
fix: return updated layout data if child uses `parent`

Open teemingc opened this issue 1 year ago • 6 comments

fixes https://github.com/sveltejs/kit/issues/9355

This PR changes the server data to return the updated layout data from a layout node if a child load function uses parent. Previously, the child load function would receive the updated data from parent, but the layout node would still return the stale data.


Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • [x] It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • [x] This message body should clearly illustrate what problems it solves.
  • [x] Ideally, include a test that fails without this PR but passes with it.

Tests

  • [x] Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • [x] If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

  • [x] Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

teemingc, Nov 29 '24 03:11

🦋 Changeset detected

Latest commit: b2880faa658b74c4f96736eabb99d7ebbf9cef1d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Patch


changeset-bot[bot], Nov 29 '24 03:11

I don't know how I feel about changing this. If the parent load function does not have anything in it that makes it officially rerun, I don't think we should let it rerun indirectly via await parent(). If await parent() happens to create new data then that's more of a misuse of the parent load function. We only need to re-request the parent data on the server because there's no way to pass the parent data back into the load function endpoint when we call it, so the parent knowledge has to be re-constructed. On the client that's not the case with the universal loaders, so it would make a confusing difference.

dummdidumm, Jan 31 '25 10:01

> We only need to re-request the parent data on the server because there's no way to pass the parent data back into the load function endpoint when we call it, so the parent knowledge has to be re-constructed.

Should we try to pursue some form of this (passing the parent data from the client to the server) so that the parent data is consistent?

> If await parent() happens to create new data then that's more of a misuse of the parent load function.

There could also be cases where it isn't a misuse. For example: an admin updates a user's settings, causing the parent load function to return new data when the parent data is reconstructed. This would cause the layout data to be stale while the child load uses fresh data.

teemingc, Feb 03 '25 04:02

> I don't know how I feel about changing this. If the parent load function does not have anything in it that makes it officially rerun, I don't think we should let it rerun indirectly via await parent().

If parent load functions do not rerun on await parent(), wouldn't that introduce a security issue for what several people are suggesting (and presumably doing) with it in #6315? A lot of people describe it as a viable way to ensure layouts that perform auth always rerun their load functions (and auth checks), particularly on page navs between routes that both fall under the same layout when the load function wouldn't otherwise rerun.

dslatkin, Mar 14 '25 03:03

You need to ensure that your layout reruns on every page change (by for example depending on the url) then it's safe - that issue is largely unrelated to this one

dummdidumm, Mar 14 '25 10:03

Ah I see, that makes sense, thanks, sorry for the confusion. Basically the rerun is to make sure an auth check happens in the first place (which can otherwise throw a 403 or something if it fails) and any awaiting of parents is to make sure the data from that auth check is available to a child load function that might need it

dslatkin, Mar 14 '25 16:03

Given the direction we're moving — i.e. remote functions — I think it's probably better to avoid making this sort of change. I'll move the PR to draft for now, so that it's not in the queue

Rich-Harris, Sep 16 '25 00:09

Just to make sure no one that comes across this thread uses this to secure their load functions:

> You need to ensure that your layout reruns on every page change (by for example depending on the url) then it's safe

Relying on a url dependency in the parent load function and not calling await parent() in the child load function is not safe. If the child load does not call await parent() you can fetch the data it returns without the parent load function being called through a .../__data.json?x-sveltekit-invalidated=01 request.

PatrickG, Sep 16 '25 01:09
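
Added example (not part of the thread and not SvelteKit's code): a simplified JavaScript model of the behaviour described in the last comment, where a data request flags only the child node. It compares a child load that relies on the layout's auth check with one that awaits `parent()` and one that checks for itself. `serveData`, the node objects and `locals.user` are assumed names, and reading the `01` mask as one flag per node is an assumption of this model.

```javascript
// Simplified model (assumption, not SvelteKit source): each character of the
// invalidation mask flags one node; a flagged node's server load runs, and an
// unflagged ancestor runs only if a flagged child calls parent().
async function serveData(nodes, mask, event) {
  const ran = [], results = [];
  const run = (i) => (results[i] ??= (async () => {
    ran.push(nodes[i].name);
    const parent = async () => {
      const data = {};
      for (let j = 0; j < i; j++) Object.assign(data, await run(j));
      return data;
    };
    return nodes[i].load({ ...event, parent });
  })());
  try {
    const data = [];
    for (let i = 0; i < nodes.length; i++) data.push(mask[i] === '1' ? await run(i) : null);
    return { status: 200, ran, data };
  } catch (err) {
    return { status: err.status ?? 500, ran, data: null };
  }
}

const deny = () => Object.assign(new Error('Forbidden'), { status: 403 });
const requireUser = (locals) => { if (!locals.user) throw deny(); return locals.user; };
// Layout load that holds the only auth check.
const layout = { name: 'layout', load: async ({ locals }) => ({ user: requireUser(locals) }) };
// Child that never calls parent(): nothing forces the layout check to run.
const pageUnguarded = { name: 'page', load: async () => ({ report: 'constructed sample' }) };
// Child that awaits parent(): the layout check runs whenever this load runs.
const pageWithParent = { name: 'page', load: async ({ parent }) => {
  const { user } = await parent();
  return { report: 'constructed sample', user };
} };
// Child that checks locals itself and does not depend on the layout at all.
const pageSelfGuarded = { name: 'page', load: async ({ locals }) => {
  requireUser(locals);
  return { report: 'constructed sample' };
} };

// Serve the same child-only data request ('01') for each page variant.
async function demo(locals) {
  const variants = { unguarded: pageUnguarded, withParent: pageWithParent, selfGuarded: pageSelfGuarded };
  const out = {};
  for (const [key, page] of Object.entries(variants)) {
    out[key] = await serveData([layout, page], '01', { locals });
  }
  return out;
}
```

For a request with no user in `locals`, only the unguarded child returns data (status 200, layout never run); the other two variants return 403.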