Migration to @forestadmin/agent - permission problems with disassociate relationship

Matteo · October 3, 2024, 2:15pm

Hi.
We’re migrating from forest-express-sequelize to @forestadmin/agent.

We have the following models setup:

ExperienceTemplate <-- many-to-many --> Idea,
through a “bridge” table named ExperienceIdea.

Both the models have a sequelize relationship (they’re related in both directions):

// in the ExperienceTemplate model:
    this.belongsToMany(models.Idea, {
      through: models.ExperienceIdea,
      foreignKey: 'idExperience',
      otherKey: 'idIdea',
    })

// in the Idea model:
    this.belongsToMany(models.ExperienceTemplate, {
      through: models.ExperienceIdea,
      foreignKey: 'idIdea',
      otherKey: 'idExperience',
    })

In Forest Admin currently (with the old agent) we can disassociate an experienceTemplate from an Idea (and viceversa).

Here are the current permission settings (old agent) for the models fields:

Here are the roles permissions for the collections:

Thus, we can update (but not delete) the two models. And this is fine with our use case.

Allowing update we also allow the relationship update. Therefore with the old agent we can disassociate the relationship between one ExperienceTemplate record and one Idea record.

With the new agent, with the very same permission setup, we cannot any more.

With the new agent, when we disassociate (for example) one Idea record from one ExperienceTemplate record, we get the following error:

It looks like there’s some permission problem, because in our logs we see that the backend is returning a http 403 error to Forest (as we can see with the Chrome dev tools):

With the new agent, we had some struggle about this… and finally we found out that we could make this work by adding the DELETE permission to the role for the collections ExperienceTemplate and Idea. But we absolutely don’t want to allow the delete of these items! And we’re quite sure that the disassociate operation has nothing to do with the record deletion.

All this said, may you please doublecheck this feature in the new agent, please?
As far as you can tell, do you think that we’re doing some mistake?

PS: The many to many relationship is made with a bridge table. With the old agent we excluded that table from the list of models added to forest (as it’s just a technical item), using the exclude option in the Liana init call:

await Liana.init({
// various settings omitted...
      excludedModels: [
        // bridge table excluded
        databases.sequelize.datamix.models.ExperienceIdea.name,
      ],
})

With the new agent, we couldn’t exclude this model, because we understood that it’s needed to fulfil all the paths between model relationships on Forest side. So we didn’t exclude it. And we just hid the collection from the collection list in the main forest dashboard.

But we had a couple of test with this collection permissions too and the observed behaviour does not change whichever setting we do: allowing all the (role related) permissions doesn’t fix. And the “realtionship” fields in the collection settings are NOT read only on both sides:

Matteo · October 8, 2024, 7:33am

May I kindly ask for feedback, please?
This issue is critical for us, especially in the context of the migration to the new agent.

Thank you.
Matteo

morganperre · October 8, 2024, 9:06am

Hello @Matteo,

Sorry for the late response we were in an event last week and your ticket has been lost in the way…

It reminds me this thread about dissociate… and the fact that not easy to setup this…

You are absolutely right. I just check our code and the agent check that the user can delete to allow dissociate. But as we saw this is wrong since dissociating can only be an update…

github.com

ForestAdmin/agent-nodejs/blob/64bd49e34e75d391d96634916fa48eb333968e26/packages/agent/src/routes/modification/dissociate-delete-related.ts#L31


      
          
          export default class DissociateDeleteRelatedRoute extends RelationRoute {
            setupRoutes(router: Router): void {
              router.delete(
                `/${this.collectionUrlSlug}/:parentId/relationships/${this.relationUrlSlug}`,
                this.handleDissociateDeleteRelatedRoute.bind(this),
              );
            }
          
            public async handleDissociateDeleteRelatedRoute(context: Context): Promise<void> {
              await this.services.authorization.assertCanDelete(context, this.collection.name);
          
              // Parse route params
              const parentId = IdUtils.unpackId(this.collection.schema, context.params.parentId);
              const isDeleteMode = Boolean(context.request.query?.delete);
              const caller = QueryStringParser.parseCaller(context);
              const filter = await this.getBaseForeignFilter(context);
          
              // Dissociating a one to many or many many is quite a different job => delegate
              const relation = SchemaUtils.getToManyRelation(this.collection.schema, this.relationName);

I will circle back with our teams to find a clean solution. I will come back to you when we decide something.

