Thanks to visit codestin.com
Credit goes to github.com

Skip to content

feat: Add template display name (backend)#4966

Merged
mtojek merged 30 commits into
coder:mainfrom
mtojek:3321-template-space-b
Nov 10, 2022
Merged

feat: Add template display name (backend)#4966
mtojek merged 30 commits into
coder:mainfrom
mtojek:3321-template-space-b

Conversation

@mtojek

@mtojek mtojek commented Nov 9, 2022

Copy link
Copy Markdown
Member

Issue: #3321

This PR adds the display_name template property to the CLI/backend.

I will modify the site code (frontend) in the follow-up PR:

  1. Modify Template Settings form.
  2. Adjust field validation.
  3. Use display_name wherever possible.

If it's unsafe to split the change into 2 PRs, please let me know and I will iterate on this one.

@mtojek mtojek self-assigned this Nov 9, 2022
@mtojek mtojek changed the title feat: Add template display name feat: Add template display name (backend) Nov 9, 2022
@mtojek mtojek requested a review from a team November 9, 2022 14:07
@mtojek mtojek marked this pull request as ready for review November 9, 2022 14:08
@mtojek mtojek requested a review from a team as a code owner November 9, 2022 14:08
@mtojek mtojek requested review from a team and Kira-Pilot and removed request for a team and Kira-Pilot November 9, 2022 14:08

@mafredri mafredri left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good for the most part, had a few questions and suggestions.

Comment thread cli/templateedit.go
Comment thread cli/templateedit_test.go Outdated
Comment thread cli/templateedit_test.go
Comment thread cli/templateedit_test.go Outdated
Comment thread coderd/database/migrations/000072_template_display_name.up.sql Outdated
Comment thread coderd/httpapi/name.go Outdated

@Kira-Pilot Kira-Pilot left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FE ✅

Comment thread cli/templateedit.go
@@ -57,6 +59,7 @@ func templateEdit() *cobra.Command {
}

cmd.Flags().StringVarP(&name, "name", "", "", "Edit the template name")

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think about changing name to slug instead? We could make this naming consistent as well across all objects. This can happen in another PR, just thinking about the API moving forward.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's an interesting idea, let me think loud...

We could define a policy that every database object has a mandatory unique ID, unique slug, and optional display name. Potentially slugs can be used as source data for a global search feature and we won't need to index descriptions, like in OSX cmd+space.

This can happen in another PR, just thinking about the API moving forward.

Yup, I can raise an issue and we can continue the discussion there. Otherwise, it will be scattered across different comments :)

@mtojek mtojek requested a review from mafredri November 10, 2022 09:14
Comment thread coderd/httpapi/name.go Outdated
Comment thread coderd/httpapi/name_test.go Outdated
Comment thread coderd/httpapi/name_test.go Outdated
{"-a1b2c3d4e5f6g7h8i9j0k", false},
{"a1b2c3d4e5f6g7h8i9j0k-", false},
{"BANANAS_wow", false},
{"test--now", false},

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are these not valid for a human readable name? I mean, they're not pretty but a user wants what a user wants.. 😂

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh that's basically because of character set _-. I think that you're right, let's extend the regexp.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I replaced the regexp with a more free form: ^[a-zA-Z0-9](.*[^ ])?$. We can translate it to:

  • must start with a-z, A-Z, 0-9
  • can't end with a space
  • everything in the middle is allowed.

Although, I'm not sure if it's safe enough...

@mafredri mafredri Nov 10, 2022

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need to sanitize the input here, tbh. For instance, what if someone wants for the display name to be a bunch of emojis? Sanitation shouldn't really be a problem in the frontend unless someone is doing something weird with React.

Or what say you @coder/frontend? Is it bad if we don't limit display names to "safe" characters?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For instance, what if someone wants for the display name to be a bunch of emojis?

That is correct, but should preserve the basic sanitation level. For instance: <space><space> or M<space><space><space> doesn't make any logical sense.

unless someone is doing something weird with React.

.. or customers are writing unsafe characters to logs (e.g. audit or access logs). Using emojis and allowing for a wide set of characters may increase the "shellshock" attack risk. This may not be applicable in our case, but still a security concern.

I guess that we perform proper sanitization, so it won't be easy to inject the XSS snippet.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think about just blocking whitespace at the beginning and ends? I think people will want to use emojis in names (we probably will too).

@mtojek mtojek Nov 10, 2022

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's an option to introduce this pattern, but then we need to verify if it doesn't introduce any extra risk, something like "shellshock" against audit logs. I believe that we can track this effort in a separate issue.

EDIT:

It looks like the majority prefers a more permissive pattern, so I adjusted the validation.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some thoughts from the FE:

  • To my knowledge, we don't sanitize other fields. It would be nice to have some consistency however we decide to move forward. Some documentation would be nice, too.
  • React escapes any values embedded in JSX before rendering them, unless you use dangerouslySetInnerHTML.
  • Current approach looks fine to me.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, Kira!

Comment thread cli/templateedit_test.go Outdated

@mafredri mafredri left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only thing left is the "Do we limit display names?" question. I personally don't think we should, but if other feel different then I won't object.

Other than that, I think this PR is good to go. 👍🏻

@mtojek

mtojek commented Nov 10, 2022

Copy link
Copy Markdown
Member Author

I updated the validation to be more permissive: ^[^\s](.*[^\s])?$. I have also updated test pattern examples.

@mtojek mtojek enabled auto-merge (squash) November 10, 2022 20:46
@mtojek mtojek disabled auto-merge November 10, 2022 20:46
@mtojek mtojek merged commit 2042b57 into coder:main Nov 10, 2022
@github-actions github-actions Bot locked and limited conversation to collaborators Nov 10, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants