Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (7)
📝 WalkthroughWalkthroughThis PR enforces that Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
View Vercel preview at instant-www-js-sm-extra-fields-jsv.vercel.app. |
| :new-data user-data})))))) | ||
| :new-data user-data}))) | ||
|
|
||
| has-extra-fields? |
There was a problem hiding this comment.
I wonder if we really need this distinction.
I get that it could be a surprise to users, but I also feel it's surprising that the presence or absence of extraFields changes the create rule.
cc @dwwoelfel for thoughts too
2 participants
The
$userscreate permission check used the standard rule resolution path, which falls through to$defaultrules before reaching the$usersfallback. Apps with$defaultdeny-all rules (common pattern) had guest auth and other signup flows rejected because the$defaultrule was evaluated instead of the intended$userscreate fallback.Tests
Added tests for
$defaultand the extraFields-without-rule behavior. Also updated extraFields tests to set a create rule since they now require one.Backend changes
Changed
assert-create-permission!to only check the explicit$users.allow.createrule, skipping$defaultpaths entirely. New default user auth logic is:extraFieldssupplied: false (prevents unvalidated writes)extraFields: trueDocs/rules
Added a note in the users doc and instant-rules about
extraFieldsrequiring an explicit create rule.