Refactor/user management capabilities within the generic data api #89
Conversation
Updated the documentation for the `user.update` permission to explicitly state it is an administrator-level permission, distinguishing it from `user.update_owned`.
Removed `Permissions.userCreate` and `Permissions.userDelete` from the `_dashboardAdminPermissions` set. This change enforces the rule that administrators can only update users through the generic data API, while creation and deletion are handled exclusively by the authentication service.
Updated the `ModelConfig` for the `user` model to mark `POST` (create) and `DELETE` operations as `RequiredPermissionType.unsupported`. This change enforces that user lifecycle management is handled exclusively by the authentication service, not the generic data endpoint. Added comments to clarify the update logic flow.
Removed the 'user' model from the item creators and deleters maps, enforcing that user creation and deletion are handled exclusively by the authentication service. Completely rewrote the custom updater for the 'user' model to be secure and architecturally sound. The new logic:
- Enforces that administrators can only update `appRole` and `dashboardRole`.
- Enforces that regular users can only update their own `feedDecoratorStatus`.
- Rejects attempts to update any other fields via this endpoint.
- Reads the pre-fetched user object and uses `copyWith` to apply only the allowed changes, creating a full, valid `User` object for the repository's `update` method.
This resolves the previous partial update issue and aligns with the `DataRepository<T>` contract.
Added two new methods to `AuthService` to handle user email changes securely:
- `initiateEmailUpdate`: Checks if the new email is available, then generates and sends a verification code to the new address.
- `completeEmailUpdate`: Verifies the provided code and, upon success, updates the user's email in the database.
This ensures that a user must prove ownership of the new email address before the change is finalized, enhancing account security.
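The two-step flow described in this commit, written out as an added example in Dart (the project's own language, judging by `copyWith` and `DataRepository<T>`). This is not the project's `AuthService`; the in-memory user table, the `outbox` list standing in for the mailer, the 6-digit code, the 10-minute expiry and the injectable clock are all assumptions made for the example. The review comment further down flags a potential race in the email update logic without spelling it out; independently of what the reviewer has in mind, the obvious window is between the availability check at initiation and the write at completion, so this version checks availability again before writing.

```dart
// Added example, not the project's AuthService: a two-step email change in
// which the code is sent only to the address being claimed and availability
// is re-checked when the change is finalized.
import 'dart:math';

class EmailTaken implements Exception {
  final String email;
  EmailTaken(this.email);
  @override
  String toString() => 'EmailTaken: $email';
}

class InvalidCode implements Exception {
  @override
  String toString() => 'InvalidCode';
}

class _PendingChange {
  final String newEmail;
  final String code;
  final DateTime expiresAt;
  _PendingChange(this.newEmail, this.code, this.expiresAt);
}

class EmailChangeService {
  // Constructed in-memory stand-ins for the user table and the mailer.
  final Map<String, String> emailByUserId;
  final List<String> outbox = [];
  final Map<String, _PendingChange> _pending = {};
  final DateTime Function() _now;
  final Random _rng = Random.secure();

  EmailChangeService(this.emailByUserId, {DateTime Function()? now})
      : _now = now ?? DateTime.now;

  String _normalize(String email) => email.trim().toLowerCase();

  bool _isAvailable(String email) => !emailByUserId.values.contains(email);

  // Step 1: check availability, mint a single-use code and mail it to the
  // new address only. Nothing in the user table changes yet.
  void initiateEmailUpdate(String userId, String newEmail) {
    final target = _normalize(newEmail);
    if (!_isAvailable(target)) throw EmailTaken(target);
    final code = List.generate(6, (_) => _rng.nextInt(10)).join();
    final expiresAt = _now().add(const Duration(minutes: 10));
    _pending[userId] = _PendingChange(target, code, expiresAt);
    outbox.add('to=$target code=$code');
  }

  // Step 2: the caller proves control of the new address by presenting the
  // code; only then is the stored email replaced.
  void completeEmailUpdate(String userId, String code) {
    final pending = _pending[userId];
    if (pending == null) throw InvalidCode();
    if (_now().isAfter(pending.expiresAt)) {
      _pending.remove(userId);
      throw InvalidCode();
    }
    if (!_constantTimeEquals(pending.code, code)) throw InvalidCode();
    // The step-1 availability check is stale by now: another account may
    // have taken the address in between, so check again before writing.
    if (!_isAvailable(pending.newEmail)) {
      _pending.remove(userId);
      throw EmailTaken(pending.newEmail);
    }
    emailByUserId[userId] = pending.newEmail;
    _pending.remove(userId); // the code is single use
  }
}

// Compare codes without short-circuiting on the first mismatching character.
bool _constantTimeEquals(String a, String b) {
  if (a.length != b.length) return false;
  var diff = 0;
  for (var i = 0; i < a.length; i++) {
    diff |= a.codeUnitAt(i) ^ b.codeUnitAt(i);
  }
  return diff == 0;
}

void main() {
  // Constructed sample users.
  final users = {'u1': 'old@example.test', 'u2': 'other@example.test'};
  final svc = EmailChangeService(users);

  svc.initiateEmailUpdate('u1', 'New@Example.test');
  // In practice only the owner of the new mailbox sees this code.
  final code = svc.outbox.last.split('code=').last;
  final wrong = code == '000000' ? '000001' : '000000';
  try {
    svc.completeEmailUpdate('u1', wrong);
  } on InvalidCode catch (e) {
    print(e); // InvalidCode
  }
  svc.completeEmailUpdate('u1', code);
  print(users['u1']); // new@example.test

  // A second user cannot claim an address that is already in use.
  try {
    svc.initiateEmailUpdate('u2', 'new@example.test');
  } on EmailTaken catch (e) {
    print(e); // EmailTaken: new@example.test
  }
}
```

Run with `dart run` on the file. The clock is injected so an expiry test can move time forward without sleeping; in a real service the pending record would live in the database rather than in a map, and the re-check at completion should run inside the same transaction as the write.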
Refactored the custom user updater to correctly handle a full `User` object in the request body, aligning with the `DataRepository` contract and fixing the `500` error seen by the client. The new logic performs a state comparison:
- It deserializes the incoming request body into a `User` object.
- It compares this object against the pre-fetched user from the database to identify which fields have changed.
- It verifies that only permitted fields (`appRole`/`dashboardRole` for admins, `feedDecoratorStatus` for users) have been modified.
- If validation passes, it proceeds with the update using the full `User` object from the request.
This fixes the bug while maintaining security and architectural consistency.
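The state-comparison check described in the two updater commits above, as an added example in Dart. It is not the project's updater: the `User` fields, the `CallerRole` enum, the `ForbiddenUpdate` exception and the `validateUserUpdate` function are all constructed for the example, and the allowed-field sets are taken from the commit messages. The point it shows is the one the review comment praises: diffing the full incoming object against the stored row means any field the caller is not permitted to change is rejected, whichever fields the request happens to include.

```dart
// Added example, not project code: permission-aware update of a `user`
// record by comparing the incoming object with the stored one.

enum CallerRole { admin, user }

class User {
  final String id;
  final String email;
  final String appRole;
  final String dashboardRole;
  final String feedDecoratorStatus;

  const User({
    required this.id,
    required this.email,
    required this.appRole,
    required this.dashboardRole,
    required this.feedDecoratorStatus,
  });

  // Field map used to diff two objects. Every persisted field must appear
  // here, otherwise a change to it would slip past the check below.
  Map<String, Object?> toFields() => {
        'id': id,
        'email': email,
        'appRole': appRole,
        'dashboardRole': dashboardRole,
        'feedDecoratorStatus': feedDecoratorStatus,
      };
}

class ForbiddenUpdate implements Exception {
  final String reason;
  ForbiddenUpdate(this.reason);
  @override
  String toString() => 'ForbiddenUpdate: $reason';
}

// Fields each caller class may change through this endpoint (from the
// commit messages); anything else is rejected.
const Set<String> adminUpdatable = {'appRole', 'dashboardRole'};
const Set<String> ownerUpdatable = {'feedDecoratorStatus'};

// Names of the fields whose values differ between the two objects.
Set<String> changedFields(User stored, User incoming) {
  final before = stored.toFields();
  final after = incoming.toFields();
  return {
    for (final key in before.keys)
      if (before[key] != after[key]) key,
  };
}

// Returns the object to hand to the repository's update, or throws.
// `stored` is the pre-fetched database row; `incoming` is the full User
// deserialized from the request body.
User validateUserUpdate({
  required User stored,
  required User incoming,
  required String callerId,
  required CallerRole callerRole,
}) {
  if (incoming.id != stored.id) {
    throw ForbiddenUpdate('body id does not match the target record');
  }
  final Set<String> allowed;
  if (callerRole == CallerRole.admin) {
    allowed = adminUpdatable;
  } else {
    if (callerId != stored.id) {
      throw ForbiddenUpdate('regular users may only update their own record');
    }
    allowed = ownerUpdatable;
  }
  final disallowed = changedFields(stored, incoming).difference(allowed);
  if (disallowed.isNotEmpty) {
    throw ForbiddenUpdate('fields not updatable here: ${disallowed.join(', ')}');
  }
  return incoming;
}

void main() {
  // Constructed sample row.
  const stored = User(
    id: 'u1',
    email: 'a@example.test',
    appRole: 'standard',
    dashboardRole: 'none',
    feedDecoratorStatus: 'on',
  );

  // An admin changes only dashboardRole: accepted.
  const promoted = User(
    id: 'u1',
    email: 'a@example.test',
    appRole: 'standard',
    dashboardRole: 'admin',
    feedDecoratorStatus: 'on',
  );
  final ok = validateUserUpdate(
      stored: stored, incoming: promoted, callerId: 'admin-1', callerRole: CallerRole.admin);
  print(ok.dashboardRole); // admin

  // The owner changes feedDecoratorStatus but the body also carries a
  // different dashboardRole: rejected, and the offending field is named.
  const tampered = User(
    id: 'u1',
    email: 'a@example.test',
    appRole: 'standard',
    dashboardRole: 'admin',
    feedDecoratorStatus: 'off',
  );
  try {
    validateUserUpdate(
        stored: stored, incoming: tampered, callerId: 'u1', callerRole: CallerRole.user);
  } on ForbiddenUpdate catch (e) {
    print(e); // ForbiddenUpdate: fields not updatable here: dashboardRole
  }
}
```

Run with `dart run` on the file. The diff is computed over `toFields()`, so the allow-list is enforced against the object as a whole rather than against whatever keys the client chose to send; that is what makes the check immune to extra fields in the body. Keeping `toFields()` in sync with the persisted schema is the maintenance burden this design carries.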
Summary of Changes
Hello @fulleni, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request refactors the user management capabilities within the generic data API to improve security, clarify service responsibilities, and enhance the user update experience. It centralizes user creation and deletion to the authentication service and implements a robust, permission-aware update handler for user profiles, ensuring that only authorized fields can be modified by specific roles. Additionally, a secure, multi-step email update process has been added to the authentication service.
Code Review
This pull request is a significant and well-executed refactoring of user management capabilities. Moving user creation and deletion out of the generic data API and into the AuthService clarifies the separation of concerns. The new implementation for updating user data is much more secure and robust, effectively preventing mass assignment vulnerabilities by comparing object states. The addition of a secure, two-step email update process is also a great enhancement. I've found a couple of areas for improvement: one is a misleading comment, and the other is a potential race condition in the new email update logic. Overall, these are excellent changes that improve the security and maintainability of the codebase.