Smart actions not working anymore after upgrade to v8

At Inato, we are using forest-express-sequelize but we define our own express handlers. Sequelize is only used to create the data models and we don’t use it to connect to the database.

Expected behavior

When using smart actions, they should call our corresponding handler without any error.

Actual behavior

When using smart actions, we receive the error {"error":"Smart Action: failed to evaluate permissions"}
We can see in this file that it’s caused by _ensureRecordIdsInScope, which instantiates a RecordsCounter to verify that the user has access to the smart action’s ids attribute.
As we don’t use sequelize to access the database, this is failing, hence the issue.

Context

  • Package Version: 8.0.4
  • Express Version: 4.17.1
  • Sequelize Version: 6.6.5
  • Database Dialect:
  • Database Version:
  • Project Name:
1 Like

Scopes are a feature that allows hiding records from users, depending on their team.
This is done server-side for security reasons.

When scopes are configured, the agent ensures that:

  • Charts, lists and relationship lists exclude out-of-scope records
  • Getting an out-of-scope record returns a 404
  • Users cannot call smart actions on, nor update or delete, out-of-scope records

Your issue comes from the fact that, since v8, the permissionMiddlewareCreator.smartAction() middleware checks that the query that comes from the browser does not try to update records which are out of scope.

This requires performing a query to the database, hence the call to sequelize.

If you are not using scopes, and wish to skip the check, you can replace all calls to permissionMiddlewareCreator.smartAction() by permissionMiddlewareCreator._checkPermission('actions').

For information:

  • _ensureRecordIdsInScope() is the private method that checks that the records are in scope.
  • _checkPermission('actions') is the private method that checks that the current user's roles allow him to call the smart action.
  • smartAction() is the middleware you’ve been using, and does both.

This is not ideal, as those private methods are not part of the stable API, and may change between minors when you upgrade your agent next time.

1 Like
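For setups that do use scopes but cannot let the agent query the database, the record-id check that the workaround above skips can be re-done against your own data source. The following is an added example, not code from this thread or from Forest Admin; it assumes the selected ids arrive in body.data.attributes.ids, that the authenticated user is on req.user, and that fetchVisibleIds is a hypothetical function you write yourself. It handles explicit id lists only.

```javascript
// Added example, not Forest Admin code. Assumptions: ids are sent in
// body.data.attributes.ids; req.user is the authenticated user;
// fetchVisibleIds(user, ids) is a hypothetical lookup against your own
// backend (REST API, etc.) returning the ids that user may see.

// Extract the record ids the browser asks the action to run on.
function extractRequestedIds(body) {
  const attrs = body && body.data && body.data.attributes;
  const ids = attrs && attrs.ids;
  if (!Array.isArray(ids) || ids.length === 0) return null; // malformed
  return ids.map(String);
}

// Return the requested ids that are NOT in the user's visible set.
function outOfScopeIds(requestedIds, visibleIds) {
  const visible = new Set(visibleIds.map(String));
  return requestedIds.filter((id) => !visible.has(id));
}

// Express-style middleware factory. Mount it after the role check, e.g.
//   router.post(path, permissionMiddlewareCreator._checkPermission('actions'),
//               ensureIdsInScope(fetchVisibleIds), handler)
function ensureIdsInScope(fetchVisibleIds) {
  return async function scopeCheck(req, res, next) {
    const requested = extractRequestedIds(req.body);
    if (requested === null) {
      return res.status(400).send({ error: 'Smart Action: missing record ids' });
    }
    try {
      const visible = await fetchVisibleIds(req.user, requested);
      if (outOfScopeIds(requested, visible).length > 0) {
        // Fail closed, and do not tell the caller which ids were rejected.
        return res.status(403).send({ error: 'Smart Action: records out of scope' });
      }
      return next();
    } catch (err) {
      // A failed lookup must never let the action through.
      return res.status(403).send({ error: 'Smart Action: failed to evaluate permissions' });
    }
  };
}
```
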

@romaing Thanks for your answer.
This is the solution we had found and it’s working great now.
As you stated, though, I’m afraid using these ‘private’ methods will probably create other issues in the future so if you come up with better solutions later (like adding a parameter to smartAction() to check or not the scopes, or being able to give the scope checker methods as parameters…), please tell us :pray: !

In the long term, the architecture of those packages should change towards a more modular architecture, which should fix those limitations (no timeline yet though).

2 Likes

Hi there. Is there any update on this? We have the same issue regarding smartActions on smart collections (i.e. where the backend is a REST API instead of a DB). We can go with the workaround as proposed, but it would be great to hear if there is a long-term solution coming up.