Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## channels #4445 +/- ##
============================================
+ Coverage 89.38% 89.44% +0.06%
============================================
Files 435 437 +2
Lines 20392 20650 +258
============================================
+ Hits 18227 18471 +244
- Misses 2165 2179 +14
- Add `get_channel_stats_for_project/1` context function returning total channels and requests in a single LEFT JOIN query
- Render a 2-card metrics grid (Total Channels / Total Requests) above the channel table on the index page
- Fix delete confirmation: replace `phx-confirm` (silently dropped by the `<.button>` global-attrs whitelist) with `data-confirm`
- Move "Create one in project settings" links inline with section titles in the form, always visible regardless of list emptiness
- Add context unit tests for `get_channel_stats_for_project/1`
- Add LiveView tests: stats cards, delete confirm attribute, settings links always visible, pre-selected auth methods, and a remove/keep/add auth method scenario
|
|
||
| defp apply_action(socket, :edit, %{"id" => id}) do | ||
| if socket.assigns.can_create_channel do | ||
| channel = Channels.get_channel!(id, include: [:channel_auth_methods]) |
We need to scope by project as well, the only check for the project's scope is on mount - you would be able to inject a different id in here and skip the checks.
| %{"channel_state" => enabled?, "value_key" => channel_id}, | ||
| socket | ||
| ) do | ||
| channel = Channels.get_channel!(channel_id) |
Same here, we aren't checking permissions here against the project. Even if the input/calling html is disabled, a crafted WS message could bypass security.
| <.td class="text-right"> | ||
| <div class="flex items-center justify-end gap-2"> | ||
| <.link | ||
| :if={@can_delete_channel} |
We've got `@can_create_channel` being used for `apply_action(socket, :edit, ...)` and `@can_delete_channel` here on the template. Even if those permissions are the same, we should either pick one or make a `@can_edit...` and make sure we are consistent.
| end | ||
| end | ||
|
|
||
| defp save_channel(socket, :edit, params) do |
We need some kind of check here and above as well for permissions.
- Add :update_channel permission to ProjectUsers policy
- Add Channels.get_channel_for_project/2 to scope fetches to the current project in a single query
- Add server-side authorization checks to toggle and delete handlers
- Fix apply_action(:edit) to check can_edit_channel, not can_create_channel
- Gate the enabled toggle on can_edit_channel in the template
- Fix merge_selections/2 truthy semantics bug (|| on booleans)
- Use to_form/1 for the changeset in the form component
- Refactor toggle/delete handlers with with and private helpers
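The project scoping and server-side permission check raised in the review comments above, shown as an added example that is not code from this PR. An in-memory list stands in for the database; the module name, the argument order of `get_channel_for_project/2`, the `toggle/2` helper and all data are assumptions constructed for illustration.

```elixir
# Added illustration: in-memory stand-in for the Ecto-backed context (data is constructed).
defmodule ScopedChannels do
  @channels [
    %{id: "c1", project_id: "p1", enabled: true},
    %{id: "c2", project_id: "p2", enabled: true}
  ]

  # Unscoped lookup: any id the client sends resolves, whatever project owns it.
  def get_channel!(id), do: Enum.find(@channels, &(&1.id == id)) || raise("not found")

  # Scoped lookup: id and project must both match, so a channel from another
  # project is indistinguishable from one that does not exist.
  def get_channel_for_project(project_id, id) do
    Enum.find(@channels, &(&1.id == id and &1.project_id == project_id))
  end

  # Hypothetical toggle handler body. `assigns` is server-side state set on mount;
  # `params` is whatever arrived over the WebSocket and is never trusted.
  def toggle(assigns, %{"channel_state" => enabled?, "value_key" => channel_id}) do
    with :ok <- authorize(assigns.can_edit_channel),
         %{} = channel <- get_channel_for_project(assigns.project_id, channel_id) do
      {:ok, %{channel | enabled: enabled?}}
    else
      {:error, :unauthorized} -> {:error, :unauthorized}
      nil -> {:error, :not_found}
    end
  end

  defp authorize(true), do: :ok
  defp authorize(_), do: {:error, :unauthorized}
end

editor_p1 = %{project_id: "p1", can_edit_channel: true}
viewer_p1 = %{project_id: "p1", can_edit_channel: false}
own = %{"channel_state" => false, "value_key" => "c1"}
foreign = %{"channel_state" => false, "value_key" => "c2"}

# The unscoped fetch returns project p2's channel regardless of the caller's project.
%{project_id: "p2"} = ScopedChannels.get_channel!("c2")
# With scoping and authorization in the handler, only the session's own channel changes.
{:ok, %{id: "c1", enabled: false}} = ScopedChannels.toggle(editor_p1, own)
{:error, :not_found} = ScopedChannels.toggle(editor_p1, foreign)
{:error, :unauthorized} = ScopedChannels.toggle(viewer_p1, own)
IO.puts("all checks passed")
```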
Allow configuring LiveDebugger's bind address and external URL for remote/container access via optional env vars in dev mode.
Channel requests and snapshots have foreign keys that must be cleared before their parent channels and projects are deleted.
The %Channel{id: nil} struct is truthy, so the && short-circuit
produced "edit-channel-" instead of falling through to :new. Add
an explicit check on selected_channel.id.
Description
Channels CRUD UI. The channels menu item is only shown if you have enabled experimental features.
Things yet to do:
Closes #4407
Closes #4400
Validation steps
AI Usage
Please disclose whether you've used AI anywhere in this PR (it's cool, we just
want to know!):
You can read more details in our
Responsible AI Policy
Pre-submission checklist
`/review` with Claude Code)
(e.g., `:owner`, `:admin`, `:editor`, `:viewer`)