fix: block normal users from viewing secret dataset API keys#28515
fix: block normal users from viewing secret dataset API keys#28515honjo-hiroaki-gtt wants to merge 10 commits intolanggenius:mainfrom
Conversation
dosubot
bot
added
the
size:M
Summary of ChangesHello @honjo-hiroaki-gtt, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances security by implementing robust access control for secret API keys. It introduces both backend and frontend changes to ensure that only authorized users (specifically workspace editors or dataset operators for dataset API keys, and workspace editors for general secret keys) can view or generate these sensitive credentials. This prevents normal users or viewers from accessing API key information, thereby aligning the user interface with the new, stricter access policies. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds permission checks for viewing API keys, a crucial security enhancement. For datasets, it restricts access to editors and dataset operators, while for other resources like apps, it limits access to editors. The UI is updated accordingly to hide API key management from unauthorized users. The implementation is mostly correct, but I've found a critical security vulnerability: the new permission checks only apply to listing keys (GET), while creating (POST) and deleting (DELETE) keys seem to be unprotected. I've also added a suggestion to improve the code's readability.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
…taset-apikey-visibility # Conflicts: # api/controllers/console/apikey.py
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request effectively addresses the security concern of unauthorized access to dataset API keys. The backend changes correctly implement role-based access control for API key operations, ensuring that only users with appropriate permissions can view, create, or delete them. The frontend changes align with this by conditionally rendering the UI elements related to API key management, which improves the user experience by not showing options that are not available to them. The implementation is solid and follows best practices. I have one suggestion to improve the naming of a variable in the frontend for better code clarity and maintainability.
| const [isSecretKeyModalVisible, setIsSecretKeyModalVisible] = useState(false) | ||
|
|
||
| const isCurrentWorkspaceManager = useAppContextSelector(state => state.isCurrentWorkspaceManager) | ||
| const isDatasetApiKeyVisible = useAppContextSelector(state => state.isCurrentWorkspaceEditor || state.isCurrentWorkspaceDatasetOperator) |
There was a problem hiding this comment.
For better code clarity and maintainability, consider renaming isDatasetApiKeyVisible to something that more accurately reflects the permission being checked, such as canManageDatasetApiKeys. This name aligns better with the concept of checking a user's role for managing API keys, rather than just controlling UI visibility. You would need to update its usages in this file as well.
Additionally, the logic state.isCurrentWorkspaceEditor || state.isCurrentWorkspaceDatasetOperator is equivalent to the backend's is_dataset_editor permission. It would be ideal to encapsulate this logic within the AppContext as a single selector, for example isCurrentWorkspaceDatasetEditor, to promote reusability and keep permission logic centralized.
| const isDatasetApiKeyVisible = useAppContextSelector(state => state.isCurrentWorkspaceEditor || state.isCurrentWorkspaceDatasetOperator) | |
| const canManageDatasetApiKeys = useAppContextSelector(state => state.isCurrentWorkspaceEditor || state.isCurrentWorkspaceDatasetOperator) |
There was a problem hiding this comment.
@gemini-code-assist
Thanks for the feedback! I’ve renamed the variable to canManageDatasetApiKeys and added the centralized selector isCurrentWorkspaceDatasetEditor in AppContext to align the permission check. Changes are pushed—could you take another look?
/gemini review
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request effectively restricts access to dataset API keys for users with normal/viewer roles, both on the backend and frontend. The changes are well-aligned with the goal of enhancing security. The backend logic correctly enforces permissions for creating, viewing, and deleting API keys based on user roles and resource type. The frontend conditionally renders UI elements for API key management, providing a consistent user experience.
I've included a couple of suggestions to improve code maintainability and readability. One is to refactor a new permission flag in the React context to be more declarative and avoid repeating logic. The other points out some code duplication in the Python backend's new permission-checking methods, which could be consolidated to prevent potential inconsistencies in the future.
| def _has_permission(self, user): | ||
| if self.resource_type == "dataset": | ||
| return user.is_dataset_editor | ||
| return user.is_admin_or_owner |
There was a problem hiding this comment.
This _has_permission method is very similar to the one in BaseApiKeyListResource on line 55. This duplication could lead to maintenance issues in the future (e.g., if permission logic for datasets changes, it would need to be updated in two places). Consider refactoring to a shared utility function to centralize the permission logic.
There was a problem hiding this comment.
@gemini-code-assist
Thanks for the suggestion! I’ve centralized the dataset permission check into _has_dataset_permission and now both BaseApiKeyListResource and BaseApiKeyResource call it, removing the duplicated logic. Changes are pushed. Please take another look.
There was a problem hiding this comment.
That's an excellent solution! Centralizing the _has_dataset_permission function and having both BaseApiKeyListResource and BaseApiKeyResource utilize it effectively removes the duplication and improves maintainability, as suggested. The changes look good.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request aims to restrict access to dataset API keys. The backend changes in api/controllers/console/apikey.py introduce a new permission model for API key access, which is a good step towards centralized authorization logic. The frontend changes in web/app/components/datasets/extra-info/service-api/card.tsx and web/context/app-context.tsx correctly implement the UI restrictions for dataset API keys.
However, I've found a couple of issues where the changes also affect API key flows for applications, which contradicts the PR description's statement that 'other API key flows [are] unchanged'. My review includes suggestions to address these inconsistencies. Please review them and clarify the intended scope of this PR.
api/controllers/console/apikey.py
Outdated
| if not self._has_permission(current_user): | ||
| raise Forbidden() |
There was a problem hiding this comment.
This permission check introduces a new restriction on listing API keys for non-dataset resources (e.g., apps), requiring edit permissions where none were needed before. This contradicts the PR's goal of leaving 'other API key flows unchanged'.
For the get method, the permission check should only apply to datasets to maintain existing behavior for other resources.
| if not self._has_permission(current_user): | |
| raise Forbidden() | |
| if self.resource_type == "dataset" and not _has_dataset_permission(current_user): | |
| raise Forbidden() |
There was a problem hiding this comment.
@gemini-code-assist
Thanks for catching that. I reverted the new restriction so the GET permission check now applies only to datasets and leaves other resources unchanged. Changes are pushed. Please recheck.
There was a problem hiding this comment.
Thank you for the update! I've reviewed the changes in api/controllers/console/apikey.py, and the permission check for the get method now correctly applies only to datasets, aligning with the original behavior for other resources. This resolves the issue. Well done!
| if (!isCurrentWorkspaceEditor) | ||
| return null |
There was a problem hiding this comment.
This change restricts access to app API keys to workspace editors. This is a change to the app API key flow, which the PR description states should be 'unchanged'. If this change is intended, the PR description should be updated to reflect the expanded scope. Otherwise, this check should be removed to preserve the existing behavior for app API keys.
There was a problem hiding this comment.
@gemini-code-assist
Good point. I removed the workspace-editor gate from the app secret key button to preserve the previous app API key flow. Updated code is pushed. Please take another look.
There was a problem hiding this comment.
Thanks for confirming the fix, @honjo-hiroaki-gtt. I've reviewed the updated code and it looks good.
2 participants
Summary
Fixes #28514.
Screenshots
Checklist
dev/reformat(backend) andcd web && npx lint-staged(frontend) to appease the lint gods