IBX-7275: Exposed base admin UI configuration in REST API #1027
Conversation
ciastektk
force-pushed
the
ibx-7275-exposed-base-admin-ui-configuration-in-rest-api
branch
from
de08ce0 to
4ab0e0f
Compare
ciastektk
added
Doc needed
ciastektk
force-pushed
the
ibx-7275-exposed-base-admin-ui-configuration-in-rest-api
branch
from
265451b to
94705df
Compare
|
Kudos, SonarCloud Quality Gate passed!
|
There was a problem hiding this comment.
@ciastektk Have you reviewed all data that could be returned for security implications, since this is not authenticated?
Is it public because that's easier, or because it strictly has to be?
Does it dump the entire config, or only what is strictly required by DAM?
Could you consider making it configurable, so those who don't need this for DAM can block it?
Some clients have reacted in the past about making content type info public, but that's already done in dedicated endpoints anyway, I think. So they'd have to disable rest entirely in the frontend to stop it.
|
If this dumps the entire config, another risk is if we later add some new config setting that is sensitive - and we forget that this endpoint is exposing all of it. A good reason to only expose what is specifically required. |
|
@ciastektk, @mnocon I have checked (the output in the description) and not found anything that is dangerous by itself. Some "known unknowns" exist:
|
There was a problem hiding this comment.
I've also looked into the data returned - there are only two differences:
- Data for Anonymous does not contain information about sections
- Data for Anonymous does not contain information about the current user
Both make sense to me
In case we're ok (for now) with this technical design - QA Approved!
|
We need to thing about next steps in terms of Providers, what kind of data should be exposed and of course how to secure current solution. This endpoint is very important because most of the data are used by UDW and frontend part changes of Image picker needs to be adjusted. For now, we decided to merge it as is. |
ciastektk
deleted the
ibx-7275-exposed-base-admin-ui-configuration-in-rest-api
branch
Endpoint
[GET] /api/ibexa/v2/application-configThis PR adds dedicated endpoint to get base admin ui config in REST API. The same configuration is stored in
window.ibexa.adminUIConfig.Response
JSON
{ "ApplicationConfig": { "_media-type": "application/vnd.ibexa.api.ApplicationConfig+json", "multiFileUpload": { "locationMappings": [], "defaultMappings": [ { "mimeTypes": [], "contentTypeIdentifier": "image", "contentFieldIdentifier": "asset", "nameFieldIdentifier": "title" } ], "fallbackContentType": { "contentTypeIdentifier": "image", "contentFieldIdentifier": "asset", "nameFieldIdentifier": "title" }, "maxFileSize": 5242880 }, "sortFieldMappings": { "PATH": "LocationPath", "PUBLISHED": "DatePublished", "MODIFIED": "DateModified", "SECTION": "SectionIdentifier", "DEPTH": "LocationDepth", "PRIORITY": "LocationPriority", "NAME": "ContentName", "NODE_ID": "LocationId", "CONTENTOBJECT_ID": "ContentId" }, "sortOrderMappings": { "ASC": "ascending", "DESC": "descending" }, "imageVariations": { "original": null, "reference": { "reference": null, "filters": { "geometry/scaledownonly": [ 600, 600 ] } }, "small": { "reference": "reference", "filters": { "geometry/scaledownonly": [ 100, 100 ] } }, "tiny": { "reference": "reference", "filters": { "geometry/scaledownonly": [ 30, 30 ] } }, "medium": { "reference": "reference", "filters": { "geometry/scaledownonly": [ 200, 200 ] } }, "large": { "reference": "reference", "filters": { "geometry/scaledownonly": [ 300, 300 ] } }, "ezplatform_admin_ui_profile_picture_user_menu": { "reference": "reference", "filters": { "geometry/scaledownonly": [ 30, 30 ], "geometry/crop": [ 30, 30, 0, 0 ] }, "post_processors": [] } }, "contentEditFormTemplates": [], "user": { "user": null, "profile_picture_field": null }, "languages": { "mappings": { "eng-GB": { "name": "English (United Kingdom)", "id": 2, "languageCode": "eng-GB", "enabled": true } }, "priority": [ "eng-GB" ] }, "contentTypes": { "Content": [ { "id": 1, "identifier": "folder", "name": "Folder", "isContainer": true, "thumbnail": "/bundles/ibexaadminui/img/ibexa-icons.svg#folder", "href": "/api/ibexa/v2/content/types/1" } ], "Users": [ { "id": 4, "identifier": "user", "name": "User", "isContainer": false, "thumbnail": "/bundles/ibexaadminui/img/ibexa-icons.svg#user", "href": "/api/ibexa/v2/content/types/4" }, { "id": 3, "identifier": "user_group", "name": "User group", "isContainer": true, "thumbnail": "/bundles/ibexaadminui/img/ibexa-icons.svg#user_group", "href": "/api/ibexa/v2/content/types/3" } ], "Media": [ { "id": 13, "identifier": "image", "name": "Image", "isContainer": false, "thumbnail": "/bundles/ibexaadminui/img/ibexa-icons.svg#image", "href": "/api/ibexa/v2/content/types/13" } ] }, "universalDiscoveryWidget": { "startingLocationId": 1 }, "subItems": { "limit": 10 }, "imageAssetMapping": { "contentTypeIdentifier": "image", "contentFieldIdentifier": "image", "nameFieldIdentifier": "name", "parentLocationId": 51 }, "notifications": { "error": { "timeout": 0 }, "warning": { "timeout": 0 }, "info": { "timeout": 0 }, "success": { "timeout": 5000 } }, "timezone": "UTC", "dateFormat": { "fullDateTime": "LLLL dd, yyyy HH:mm", "fullDate": "LLLL dd, yyyy", "fullTime": "HH:mm", "shortDateTime": "dd/MM/yyyy HH:mm", "shortDate": "dd/MM/yyyy", "shortTime": "HH:mm" }, "autosave": { "enabled": false, "interval": 60000 }, "userContentTypes": [ "user" ], "sections": [], "locations": { "media": 43, "contentStructure": 2, "users": 5 }, "iconPaths": { "iconSets": { "public_icons": "/bundles/ibexaadminui/img/ibexa-icons.svg", "streamlineicons": "/bundles/ibexaicons/img/all-icons.svg" }, "defaultIconSet": "streamlineicons" }, "backOfficeLanguage": "en", "backOfficePath": "/", "suggestions": { "minQueryLength": 3, "resultLimit": 5 }, "contentTree": { "loadMoreLimit": 30, "childrenLoadMaxLimit": 200, "treeMaxDepth": 10, "allowedContentTypes": [], "ignoredContentTypes": [], "treeRootLocationId": 2, "contextualTreeRootLocationIds": [ 2, 5, 43, 48, 57 ] }, "imageEditor": { "config": { "actionGroups": { "default": { "label": "Default", "actions": { "crop": { "priority": 300, "buttons": { "1_1": { "label": "1:1", "ratio": { "x": 1, "y": 1 }, "priority": 0, "visible": true }, "3_4": { "label": "3:4", "ratio": { "x": 3, "y": 4 }, "priority": 0, "visible": true }, "4_3": { "label": "4:3", "ratio": { "x": 4, "y": 3 }, "priority": 0, "visible": true }, "16_9": { "label": "16:9", "ratio": { "x": 16, "y": 9 }, "priority": 0, "visible": true }, "custom": { "label": "Custom", "priority": 0, "visible": true } }, "visible": true }, "flip": { "priority": 200, "visible": true, "buttons": [] }, "focal-point": { "priority": 100, "visible": true, "buttons": [] } } } }, "imageQuality": 0.92 } } } }XML
Customize configuration option
Config Providers are extendable and allows to add extra data to configuration, so custom Generators with abstraction layer have been also added. That allows to customize configuration parameter in REST for specific namespace. Namespace is a key used in service tag e.g.:
multiFileUpload(ref: https://github.com/ibexa/admin-ui/blob/main/src/bundle/Resources/config/services/ui_config/common.yaml#L21).Checklist:
$ composer fix-cs)