@adobe/helix-config-storage 1.15.4 → 2.0.1

package/CHANGELOG.md

@@ -1,3 +1,28 @@
+## [2.0.1](https://github.com/adobe/helix-config-storage/compare/v2.0.0...v2.0.1) (2025-03-03)
+
+
+### Bug Fixes
+
+* add review environment, popover and badges ([8a85edd](https://github.com/adobe/helix-config-storage/commit/8a85eddd7af9162b533eedefa479b744a792e072))
+* dependentRequired ([88d54ce](https://github.com/adobe/helix-config-storage/commit/88d54ce7c52c2a4ff3c49fd3b3870066f7360ec1))
+
+# [2.0.0](https://github.com/adobe/helix-config-storage/compare/v1.15.4...v2.0.0) (2025-03-03)
+
+
+### Bug Fixes
+
+* tetss ([2d6c782](https://github.com/adobe/helix-config-storage/commit/2d6c782e7685416fe329608254a763b48b2c2102))
+
+
+### Features
+
+* add access control around features, limits and modifying admin roles ([c3d4a20](https://github.com/adobe/helix-config-storage/commit/c3d4a2005fdc9f580e0149198bdc02ac0af7f17a))
+
+
+### BREAKING CHANGES
+
+* modifying access control needs 'isAdmin' flag to be set
+
 ## [1.15.4](https://github.com/adobe/helix-config-storage/compare/v1.15.3...v1.15.4) (2025-02-25)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-config-storage",
-  "version": "1.15.4",
+  "version": "2.0.1",
   "description": "Helix Config Storage",
   "main": "src/index.js",
   "types": "src/index.d.ts",

package/src/config-store.js

@@ -23,6 +23,7 @@ import {
 } from './utils.js';
 import { validate as validateSchema } from './config-validator.js';
 import { getMergedConfig } from './config-merge.js';
+import { ValidationError } from './ValidationError.js';
 
 const FRAGMENTS_COMMON = {
   content: 'object',
@@ -300,6 +301,28 @@ export class ConfigStore {
       ? `/orgs/${org}/${name || 'config'}.json`
       : `/orgs/${org}/${type}/${name}.json`;
     this.now = new Date();
+    this.isAdmin = false;
+    this.isOps = false;
+  }
+
+  /**
+   * Controls if setting the admin role is allowed.
+   * @param {boolean} v
+   * @returns {ConfigStore} this
+   */
+  withAllowAdmin(v) {
+    this.isAdmin = v;
+    return this;
+  }
+
+  /**
+   * Controls if setting ops related properties, like features and limits are allowed.
+   * @param {boolean} v
+   * @returns {ConfigStore} this
+   */
+  withAllowOps(v) {
+    this.isOps = v;
+    return this;
   }
 
   /**
@@ -370,6 +393,62 @@ export class ConfigStore {
     return validateSchema(data, this.type);
   }
 
+  /**
+   * Checks if the permissions allow to update the config.
+   * @param {AdminConfig} ctx
+   * @param {object} oldConfig
+   * @param {object} newConfig
+   * @returns {Promise<void>}
+   */
+  async validatePermissions(ctx, oldConfig, newConfig) {
+    // prevent setting the ops role
+    if (newConfig.access?.admin?.role?.ops) {
+      throw new ValidationError('invalid role: ops');
+    }
+    // ops can do everything
+    if (this.isOps) {
+      return;
+    }
+    // required admin to set admin role
+    if (!this.isAdmin) {
+      if (this.type === 'org') {
+        const getAdmins = (users) => users
+          .filter((user) => user.roles.includes('admin'))
+          .map((user) => user.email)
+          .sort((a, b) => a.localeCompare(b));
+        // get the users with the admin role
+        const oldAdmins = getAdmins(oldConfig?.users ?? []);
+        const newAdmins = getAdmins(newConfig?.users ?? []);
+        if (oldAdmins.join() !== newAdmins.join()) {
+          throw new StatusCodeError(403, 'not allowed to modify admin role');
+        }
+      } else {
+        // check for changed admin roles
+        const oldAdmins = (oldConfig?.access?.admin?.role?.admin || [])
+          .sort((a, b) => a.localeCompare(b));
+        const newAdmins = (newConfig?.access?.admin?.role?.admin || [])
+          .sort((a, b) => a.localeCompare(b));
+        if (oldAdmins.join() !== newAdmins.join()) {
+          throw new StatusCodeError(403, 'not allowed to modify admin role');
+        }
+      }
+    }
+
+    // check for changed features or limits
+    if (this.type !== 'org') {
+      const oldFeatures = oldConfig?.features ?? {};
+      const newFeatures = newConfig?.features ?? {};
+      if (!isDeepStrictEqual(oldFeatures, newFeatures)) {
+        throw new StatusCodeError(403, 'not allowed to modify features');
+      }
+      const oldLimits = oldConfig?.limits ?? {};
+      const newLimits = newConfig?.limits ?? {};
+      if (!isDeepStrictEqual(oldLimits, newLimits)) {
+        throw new StatusCodeError(403, 'not allowed to modify limits');
+      }
+    }
+  }
+
   async create(ctx, data, relPath = '') {
     if (relPath) {
       throw new StatusCodeError(409, 'create not supported on substructures.');
@@ -396,6 +475,7 @@ export class ConfigStore {
     this.#updateTimeStamps(data);
     const config = await this.getAggregatedConfig(ctx, data);
     await this.validate(ctx, config);
+    await this.validatePermissions(ctx, {}, config);
     await storage.put(this.key, JSON.stringify(data), 'application/json');
     await this.purge(ctx, null, config);
   }
@@ -576,6 +656,7 @@ export class ConfigStore {
     }
 
     await this.validate(ctx, newConfig);
+    await this.validatePermissions(ctx, oldConfig, newConfig);
     await storage.put(this.key, JSON.stringify(config), 'application/json');
     await this.purge(ctx, oldConfig, newConfig);
     return ret ?? redact(data, frag);

package/src/schemas/sidekick.schema.json

@@ -26,7 +26,7 @@
           "type": "array",
           "items": {
             "type": "string",
-            "enum": ["any", "dev", "admin", "edit", "preview", "live", "prod"]
+            "enum": ["any", "dev", "admin", "edit", "preview", "live", "prod", "review"]
           },
           "description": "The environments to display this plugin in",
           "default": "any"
@@ -69,6 +69,14 @@
           "type": "string",
           "description": "he dimensions and position of a palette box"
         },
+        "isPopover": {
+          "type": "boolean",
+          "description": "Opens the URL in a popover instead of a new tab"
+        },
+        "popoverRect": {
+          "type": "string",
+          "description": "The dimensions of a popover, delimited by a semicolon (width, height)"
+        },  
         "titleI18n": {
           "type": "object",
           "description": "The button text in other supported languages",
@@ -88,6 +96,30 @@
         "passReferrer": {
           "type": "boolean",
           "description": "Append the referrer URL as a query param on new URL button click"
+        },
+        "isBadge": {
+          "type": "boolean",
+          "description": "Opens the URL in a palette instead of a new tab"
+        },
+        "badgeVariant": {
+          "type": "string",
+          "description": "The variant of the badge following the Adobe Spectrum badge variants",
+          "enum": [
+            "gray",
+            "red",
+            "orange",
+            "yellow",
+            "chartreuse",
+            "celery",
+            "green",
+            "seafoam",
+            "cyan",
+            "blue",
+            "indigo",
+            "purple",
+            "fuchsia",
+            "magenta"
+          ]
         }
       },
       "required": [
@@ -95,7 +127,10 @@
       ],
       "dependentRequired": {
         "isPalette": ["url"],
-        "paletteRect": ["isPalette"]
+        "paletteRect": ["isPalette"], 
+        "isPopover": ["url"],
+        "popoverRect": ["isPopover"], 
+        "badgeVariant": ["isBadge"]
       }
     }
   },