Handle global filter in routes #661
Conversation
There was a problem hiding this comment.
Pull request overview
This PR implements global filter handling in routes by adding a filterKey parameter to all Sharp routes. The filter key is used to maintain global filter state through URL parameters instead of session storage, enabling better support for multi-tenancy and URL-based filter state management.
Key Changes:
- Route restructuring: All Sharp routes now include a
filterKeyparameter (e.g.,/sharp/root/s-list/personinstead of/sharp/s-list/person) - Middleware addition: New
HandleGlobalFiltersmiddleware extracts filter values from URL and sets URL defaults - Filter state management: Global filters now store state in-memory per request rather than in session
- Test infrastructure: Unit tests now require
URL::defaults()setup to handle the new route parameter
Reviewed changes
Copilot reviewed 62 out of 64 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| src/routes/web.php | Added filterKey parameter to all web routes and redirect routes for backward compatibility |
| src/routes/api.php | Added filterKey parameter to API routes for embedded entity lists and dashboards |
| src/Http/Middleware/HandleGlobalFilters.php | New middleware that parses filterKey from URL and sets current filter values |
| src/Http/Context/SharpContext.php | Added globalFilterUrlSegmentValue() method to build filterKey URL segment |
| src/Http/Context/SharpBreadcrumb.php | Updated to include filterKey in breadcrumb URLs and skip it when parsing segments |
| src/Filters/GlobalRequiredFilter.php | Changed from session-based to in-memory filter value storage |
| src/Filters/GlobalFilters/GlobalFilters.php | Added defaultKey and valuesUrlSeparator static properties |
| src/Http/Controllers/*.php | Updated all controller methods to accept filterKey parameter |
| src/Data/Show/ShowConfigData.php | Added formEditUrl property to show config |
| src/Config/SharpConfigBuilder.php | Added HandleGlobalFilters middleware to common middleware stack |
| tests/Pest.php | Added URL::defaults setup for unit tests |
| tests/Unit/Utils/FakesBreadcrumb.php | Updated to skip filterKey when parsing URL segments |
| resources/js/utils/url.ts | Removed getAppendableParentUri() function (no longer needed) |
| resources/js/show/Show.ts | Removed formUrl getter (now provided by backend) |
| All test files | Updated test URLs to include /root/ filterKey segment |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| $this->authorizationManager->check('view', $entityKey, $instanceId); | ||
|
|
There was a problem hiding this comment.
DownloadController::show reads files using user-controlled disk and path query parameters (Storage::disk($disk)->get($path)) after only checking for existence. An authenticated user with view access can supply arbitrary values (e.g. disk=local&path=../.env) to download any file accessible to the configured storage disk, potentially exposing environment files, credentials, or other sensitive data. Restrict disk to an explicit allowlist and validate/normalize path against expected directories or model-owned paths before passing it to Storage for read or download.
No description provided.