-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Api perm check 1281 #1282
Api perm check 1281 #1282
Conversation
I hope this PR does not bite PR #1279 ... |
I can look a the tests. They're mainly helpful for debugging code. SPECIFIC TEST: The test test_User_is_dataset_manager gives lots of log information. |
So what is the procedure for deployment? Get and Pull the branch (or just merge it first), then execute the new command in the venv, then create a new test db. If necessary, we can try the procedure steps out on both test servers to make sure it works. |
Thanks for cleaning up, @vanlummelhuizen :) . Two thoughts after reviewing the code:
|
At the moment signbank-dev has the branch batch_edit. So signbank-dev can be used for this branch. |
@vanlummelhuizen is there a migration missing? I've put this branch on signbank-dev I ran the remove_can_view_dataset command.
|
I'm working on this locally to add the migration and fix the test. |
I figured out what is wrong with the test. The test used to make a new dataset and grant and revoke permissions to it. (NOT use NGT.) For now, we probably need to remove or comment out this test. If I remember correctly it was set to tstMH for the dataset tests as well as the corpus tests. |
Deze branch zit nu op signbank-dev. Ooops. This branch is on signbank-dev now. |
@vanlummelhuizen @Woseseltops you can inspect the permissions now in the Admin on signbank-dev. It is this branch. But if you look at the permissions for NGT, some users that have change permission do not have view permission anymore! For example, Casper can change the dataset but NOT view the dataset. (This is wrong.) Divya can change AND view the dataset. More comical, @uklomp can CHANGE dataset Oefen, but she can't view it! (She's the only one that can't view it.) |
The tests for Dataset Manager ought to make use of this dataset:
instead of NGT. |
Okay, for Casper and @uklomp the permissions were also that before the new code. Neither had view permission. Probably we ought to make sure the original permissions are correct before applying the command. Note: The command was applied to signbank-dev first, before the deploy (restart with the code updates that check the permissions), and before the migration. Because the test mentioned above failed, and because the deploy after the command was run (the deploy invokes the tests), then the test was modified to comment out the offender, and the migration was created (because the deploy complained). Then the migration was done and restarted. This is kind of a chicken or the egg because removing the can_view_dataset from the Dataset model requires a migration. But the command requires that this exists. @Woseseltops if you want to try this out yourself, get a fresh copy of the database and try running it again. But again, this is chicken or the egg. I suggest to fix all the Object Permissions on the Dataset objects in the Admin to make the explicit can_view_dataset and view_dataset columns be the same. Plus if a particular user has change_dataset, the user should also have the two view permissions. |
I updated the perms by hand for a couple of datasets in the admin on But I think there needs to be a second command to apply first before this branch is deployed.
Then the newer view_dataset will be filled in in the Object Permissions table for the Dataset in the Admin. For this kind of command, a test can be made that confirms this,
Such a command can't be evaluated once the deploy is done. It's important to use explicit match, not "any" match. The main use of "any" is that staff and superusers can have extra permissions that are not shown in the table. I think we need this extra step before the other command to make sure the permissions are correct to start with. It's kind of chicken or egg because a migration is needed to remove the can_view_dataset permission, but then the objects will or will not be removed so the command won't work, or the code won't deploy because of references to deleted code. |
The alternative is to change it from a command into a data migration. This makes sure it is run once. After that we could create a migration that removes the can_view_dataset. About creating view permissions for users that have change permission: I think it does not matter if it is done before or after the command/data migration and the migration removing can_view_dataset, for the simple reason that the command/migrations do not touch upon change permissions. |
Okay, that sounds good. |
Outcome of my experiment with the |
No the info endpoint is a read only access, so the user should not need change permission. @vanlummelhuizen is going to make a migration to fix the permissions, so the table contents are changed at the same time as the model. Otherwise it doesn't work to deploy because once the model is changed, the code can't be run anymore because it references old preferences. So @vanlummelhuizen is going to write a migration that maps the values. |
@vanlummelhuizen I removed the migration that was needed but unwanted. This branch has been merged with all the recent updates so there are no conflicts. I put the "delete gloss" branch onto signbank-dev because the others were all busy. When you want to you can use it again for this request. I replaced the database with a new one that does not have that command applied. |
SAMENVATTING
It can be switched to this one in order to develop the migration (to replace the command) The test that was broken for this branch was commented out. So it's probably still broken. This should be made a draft until the migration is done. |
NEW UPDATE I created an empty signbank (see #1316) If you browse the changes to the code there are numerous changes to the permissions being tested or assigned. I did not delete the old permission can_view_dataset, but it is not used anymore. We still need to migrate the master signbank database. Because the permissions differ in #1316, I'm not sure what is going on, why there are different names for the permissions. To get the code to run, I kept putting print statements to inspect what permissions were being found and then adapt the code and make sure the tests match. (So both sides work.) (Maybe there is some context involved?) I'll try the revised code on a non-empty database, too. Then we still need a migration with data mapping from this branch. |
This branch should be completed before the empty database branch is delivered so the old permission is removed via migration. (#1316 #1270 ) |
This is now done as far as I am concerned. @Woseseltops @susanodd |
See also #1316 (comment) |
Merged with master, all the tests succeed (locally)! Copied the newest global signbank to signbank-dev. APPROVED! |
Did some work to get rid of the can_view_dataset permission.
When running tests, only signbank.dictionary.tests.ManageDatasetTests.test_User_is_dataset_manager fails, but that seems a bug in that test because it is trying to change a Dataset but it expect a message about whether the user can view a dataset.