SCAL-239528 Implement restricting navigation for blocked embed routes #344
Conversation
shivam-kumar-ts
commented
Nov 7, 2025
shivam-kumar-ts
commented
- Implement restricting navigation for blocked embed routes
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
Summary of ChangesHello @shivam-kumar-ts, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request implements a significant feature for embedded ThoughtSpot applications, enabling granular control over user navigation. It allows developers to define specific routes that users are permitted to access within an embed, enhancing security and user experience by preventing navigation to unintended areas. The change includes new configuration parameters and a dedicated enum for managing these route restrictions. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a feature to restrict navigation for embedded routes. It adds allowedRoutes and accessDeniedMessage configurations to control access. The implementation looks correct, with corresponding changes in type definitions, the main embed class, and test files. I've found a few minor issues in the JSDoc comments and code formatting in src/types.ts and have provided suggestions to fix them. Overall, this is a good addition.
| /** | ||
| * Array of routes that are allowed to be accessed in the embedded app. | ||
| * When specified, navigation will be restricted to only these routes. | ||
| * Use Path.All to allow all routes without restrictions. | ||
| * | ||
| * Supported embed types: `AppEmbed`, `LiveboardEmbed`, `SageEmbed`, `SearchEmbed`, `SpotterAgentEmbed`, `SpotterEmbed`, `SearchBarEmbed` | ||
| * @example | ||
| * | ||
| * | ||
| * // Replace <EmbedComponent> with embed component name. For example, AppEmbed, SearchEmbed, or LiveboardEmbed | ||
| * const embed = new AppEmbed('#tsEmbed', { | ||
| * ... // other embed view config | ||
| * allowedRoutes: [Path.Home, Path.Search, Path.Liveboards], | ||
| * accessDeniedMessage: 'You do not have access to this page' | ||
| * }) | ||
| * * | ||
| * | ||
| * // Allow all routes | ||
| * const embed = new AppEmbed('#tsEmbed', { | ||
| * allowedRoutes: [Path.All] | ||
| * }) | ||
| * */ | ||
| allowedRoutes?: Path[]; | ||
| /** | ||
| * Custom message to display when a user tries to access a route | ||
| * that is not in the allowedRoutes list. | ||
| * | ||
| * Supported embed types: `AppEmbed`, `LiveboardEmbed`, `SageEmbed`, `SearchEmbed`, `SpotterAgentEmbed`, `SpotterEmbed`, `SearchBarEmbed` | ||
| * @default 'Access Denied' | ||
| * @example | ||
| * | ||
| * const embed = new AppEmbed('#tsEmbed', { | ||
| * allowedRoutes: [Path.Home, Path.Liveboards], | ||
| * accessDeniedMessage: 'You do not have permission to access this page. | ||
| * Please contact your administrator.' | ||
| * }) | ||
| * */ | ||
| accessDeniedMessage?: string; |
There was a problem hiding this comment.
The JSDoc comments for allowedRoutes and accessDeniedMessage have some formatting issues and an incorrect example. Additionally, the indentation for these new properties is inconsistent with the rest of the BaseViewConfig interface. Properties in this interface are indented with 4 spaces, but the new properties use 8 spaces.
- There are some extra empty lines and stray asterisks (
*) in the comment blocks which should be cleaned up. - The example for
accessDeniedMessagecontains a multi-line string literal which is invalid in JavaScript. It should be a single line string. - The indentation for
allowedRoutesandaccessDeniedMessageshould be 4 spaces to match the existing properties inBaseViewConfig.
/**
* Array of routes that are allowed to be accessed in the embedded app.
* When specified, navigation will be restricted to only these routes.
* Use Path.All to allow all routes without restrictions.
*
* Supported embed types: `AppEmbed`, `LiveboardEmbed`, `SageEmbed`, `SearchEmbed`, `SpotterAgentEmbed`, `SpotterEmbed`, `SearchBarEmbed`
* @example
*
* // Replace <EmbedComponent> with embed component name. For example, AppEmbed, SearchEmbed, or LiveboardEmbed
* const embed = new AppEmbed('#tsEmbed', {
* ... // other embed view config
* allowedRoutes: [Path.Home, Path.Search, Path.Liveboards],
* accessDeniedMessage: 'You do not have access to this page'
* })
*
* // Allow all routes
* const embed = new AppEmbed('#tsEmbed', {
* allowedRoutes: [Path.All]
* })
*/
allowedRoutes?: Path[];
/**
* Custom message to display when a user tries to access a route
* that is not in the allowedRoutes list.
