. If the user is logged in,
the server renders the feature list markup with a |whitelisted| attribute [
src]:
<chromedash-featurelist whitelisted></chromedash-featurelist>
Inside that element, when |whitelisted| is present each feature includes a link to edit it: [
src]:
<a href="/admin/features/edit/{{
feature.id}}" hidden?="{{!whitelisted}}">edit</a>
That <a> gets distributed into the Shadow DOM of another element, <li is="chromedash-feature">. If <chromedash-feature> sees an element with class="edit come through, it renders it (
<content select=".edit">) where it needs to.
What I like about this setup is that 1.) <chromedash-feature> doesn't need to know anything about the user's logged in state. It just renders any light dom nodes it cares about, and 2.) A single |whitelisted| property on <chromedash-featurelist whitelisted>
controls the whole dance.
Don't get me wrong...this is NOT a security feature. One could easily set chromeFeatureList.whitelisted = true in the console and turn on the edit links. The protection comes from the server requiring authentication for the handler.
Anyways, thought this was worth sharing. I'd love to see more exploration in this area.