I imagine you tried the excludes collection option of addDataSource am I right ?

Read-only settings has you show is only a frontend layout customization (it only affects the frontend state).

Again, I will circle back we our team to solve the dissociate issue.

Kind regards,
Morgan

morganperre · October 8, 2024, 10:11am

Hey again @Matteo,

As a side note, we did release the ability to hide “Dissociate the relationship” action.

The possibility to hide the default “Dissociate the relationship” action has been released. You can now hide at the team level that default action, for a relationship they don’t want to dissociate.

Here is a little video demonstrating the feature.

Kind regards,
Morgan

Matteo · October 8, 2024, 3:50pm

Hi @morganperre
Thank you for the disassociate-on/off-setting. It fits perfectly with our needs. We’ll give it a try ASAP.

About the collection exclusion, actually we did it with agent.removeCollection (documentation here).

Now we need to have some additional test with the method you suggested. In the mean time, may you please explain which is the difference between the two methods? Which is the intended use case for the two alternatives?

About the update permission for the disassociate feature, at the moment, it’s the last blocking issue with our old/new agent migration thus we hope to get news from you soon

Thank you very much for your support.
Matteo

morganperre · October 9, 2024, 6:46am

Hello @Matteo

Awesome. I will share the vibe to our team.

Clever ! So agent.removeCollection removes the collection from the admin-panel (frontend) but it is still usable in the agent.
At the opposite, addDatasource option to exclude removes it completely from both the admin-panel and the agent.

It is still an interesting feedback because some clients wants the bridge to be use inside forest others not. But agent.removeCollection definitely seems to be the best option.

No worries, something will be released today. You can have a look.

github.com/ForestAdmin/agent-nodejs

fix(permissions): properly check permissions when dissociating or deleting related resources

ForestAdmin:main ← ForestAdmin:fix/dissociate-delete-route

opened 12:39PM - 08 Oct 24 UTC

Thenkei

+96 -42

… ## Definition of Done ### General - [ ] Write an explicit title for t…he Pull Request, following [Conventional Commits specification](https://www.conventionalcommits.org) - [ ] Test manually the implemented changes - [ ] Validate the code quality (indentation, syntax, style, simplicity, readability) ### Security - [ ] Consider the security impact of the changes made

Basically, the agent will check the right permissions for the resource it will change/delete. Anyway I will let you know when released.

You are welcome.

Kind regards,
Morgan

morganperre · October 9, 2024, 8:58am

Hey again,

We’ve just released a new version of @forestadmin/agent (version 1.50.1)

We took a shortcut with the ManyToMany relationship even though the through table is the one taking the responsibility of the association we don’t need delete permissions on that table because jonction table are not always visible and controlled within Forest Admin (the admin panel)…

(In your case you will only need Edit right to perform association and disassociation.)

Let’s us know if it’s clearer to you.

Kind regards,
Morgan

morganperre · October 9, 2024, 9:06am

To add further reading.

Taking this simple example from Sequelize. Establishing a Many-to-Many relationship between User and Profile using the Grant model as the through table.

User.belongsToMany(Profile, { through: Grant });
Profile.belongsToMany(User, { through: Grant });

This list of permissions is enough to perform everything regarding association and disassociation.

Kind regards,
Morgan

Topic		Replies	Views
Migration to `@forestadmin/agent` - one-to-many relationship with a computed field Help me!	3	41	August 28, 2024
Is it possible to allow only "delete" inhibiting the "disassociate" in a relationship? Help me! howtos	10	294	October 8, 2024
Collection permission issue with related data tables Help me!	3	249	October 13, 2021
How to protect a specific linked relationship field for modification but allow for creation Help me!	3	304	February 22, 2021
How to make belongsTo editable in relationship? Help me! belongs-to	9	275	August 3, 2023

Migration to @forestadmin/agent - permission problems with disassociate relationship

Related topics