LCFS - Protect routes for compliance report #1654

Closed
areyeslo opened this issue Jan 9, 2025 · 0 comments
Labels: Compliance Reporting; Critical (Ticket is critical and top priority); Tested :) (Testing passed)

areyeslo commented Jan 9, 2025

Describe the Bug

Unauthorized users can access schedules for a compliance report without being allowed. For instance, Analyst users are not able to see compliance reports in Draft when accessing the compliance-reporting route.

However, the Analyst user can access the schedule by hitting the URL http://localhost:3000/compliance-reporting/2024/1:

In addition, the unauthorized user can modify schedules:

Expected Behaviour:
The unauthorized user cannot see compliance report details if they are not allowed. In addition, the user cannot modify unauthorized schedules based on their role and report status.

Actual Behaviour:
The unauthorized user cannot access resources when providing the associated URL.

Implications
- Users may attempt to edit reports that are not supposed to be editable, leading to confusion.
- Violates expected behavior and compliance workflows.

Steps To Reproduce
User/Role: IDIR

1. Log in as an IDIR user.
2. Open a compliance report that is in "Draft" status.
3. Observe that there are no compliance reports displayed.
4. Access the compliance report details through the URL.

Additional Notes:
We might need to create a HOC to handle validation:

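```jsx
import React, { useEffect } from 'react';
import { useNavigate } from 'react-router-dom';
import { isAccessAllowed } from '@/utils/accessValidation';
import { ROUTES } from '@/constants/routes';

// Higher-order component: renders WrappedComponent only when the current
// user is allowed to access the given report; otherwise redirects to the
// reports list.
const withAccessValidation = (WrappedComponent) => {
  const WithAccessValidation = (props) => {
    const navigate = useNavigate();
    const { currentUser, reportData } = props;
    const allowed = isAccessAllowed(currentUser, reportData);

    // Redirect from an effect, since navigation must not happen during render.
    useEffect(() => {
      if (!allowed) {
        navigate(ROUTES.REPORTS);
      }
    }, [allowed, navigate]);

    // Render nothing while the redirect is pending.
    if (!allowed) {
      return null;
    }

    return <WrappedComponent {...props} />;
  };
  return WithAccessValidation;
};

export default withAccessValidation;
```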

and use it in the components:

```jsx
export default withAccessValidation(ComplianceReportViewSelector)
```
@areyeslo areyeslo changed the title Protect routes for compliance report LCFS- Protect routes for compliance report Jan 10, 2025
@areyeslo areyeslo added Compliance Reporting Critical Ticket is critical and top priority labels Jan 10, 2025
@areyeslo areyeslo self-assigned this Jan 13, 2025
@RebekahRFord RebekahRFord changed the title LCFS- Protect routes for compliance report LCFS - Protect routes for compliance report Jan 20, 2025
@airinggov airinggov added the Tested :) Testing passed label Jan 22, 2025
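
The HOC in the issue relies on an `isAccessAllowed` helper that the issue does not show, and a route guard by itself does not stop a direct request from modifying a schedule. The following is an added example (not code from the LCFS project) of a deny-by-default version of that check, reused in a request handler so reads and writes get the same decision as the UI. The `Supplier` role, the `Submitted` status, the policy table, `handleScheduleRequest` and the object shapes are assumptions.

```javascript
// Added example. Only "Analyst" and "Draft" come from the issue; every other
// role, status, field name and function name here is a hypothetical choice.
const POLICY = new Map([
  // status -> role -> permitted actions; anything not listed is denied
  ['Draft', new Map([['Supplier', new Set(['view', 'edit'])]])],
  ['Submitted', new Map([
    ['Supplier', new Set(['view'])],
    ['Analyst', new Set(['view', 'edit'])],
  ])],
]);

function isAccessAllowed(currentUser, reportData, action = 'view') {
  // Not logged in, or report not loaded yet: deny rather than guess.
  if (!currentUser || !reportData) return false;
  const byRole = POLICY.get(reportData.status);
  if (!byRole) return false; // unknown status
  const roles = Array.isArray(currentUser.roles) ? currentUser.roles : [];
  return roles.some((role) => {
    const actions = byRole.get(role);
    if (!actions || !actions.has(action)) return false;
    if (role !== 'Supplier') return true;
    // Suppliers are limited to reports owned by their own organization.
    return currentUser.organizationId != null &&
      currentUser.organizationId === reportData.organizationId;
  });
}

// Server-side use of the same decision: typing the report URL or calling the
// API directly is checked exactly like a click in the UI.
function handleScheduleRequest(currentUser, reportData, method) {
  if (!currentUser) return { status: 401 };
  const action = method === 'GET' ? 'view' : 'edit';
  if (!isAccessAllowed(currentUser, reportData, action)) return { status: 403 };
  return { status: 200, body: reportData };
}

// Constructed sample data for the scenario in the issue.
const analyst = { roles: ['Analyst'] };
const supplier = { roles: ['Supplier'], organizationId: 1 };
const draftReport = { id: 1, status: 'Draft', organizationId: 1 };

console.log(handleScheduleRequest(analyst, draftReport, 'GET').status);
console.log(handleScheduleRequest(analyst, draftReport, 'PUT').status);
console.log(handleScheduleRequest(supplier, draftReport, 'PUT').status);
```
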