From shesha-utils
Uses Playwright to set permissions on unsecured Shesha API endpoints via the permissioned-objects admin UI. Restricts write operations to app:Configurator. Use when the user wants to harden, secure, or lock down API endpoints, fix permissioned-objects, restrict access to admin-only services, or add authorization to unprotected app services in a Shesha application.
Slash command
/shesha-utils:harden-permissions
Automates permission changes on the Shesha permissioned-objects page (`/dynamic/Shesha/permissioned-objects`) using Playwright.
Playwright must be installed globally (npm i -g @playwright/test). Verify with npx playwright --version.
Ask the user for:
http://localhost:3000)

Run the script in dry-run mode first to preview changes:
node <skill-dir>/scripts/harden-permissions.js <baseUrl> <username> '<password>' --dry-run
After user confirms, run without --dry-run:
node <skill-dir>/scripts/harden-permissions.js <baseUrl> <username> '<password>'
Report the results. If any endpoints fail, note them for manual follow-up.
Requires permissions + app:Configurator

All endpoints in these services become admin-only:

Any authenticated + method-level app:Configurator on write ops

Read endpoints stay open to logged-in users. Write operations require app:Configurator:
| Service | Restricted methods |
|---|---|
| Area | Create, Delete, Update, MoveArea |
| ConfigurableComponent | Create, Delete, Update, UpdateSettings |
| EntityConfig | Create, Delete, Update, RemoveConfigurationsOfMissingClasses |
| EntityProperty | Create, Delete, Update |
| ReferenceList | Create, Delete, Update, ClearCacheFull |
| ShaRole | Create, Delete, Update |
| Notification | Publish |
| NotificationMessage | Create, Delete, Update |
| QuestionAnswers | Delete |
| Service | Methods | Access |
|---|---|---|
| Session | ClearPermissionsCache | app:Configurator |
| UserManagement | Create, CompleteRegistration | app:Configurator |
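
A follow-up check for the policy in the tables above, as an added example that is not part of the skill or its harden-permissions.js script: it audits a snapshot of endpoint permissions and lists every restricted method that is absent or lacks app:Configurator. The snapshot entry shape (service, method, permissions) and the name auditSnapshot are assumptions, and the sample data is constructed.

```javascript
// Added example, not the skill's script. Assumed snapshot entry shape:
// { service, method, permissions: [...] } (hypothetical, not a Shesha API format).
const REQUIRED = 'app:Configurator';

// Methods the tables above restrict to app:Configurator.
const RESTRICTED = {
  Area: ['Create', 'Delete', 'Update', 'MoveArea'],
  ConfigurableComponent: ['Create', 'Delete', 'Update', 'UpdateSettings'],
  EntityConfig: ['Create', 'Delete', 'Update', 'RemoveConfigurationsOfMissingClasses'],
  EntityProperty: ['Create', 'Delete', 'Update'],
  ReferenceList: ['Create', 'Delete', 'Update', 'ClearCacheFull'],
  ShaRole: ['Create', 'Delete', 'Update'],
  Notification: ['Publish'],
  NotificationMessage: ['Create', 'Delete', 'Update'],
  QuestionAnswers: ['Delete'],
  Session: ['ClearPermissionsCache'],
  UserManagement: ['Create', 'CompleteRegistration'],
};

// Returns one finding per restricted method that is missing from the
// snapshot or does not list the required permission.
function auditSnapshot(snapshot) {
  const byKey = new Map(snapshot.map(e => [`${e.service}.${e.method}`, e]));
  const findings = [];
  for (const [service, methods] of Object.entries(RESTRICTED)) {
    for (const method of methods) {
      const key = `${service}.${method}`;
      const entry = byKey.get(key);
      if (!entry) {
        findings.push({ endpoint: key, issue: 'not in snapshot' });
      } else if (!(entry.permissions || []).includes(REQUIRED)) {
        findings.push({ endpoint: key, issue: `missing ${REQUIRED}` });
      }
    }
  }
  return findings;
}

// Constructed sample: a fully hardened snapshot with two regressions injected
// (ShaRole.Delete dropped, Notification.Publish left without a permission).
const sample = Object.entries(RESTRICTED)
  .flatMap(([service, methods]) =>
    methods.map(method => ({ service, method, permissions: [REQUIRED] })))
  .filter(e => !(e.service === 'ShaRole' && e.method === 'Delete'))
  .map(e => (e.service === 'Notification' ? { ...e, permissions: [] } : e));
console.log(auditSnapshot(sample));
```

An empty result means every method in the tables carries app:Configurator; anything listed is a candidate for the manual follow-up mentioned above.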
Edit the CHANGES array in scripts/harden-permissions.js to add/remove services or endpoints.
- (permissioned) in the UI
- [AbpAllowAnonymous] endpoints (password reset, login)
- Aaaaaaa test service (flag for removal instead)

npx claudepluginhub boxfusion/boxfusion-plugins --plugin shesha-utils