Disable all commands for change if system-wide readonly

[chrjorgensen]

Changes

This PR will disable all commands used for changing content on the server, if the server has system-wide readonly.
This include terminals and run of actions, but not library list change command etc.

When the server is defined as readonly system-wide, the connected bar item will look like this:

Note the icon is now a shield, the menu show "System-wide read only" (hyperlink) and no action maintenance or terminal options are available.

EDIT: C4i will now ask for reload when the readonly value changes in the config.

EDIT: The readonly field has been moved to the Features section as the first option:

EDIT: The readonly connection setting is decribed in the PR #71 in the Docs repo.

EDIT: Save As will now fail with filesystem error if the connection is in readonly mode.

How to test this PR

1. Open a connection marked as readonly via system settings
2. Commands for changing server content is not available and is greyed out in the context menus
3. Remove the readonly attribute from the system settings and reconnect.
4. The commands for changing server content should now be available as usual.

Checklist

• have tested my change
• updated relevant documentation

[worksofliam]

Only one issue I found:

The deploy command still works even in readonly mode (should be a simple package.json addition)

Once that's done, I think we can merge.

Great work!

[worksofliam]

@chrjorgensen I saw you mentioned you're on holiday - let me take over this PR for you.

[worksofliam]

@sebjulliand I've added one small commit to this PR. Any chance you can have a review?

[sebjulliand]

Looks good and works fine overall @chrjorgensen , that's great; this is true protection 😉
However, I have a remark about the actions.
Also, (but that's a question) It seems odd that even opening a terminal is disabled. I know you can wreck havoc with a terminal, but not being able to open one in this context seems a bit too much. That's up for debate!

[chrjorgensen]

@sebjulliand Thanks for reviewing this - but there is no such thing as true protection! 😉

I gave this change a lot of thoughts - mostly from a system administrators point of view... and I think we should not leave any options open for the C4i user if the admin has defined the system as readonly in the systemwide settings file /etc/vscode/settings.json.

Allowing actions in readonly mode gives the user the option to create a new action, which circumvent the protection, e.g. RMVM, DLTPGM etc. The same goes for the terminals.

So this PR is created by a system admin 😅 and may seem harsh in its implementation. I'm open for a more granular control, distinguishing between system wide readonly and user defined readonly. This could be added in another PR?

Thoughts? 😃

[sebjulliand]

Fair enough @chrjorgensen ! I can agree with that.

May I request a small change in the description of this field, when defining an action:
Adding something like "does not apply to system wide read-only" here?

Just so that users don't get surprised when a system is completely protected.
Thanks!

[chrjorgensen]

@sebjulliand I agree and also think there should be a visible distinction between locally defined and system defined read only - I will work on that.

[chrjorgensen]

@sebjulliand You convinced me... 😉

Actions and terminals are now only prohibited when readonly is activated by system settings - when the connection is defined as readonly locally, these are available like before this change.

I have made some visual changes for system-wide readonly in the connected bar item:

Note the icon is now a shield, the menu show "System-wide read only" (hyperlink) and no action maintenance or terminal options are available.

Please give it a thorough test! 🙏

[sebjulliand]

Thanks @chrjorgensen , I finally took the time to test it and it's great now. I like that the user-defined protected mode leaves the actions and Terminals enabled.
It makes a lot of sense to lock everything down if it's at the system level - because the sysadmin wanted it and sysadmin is law 😎

I will just request two updates:

• When in read-only mode at the connection or system level, actions that can't run on protected targets can still be run. The conditions on this line should be updated like this:

    .filter(action => action.runOnProtected || (!targets.some(t => t.protected) && !instance.getConnection()?.getConfig().readOnlyMode))

• The additional test for read-only mode you put into IFSFs::write should be put into QSysFS::write as well 😉

Apart from that, it's all good! Thanks!

[chrjorgensen]

@sebjulliand I've fixed the two remaining issues - the action targets now gets the right value for protected and the Save As for members will not allow saving to the server.

🙏 😄

[chrjorgensen]

@sebjulliand WAIT - my branch was not up to date and was missing some changes!

I will fix this...

[chrjorgensen]

Fixed - hopefully no more issues... 🙏

[sebjulliand]

Looks good to me!
Approved an merge; thanks @chrjorgensen !