fix(next): exclude permissions from page response when unauthenticated (#13796)

jacobsfletch · web-flow · commit 8113d3bdef16 · 2025-09-12T20:57:03.000Z
Similar spirit as #13714. Permissions are embedded into the page response, exposing some field names to unauthenticated users. For example, when setting `read: () => false` on a field, that field's name is now included in the response due to its presence in the permissions object. We now search the HTML source directly in the test, similar to "view source" in the browser, which will be much effective at preventing regression going forward. --- - To see the specific tasks where the Asana app for GitHub is being used, see below: - https://app.asana.com/0/0/1211347942663256
diff --git a/packages/next/src/layouts/Root/index.tsx b/packages/next/src/layouts/Root/index.tsx
@@ -122,7 +122,7 @@ export const RootLayout = async ({
           languageCode={languageCode}
           languageOptions={languageOptions}
           locale={req.locale}
-          permissions={permissions}
+          permissions={req.user ? permissions : null}
           serverFunction={serverFunction}
           switchLanguageServerAction={switchLanguageServerAction}
           theme={theme}
diff --git a/test/auth/config.ts b/test/auth/config.ts
@@ -190,8 +190,14 @@ export default buildConfigWithDefaults({
           label: 'Auth Debug',
         },
         {
+          // This is a uniquely identifiable field that we use to ensure it doesn't appear in the page source when unauthenticated
+          // E.g. if the user is authenticated, it will appear in the both the client config
           name: 'shouldNotShowInClientConfigUnlessAuthenticated',
           type: 'text',
+          access: {
+            // Setting this forces the field to show up in the permissions object
+            read: () => true,
+          },
         },
       ],
     },
diff --git a/test/auth/e2e.spec.ts b/test/auth/e2e.spec.ts
@@ -182,13 +182,17 @@ describe('Auth', () => {
         await saveDocAndAssert(page, '#action-save')
       })
 
-      test('should protect the client config behind authentication', async () => {
+      test('should protect field schemas behind authentication', async () => {
         await logout(page, serverURL)
 
-        // This element is absolutely positioned and `opacity: 0`
+        // Inspect the page source (before authentication)
+        const loginPageRes = await page.goto(`${serverURL}/admin/login`)
+        const loginPageSource = await loginPageRes?.text()
+        expect(loginPageSource).not.toContain('shouldNotShowInClientConfigUnlessAuthenticated')
+
+        // Inspect the client config (before authentication)
         await expect(page.locator('#unauthenticated-client-config')).toBeAttached()
 
-        // Search for our uniquely identifiable field name
         await expect(
           page.locator('#unauthenticated-client-config', {
             hasText: 'shouldNotShowInClientConfigUnlessAuthenticated',
@@ -199,13 +203,19 @@ describe('Auth', () => {
 
         await page.goto(serverURL + '/admin')
 
+        // Inspect the client config (after authentication)
         await expect(page.locator('#authenticated-client-config')).toBeAttached()
 
         await expect(
           page.locator('#authenticated-client-config', {
             hasText: 'shouldNotShowInClientConfigUnlessAuthenticated',
           }),
         ).toHaveCount(1)
+
+        // Inspect the page source (after authentication)
+        const dashboardPageRes = await page.goto(`${serverURL}/admin`)
+        const dashboardPageSource = await dashboardPageRes?.text()
+        expect(dashboardPageSource).toContain('shouldNotShowInClientConfigUnlessAuthenticated')
       })
 
       test('should allow change password', async () => {
