Skip to content

Fix country dashboard sharing: restrict access to project users/groups#581

Open
Ramon-Jimenez wants to merge 9 commits intodevelopmentfrom
fix/country-dashboard-sharing
Open

Fix country dashboard sharing: restrict access to project users/groups#581
Ramon-Jimenez wants to merge 9 commits intodevelopmentfrom
fix/country-dashboard-sharing

Conversation

@Ramon-Jimenez
Copy link
Copy Markdown
Contributor

@Ramon-Jimenez Ramon-Jimenez commented Apr 16, 2026
edited
Loading

Summary

  • Country dashboards were set to public read+write (rw------), allowing any user to see and edit all country dashboards regardless of their project assignments.
  • Changed CountryDashboard.getSharing() to set publicAccess: "--------" and restrict access to the aggregated users and user groups from all projects within that country — matching the pattern already used by project dashboards via ProjectSharing.
  • Added migration task 10 to regenerate all existing country dashboards with the corrected sharing settings.

Closes ClickUp task: #869cxxxvv

Test plan

  • All existing tests pass (48/48)
  • Test fixture updated to reflect new sharing structure
  • Verify on a DHIS2 instance that country dashboards are no longer visible to users without project assignments in that country
  • Verify that users with project assignments in a country can still see the country dashboard
  • Run migration 10 on a test instance and confirm existing dashboards are updated

🤖 Generated with Claude Code

@Ramon-Jimenez @claude
fix country dashboard sharing: restrict access to project users/groups
5f81770 
Country dashboards were set to public read+write access (rw------),
allowing any user to see all country dashboards regardless of their
project assignments. Now sharing is restricted to the aggregated
users and user groups from all projects within the country, matching
the pattern already used by project dashboards via ProjectSharing.

Adds migration 10 to regenerate all existing country dashboards with
the corrected sharing settings.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@bundlemon
Copy link
Copy Markdown

bundlemon Bot commented Apr 16, 2026
edited
Loading

BundleMon

No change in files bundle size

Groups updated (1)
Status Path Size Limits
Build Folder
./**/*
 5.5MB (+2.46KB +0.04%) +20%

Final result: ✅

View report in BundleMon website ➡️

Current branch size history | Target branch size history

@Ramon-Jimenez Ramon-Jimenez requested a review from eperedo April 16, 2026 12:04
eperedo
eperedo approved these changes Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@eperedo eperedo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, but the migration will take a lot of time. Check my comment for further details

Comment thread src/migrations/tasks/10.fix-country-dashboard-sharing.ts Outdated
const config = await getConfig(api);
const projectIds = await getProjectIds(api, config, debug);
debug(`Projects count: ${projectIds.length}`);
await saveProjectDashboards(api, config, debug, projectIds);
Copy link
Copy Markdown
Contributor

@eperedo eperedo Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This migration is working, but it'll take a lot of time (about 2.5 hours) because it's fetching all the projects (including all the metadata related to these) and then updating the new permissions for all the dashboards.

@eperedo
Copy link
Copy Markdown
Contributor

eperedo commented Apr 19, 2026

I've added the script:

npx tsx src/scripts/fix-country-dashboard-sharing.ts --url http://domain.com --auth="user:password"

By default it'll run in dry-run mode. To persist changes to the server add the --persist flag

npx tsx src/scripts/fix-country-dashboard-sharing.ts --url http://domain.com --auth="user:password" --persist

It take around 2 minutes to update all the country dashboards.

@Ramon-Jimenez Ramon-Jimenez marked this pull request as ready for review April 23, 2026 08:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eperedo eperedo eperedo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Ramon-Jimenez @eperedo