*
* Supported embed types: `AppEmbed`, `LiveboardEmbed`, `SageEmbed`, `SearchEmbed`, `SpotterAgentEmbed`, `SpotterEmbed`, `SearchBarEmbed`
* @default 'Access Denied'
* @example
*
* const embed = new AppEmbed('#tsEmbed', {
* allowedRoutes: [Path.Home, Path.Liveboards],
* accessDeniedMessage: 'You do not have permission to access this page. Please contact your administrator.'
* })
*/
accessDeniedMessage?: string;
src/types.ts
Outdated
| * allowedRoutes: [Path.Home, Path.Search, Path.Liveboards], | ||
| * accessDeniedMessage: 'You do not have access to this page' | ||
| * }) | ||
| * * @version SDK: 1.45.0 | ThoughtSpot: * |
There was a problem hiding this comment.
There's a formatting issue in the JSDoc for the Path enum. The @version tag has an extra asterisk at the beginning of the line, which might affect how documentation is generated.
* @version SDK: 1.45.0 | ThoughtSpot: *
commit: |
shivam-kumar-ts
force-pushed
the
SCAL-239528
branch
21 times, most recently
from
3c6f49a to
bd559cd
Compare
|
|
||
| // Pinboard/Liveboard | ||
| Pinboard = '/insights/pinboard/:pinboardId', | ||
| VizBoard = '/insights/pinboard/:pinboardId/:vizId', |
There was a problem hiding this comment.
We also have tabs keyword in the URL
src/embed/ts-embed.ts
Outdated
| message: customActionsResult.errors, | ||
| }); | ||
| } | ||
| const blockedAndAllowedRoutesResult = getBlockedAndAllowedRoutes( this.viewConfig?.routeBlocking, { embedComponentType: (this.viewConfig as any).embedComponentType || '', liveboardId: (this.viewConfig as any).liveboardId, vizId: (this.viewConfig as any).vizId, activeTabId: (this.viewConfig as any).activeTabId, pageId: (this.viewConfig as any).pageId, path: (this.viewConfig as any).path }); |
There was a problem hiding this comment.
Can you simplify this - also if possible remove any insteances.
src/embed/ts-embed.ts
Outdated
| message: customActionsResult.errors, | ||
| }); | ||
| } | ||
| const blockedAndAllowedRoutesResult = getBlockedAndAllowedRoutes( this.viewConfig?.routeBlocking, { embedComponentType: (this.viewConfig as any).embedComponentType || '', liveboardId: (this.viewConfig as any).liveboardId, vizId: (this.viewConfig as any).vizId, activeTabId: (this.viewConfig as any).activeTabId, pageId: (this.viewConfig as any).pageId, path: (this.viewConfig as any).path }); |
There was a problem hiding this comment.
what does this do ?? can you please refactor this
| * ``` | ||
| * @version SDK: 1.45.0 | ThoughtSpot: 26.2.0.cl | ||
| */ | ||
| export enum NavigationPath { |
There was a problem hiding this comment.
clean up this, only put the most used pages here, that customer has access to in embed.
| const { embedComponentType, liveboardId, vizId, activeTabId, pageId, path } = config; | ||
|
|
||
| switch (embedComponentType) { | ||
| case 'LiveboardEmbed': { |
There was a problem hiding this comment.
is there no enum for this ?
| path?: string; | ||
| } | ||
|
|
||
| const EMBED_COMPONENT_GENERIC_PATHS: Record<string, string[]> = { |
There was a problem hiding this comment.
all this should be part of the embed component
| /** | ||
| * Generate specific allowed routes based on the embed configuration | ||
| */ | ||
| export const generateAutoAllowedRoutes = (config: RouteGenerationConfig): string[] => { |
There was a problem hiding this comment.
Why is it called autoAllowed? can you confirm.
| const routes: string[] = []; | ||
|
|
||
| if (liveboardId) { | ||
| routes.push(`/embed/viz/${liveboardId}`); |
There was a problem hiding this comment.
this should be part of liveboard component
shivam-kumar-ts
force-pushed
the
SCAL-239528
branch
6 times, most recently
from
4934fed to
3ca4890
Compare
…detection for blocked routes
…ve blocked route conflict detection
…ate route generation
…mbed configuration validation and processing
shivam-kumar-ts
force-pushed
the
SCAL-239528
branch
from
3ca4890 to
4509300
Compare
|
SonarQube Quality Gate
|
