fix(devices): address cubic review on device-import display (#3308) #3311
Merged
…3308)

- agent-devices + fleet-hosts routes: enforce RBAC with requireApiPermission (member:read, matching the People page) instead of a session-only check, so the device/integration data can't be read by an active-org session that lacks people access (P1)
- CSV export: use the shared isComplianceTracked() so Fleet devices aren't wrongly marked "not_tracked"/"n/a" — keeps CSV consistent with the UI (P2)
- DRY: move shared device presentation helpers (PLATFORM_LABELS, CHECK_FIELDS, formatTimeAgo, isDeviceOnline, stale + not-tracked copy) into device-source, and a shared NotTrackedBadge — used by both the list and details views (P3)
- Source filter: key options by a stable source id (sourceKey) instead of the display label, so two providers sharing a name don't collapse into one (P3)

Tests: devices suite + agent-devices route (81) green; typecheck clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015iDU78gxNH9Wp9sex1BDLS
🎉 This PR is included in version 3.94.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Addresses the cubic findings on the Production Deploy PR #3308 (all on the device-import display work from #3305).
Fixes
- api/people/agent-devices (and its twin api/people/fleet-hosts) only checked for an active session, so any authenticated member of an org could fetch all org device + integration data regardless of role. Both now use requireApiPermission(req, 'member', 'read') — the same contract as the People area (requireRoutePermission('people')).
- not_tracked/n/a because it used source === 'device_agent' directly. Switched to the shared isComplianceTracked() so the CSV matches the rest of the UI (only integration imports are untracked).
- PLATFORM_LABELS, CHECK_FIELDS, formatTimeAgo, isDeviceOnline, stale + not-tracked copy) into lib/device-source, and extracted a shared NotTrackedBadge — used by both the list (DeviceListCells) and details (DeviceDetails) views so copy/labels/thresholds can't drift.
- sourceKey (device_agent/fleet/integration:<slug>), label shown separately.

Notes

- fleet-hosts wasn't flagged (not in feat(devices): show integration-imported devices in People tab + Intune/JumpCloud device sync #3305's diff) but has the identical RBAC gap next to the fixed route, so it's guarded here too.
- agent-devices route test (81 total) pass; typecheck clean on all changed files.

🤖 Generated with Claude Code
Summary by cubic
Tightened API access and fixed device-import display issues. RBAC now matches People permissions, CSV tracking is consistent with the UI, and the source filter no longer merges providers.
Bug Fixes
Refactors
Written for commit 9056d1b. Summary will update on new commits.
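The P1 fix described in the PR description above, modelled as an added example that is not part of the PR or the project's code: a session-only route next to one gated on the `member:read` permission. The roles, grant table, device data and the `denyUnlessPermitted` helper are assumptions made for illustration; only the `('member', 'read')` pair comes from the page.

```typescript
// Constructed model of the two guards. Only the ('member', 'read') pair
// comes from the PR; roles, grants and data below are assumptions.
type Role = 'admin' | 'restricted';
interface Session { userId: string; activeOrgId: string; role: Role }
interface ApiRequest { session: Session | null }
interface ApiResponse { status: number; devices: string[] }

// Hypothetical role -> permission grants.
const GRANTS: Record<Role, string[]> = {
  admin: ['member:read', 'member:update'],
  restricted: [],
};
// Constructed per-org device inventory.
const DEVICES: Record<string, string[]> = { org_1: ['laptop-a', 'laptop-b'] };

function listDevices(orgId: string): string[] {
  return DEVICES[orgId] ?? [];
}

// Before: an active-org session is the only requirement.
function sessionOnlyRoute(req: ApiRequest): ApiResponse {
  if (!req.session || !req.session.activeOrgId) return { status: 401, devices: [] };
  return { status: 200, devices: listDevices(req.session.activeOrgId) };
}

// Stand-in guard: returns a denial response, or null when the call may proceed.
// Roles missing from GRANTS get no permissions (fail closed).
function denyUnlessPermitted(req: ApiRequest, resource: string, action: string): ApiResponse | null {
  if (!req.session || !req.session.activeOrgId) return { status: 401, devices: [] };
  const grants = GRANTS[req.session.role] ?? [];
  return grants.indexOf(`${resource}:${action}`) >= 0 ? null : { status: 403, devices: [] };
}

// After: the same permission the People area requires gates the device data.
function rbacRoute(req: ApiRequest): ApiResponse {
  const denied = denyUnlessPermitted(req, 'member', 'read');
  if (denied || !req.session) return denied ?? { status: 401, devices: [] };
  return { status: 200, devices: listDevices(req.session.activeOrgId) };
}

// Constructed requests: same org, different roles.
const asAdmin: ApiRequest = { session: { userId: 'u1', activeOrgId: 'org_1', role: 'admin' } };
const asRestricted: ApiRequest = { session: { userId: 'u2', activeOrgId: 'org_1', role: 'restricted' } };

console.log(sessionOnlyRoute(asRestricted).status, rbacRoute(asRestricted).status);
```

A route test that calls the handler with a session lacking `member:read` and expects 403 with an empty body is the regression check that keeps a sibling route such as fleet-hosts from silently falling back to a session-only guard.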