Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add simple auth to all admin-only controllers #837

Merged
merged 1 commit into from
Jan 26, 2021
Merged

Add simple auth to all admin-only controllers #837

merged 1 commit into from
Jan 26, 2021

Conversation

solebared
Copy link
Collaborator

@solebared solebared commented Jan 23, 2021
edited
Loading

Why

Gives all admin-only controllers rudimentary authorization by inheriting from AdminController.

See #835 for background.

Pre-Merge Checklist

  • All new features have been described in the pull request
  • Security & accessibility have been considered
  • High quality tests have been added, or an explanation has been given why the features cannot be tested
  • All outstanding questions and concerns have been resolved
  • Any next steps that seem like good ideas have been created as issues for future discussion & implementation

Testing

This is part of the work to re-open user registration.
Once all that work is ready, we'll need to do some extensive manual regression testing.

Specific review requests

Most importantly, please check whether all these controllers are actually only for admin use.

Next Steps

?

Outstanding Questions, Concerns and Other Notes

?

solebared
solebared commented Jan 23, 2021
View reviewed changes
app/models/listing.rb
@@ -67,7 +67,7 @@ def status
elsif matches_as_provider.any?
status = matches_as_provider.map{|m| m.completed?}.any? ? 'completed' : 'matched'
end
update_attributes(state: status)
update(state: status)
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gets rid of an annoying deprecation warning :)

solebared
solebared commented Jan 23, 2021
View reviewed changes
spec/requests/listings_spec.rb
@@ -13,7 +13,7 @@
location_attributes: { zip: '12e45' },
}}

before { sign_in create(:user) }
before { sign_in create(:user, :admin) }
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe ListingController is only currently used by admins?

@solebared solebared mentioned this pull request Jan 23, 2021
Merged
10 tasks
@solebared solebared mentioned this pull request Jan 26, 2021
Merged
30 tasks
Base automatically changed from secure-admin-resources to main January 26, 2021 15:25
@solebared
Add simple auth to all admin-only controllers
050a237 
Inheriting from AdminController gives us rudimentary authorization based
on user role (must be admin or sysadmin). See #835.

Also changes one occurrence of the deprecated `update_attributes` ->
`update`.
maebeale
maebeale approved these changes Jan 26, 2021
View reviewed changes
Copy link
Collaborator

@maebeale maebeale left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perfecto! Some of these are likely to need to come out of this category, but until we have the relevant functionality, all of these should be restricted to admin/sys_admin only. Tks!

@solebared solebared merged commit 35d55b9 into main Jan 26, 2021
@solebared solebared deleted the inherit-admin-controller branch January 26, 2021 22:49
@maebeale maebeale mentioned this pull request Mar 3, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maebeale maebeale maebeale approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@solebared @maebeale