
      break;
    }
```
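As an added example (not the project's own code) of the distinction the two suppressed comments ask for: a small parser for the permit bodies discussed in this PR that expands `action in [...]`, flags a bare `resource` explicitly, leaves an unrecognised resource clause unparsed instead of treating it as `*`, and sets `isWildcard` only when both action and resource are unconstrained. `ParsedPermit`, `parsePermitBody` and `classicalResourceId` are assumed names chosen for illustration.

```typescript
// Added example, not the project's code: minimal parser for the Cedar permit
// subset this PR generates (bare action, `==`, `in [...]`, legacy `like`).
interface ParsedPermit {
  actions: string[] | null;  // null = bare `action` (unconstrained)
  resourceId: string | null; // concrete id, "*" for bare resource, null if unknown
  resourceBare: boolean;     // literal bare `resource` = intentional all-resources
  resourceParsed: boolean;   // false when the resource clause was not understood
  isWildcard: boolean;       // full access only when BOTH sides are unconstrained
}

const ENTITY_ID = /RocketAdmin::\w+::"([^"]*)"/g;

function entityIds(clause: string): string[] {
  const ids: string[] = [];
  let m: RegExpExecArray | null;
  ENTITY_ID.lastIndex = 0;
  while ((m = ENTITY_ID.exec(clause)) !== null) ids.push(m[1]);
  return ids;
}

function parsePermitBody(policy: string): ParsedPermit {
  // action clause may contain commas inside `in [...]`, so match it explicitly
  const re = /permit\s*\(\s*principal[^,]*,\s*(action(?:\s+in\s*\[[^\]]*\]|\s*(?:==|like)\s*[^,]*)?)\s*,\s*([\s\S]*?)\s*\)\s*;/;
  const m = re.exec(policy);
  if (!m) throw new Error("not a permit statement");
  const actionClause = m[1].trim();
  const resourceClause = m[2].trim();

  // `action in [...]` expands to a list; legacy `like "table:*"` keeps its pattern
  let actions: string[] | null = null;
  if (actionClause !== "action") {
    actions = entityIds(actionClause);
    if (actions.length === 0) throw new Error(`unsupported action clause: ${actionClause}`);
  }

  // Only a literal bare `resource` means "all"; `resource is ...` stays unparsed.
  const resourceBare = resourceClause === "resource";
  let resourceId: string | null = resourceBare ? "*" : null;
  let resourceParsed = resourceBare;
  if (!resourceBare && /^resource\s+(==|like)\s+/.test(resourceClause)) {
    const ids = entityIds(resourceClause);
    if (ids.length === 1) { resourceId = ids[0]; resourceParsed = true; }
  }
  return { actions, resourceId, resourceBare, resourceParsed,
           isWildcard: actions === null && resourceBare };
}

// Classical-permission sync: "*" only for an intentional bare resource; an
// unparsed clause yields null (skip) rather than an implicit all-tables grant.
function classicalResourceId(p: ParsedPermit): string | null {
  return p.resourceBare ? "*" : (p.resourceParsed ? p.resourceId : null);
}
```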
```ts
const permitIndex = policyText.indexOf(permitKeyword, searchFrom);
if (permitIndex === -1) break;

let i = permitIndex + permitKeyword.length;
// Skip whitespace after "permit"
```