feat: enhance relation permissions and accessibility checks#2765
Conversation
Signed-off-by: Enjeck C. <patrathewhiz@gmail.com>
ce4f34e to
b365a3c
Compare
Fair. We could simplify and say that columns from publicly shared tables or views can be accessed generally. When they are password protected, however, you would want to verify that and it becomes difficult again. They could be exempted generally though, this would need to come with a clear info somewhere to be an accepted risk. Could still improve upon it later one. Have some stomach aches with this on the one hand, on the other one the relational column can only be added with by a user with sufficient permissions, so it would be OK imo to have that exception. Or what do other think? |
| * @param string|null $customSettings | ||
| * @throws BadRequestError | ||
| */ | ||
| private function validateRelationTargetAccess(?string $customSettings, ?string $userId): void { |
There was a problem hiding this comment.
I'd recommend to merge #2271 first as it introduces very useful method:
$settings = $column->getCustomSettingsObject(RelationLookupSettings::class);
$settings->relationColumnId; // always exists, always non-nullable, so we don't need redundant checksAlso it adds better cache key management buildRelationCacheKey(string $relationType, int $targetId, int $labelColumn): string

This PR has the following improvements:
🏁 Checklist
/backport to stableX.X🤖 AI (if applicable)