AO3-6218 Allow certain admins to access all collection and challenge pages usually reserved for owners#5592
Conversation
…pages usually reserved for owners
Bilka2
left a comment
Bilka2
left a comment
There was a problem hiding this comment.
Please use pundit for the access control. You can find our existing policies in the app/policies folder if you'd like examples. The other issues on the admin role Epic also have examples of pundit implementations.
Since this is a rather big PR already just with the permission changes, I would prefer if you didn't action unrelated rubocop issues, like the i18n changes you did here. The risk that something accidentally breaks is just too big there to include it all with the permission changes.
For the specs, please use the an action only authorized admins can access shared example if possible, it tests a lot of admin roles automatically. Examples for it's use can be found all across the admin role tests.
github-actions
bot
added
Coder Has Actioned Review
and removed
Reviewed: Action Needed
labels
not-varram
force-pushed
the
AO3-6218-Allow-certain-admins-to-access-all-collection
branch
from
b01187c to
e408677
Compare
|
Hey- I dont have a way to get this out of "Coder has reviewed action" tag but I'm still working on it. |
|
it's ready to be reviewed :) |
Bilka2
left a comment
Bilka2
left a comment
There was a problem hiding this comment.
Thank you for working on this! This looks pretty good already, I just have a few nitpicks
I wanted to note that this doesn't touch anything in the views, so there are a bunch of links/buttons that will show for owners but not authorized admins, e.g. the links the collection sidebar. Please keep it that way! We'll make separate Jira issues to add these links into the pages for the authorized admins later, since this PR is already quick big to code/review/test
| before_action :users_or_privileged_collection_admin_only, only: [:edit] | ||
| before_action :load_collection_from_id, only: [:show, :edit, :update, :destroy, :confirm_delete] | ||
| before_action :collection_owners_only, only: [:edit, :update, :destroy, :confirm_delete] | ||
| before_action :collection_owners_or_privileged_admins_only, only: [:edit] |
There was a problem hiding this comment.
Shouldn't it be enough to list edit only in collection_owners_or_privileged_admins_only?
I suppose the duplication comes from edit being listed in users_only, but from what I can tell both it and update can be removed from there
| elsif logged_in_as_admin? | ||
| admin_only_access_denied and return | ||
| else | ||
| flash[:error] = ts("You don't have permission to see that, sorry!") | ||
| redirect_to collections_path and return |
There was a problem hiding this comment.
| elsif logged_in_as_admin? | |
| admin_only_access_denied and return | |
| else | |
| flash[:error] = ts("You don't have permission to see that, sorry!") | |
| redirect_to collections_path and return | |
| else | |
| admin_only_access_denied and return if logged_in_as_admin? | |
| flash[:error] = ts("You don't have permission to see that, sorry!") | |
| redirect_to collections_path and return |
is more readable to me? very style/opinion based though, so definitely tell me no here if you disagree, the existing code is also fine
| class CollectionParticipantsController < ApplicationController | ||
| before_action :users_only | ||
| before_action :users_only, except: [:index] | ||
| before_action :users_or_privileged_collection_admin_only, only: [:index] |
There was a problem hiding this comment.
Shouldn't it be enough to list index only in collection_maintainers_or_privileged_admins_only?
| redirect_to "/" and return | ||
| end | ||
| unless @collection.challenge_type == "PromptMeme" || (@collection.challenge_type == "GiftExchange" && @collection.challenge.user_allowed_to_see_requests_summary?(current_user)) | ||
| unless @collection.challenge_type == "PromptMeme" || privileged_collection_admin? || (@collection.challenge_type == "GiftExchange" && @collection.challenge.user_allowed_to_see_requests_summary?(current_user)) |
There was a problem hiding this comment.
What do you think about combining the admin check into user_allowed_to_see_requests_summary? (and maybe renaming the method)?
That would make this a bit shorter here
|
|
||
| before_action :users_only | ||
| before_action :users_only, except: [:index, :show] | ||
| before_action :users_or_privileged_collection_admin_only, only: [:index, :show] |
There was a problem hiding this comment.
Shouldn't it be enough to list index and show only in collection_maintainers_or_privileged_admins_only?
In fact the whole before_action :users_only also seems useless to me, since everything is either collection_maintainers_or_privileged_admins_only or collection_maintainers_only
There was a problem hiding this comment.
Also, shouldn't it only be index that's allowed for admins?
| policy(Collection).access? | ||
| end | ||
|
|
||
| def users_or_privileged_collection_admin_only |
There was a problem hiding this comment.
| def users_or_privileged_collection_admin_only | |
| def users_or_privileged_collection_admins_only |
it's inconsistent :(
| not_allowed(@collection) unless user_scoped? || @challenge.user_allowed_to_see_assignments?(current_user) || privileged_collection_admin? | ||
|
|
||
| @claims = ChallengeClaim.unposted_in_collection(@collection) | ||
| @claims = @claims.where(claiming_user_id: current_user.id) if user_scoped? |
There was a problem hiding this comment.
This will error 500 for admins, won't it?
| describe "admin access to assignments pages" do | ||
| authorized_roles = %w[support policy_and_abuse superadmin].freeze | ||
| let(:gift_exchange) { create(:gift_exchange, assignments_sent_at: Faker::Time.backward) } | ||
| let(:user) { other_user } |
There was a problem hiding this comment.
while you're in this file, could you check whether bookmark_search: true, collection_search: true, work_search: true could be removed from the topmost describe? I have no idea why those are there
| let(:gift_exchange) { create(:gift_exchange, assignments_sent_at: Faker::Time.backward) } | ||
| let(:user) { other_user } | ||
|
|
||
| before { fake_logout } |
There was a problem hiding this comment.
Is this required? I'd expect the admin login from the it_behaves_like to override the user login that's define in this file
2 participants
Pull Request Checklist
as the first thing in your pull request title (e.g.
AO3-1234 Fix thing)until they are reviewed and merged before creating new pull requests.
Issue
https://otwarchive.atlassian.net/browse/AO3-6218
Purpose
Allow admins with
support,policy_and_abuse, orsuperadminroles to access owner/maintainer collection and challenge pages for viewing/troubleshooting, without granting write permissions.Implemented via shared controller helpers and action-level filter changes so read routes are opened for those roles while create/update/destroy paths remain owner/maintainer-only.
Testing Instructions
Automated coverage was added/updated for the affected controllers to verify:
(Functional QA flow is already documented in the Jira ticket.)
Credit
varram (he/him)