Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make NavBarPolicy allow Feedback only for Admins #996

Merged
merged 2 commits into from
Nov 30, 2021
Merged

Make NavBarPolicy allow Feedback only for Admins #996

merged 2 commits into from
Nov 30, 2021

Conversation

bobmazanec
Copy link

@bobmazanec bobmazanec commented Nov 19, 2021
edited
Loading

Why

To fix #992, show the Feedback NavBar button only to Admins & Sys-Admins

I chose those approach after seeing that the route triggered by the Feedback button uses the SoftwareFeedbacksController is derived from AdminController, which allows actions only by users with either the admin or sys_admin role. That is, I inferred the UI was incorrectly offering the button.

What

Change NavBarPolicy#visible_buttons to include Feedback only for Users with either the admin or sys_admin.

How

Moved adding Feedback to the allow-list from the line with NavBarPolicy#visible_buttons's simple non-nil check to the line guarded with the call to ApplicationPolicy#can_admin?

Testing

The PR modifies existing examples, removing the expectation for Feedback's presence for neighbor cases.

With modified examples, without modified code - 2 failures

image

With modified examples & code - 0 failures

image

Rubocop - no change

image

Outstanding Questions, Concerns and Other Notes

More about the specs than the bug: in my dev/repro environment, I noticed that my new User had the unset role. This was different from neighbor, but both are "neither admin nor sys_admin", so I simply modified the existing contexts.

Accessibility

None that I'm aware of.

Security

Very slight improvement—now the UI "advertises" one fewer route to non-{,sys}admin users.

Meta

This is my first PR here.
I hope/believe I have read and understood the various guides, policies, etc. (humble apologies if not...)
Constructive feedback welcome, of course.

Pre-Merge Checklist

  • Security & accessibility have been considered
  • Tests have been added, or an explanation has been given why the features cannot be tested
  • Documentation and comments have been added to the codebase where required
  • Entry added to CHANGELOG.md if appropriate
  • Outstanding questions and concerns have been resolved
  • Any next steps have been turned into Issues or Discussions as appropriate

solebared
solebared reviewed Nov 30, 2021
View reviewed changes
Copy link
Collaborator

@solebared solebared left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this @bobmazanec ! 🙏🏾 .
Looks good, just one thought below.

app/policies/nav_bar_policy.rb Outdated
Comment on lines 14 to 16
def is_admin?(user)
user && (user.admin_role? || user.sys_admin_role?)
end
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ApplicationPolicy base class provides a can_admin? method that serves the same purpose. In fact, looking at line 8 above, you can probably add Feedback to the array there instead.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed—thanks for pointing that out (plus a little 🤦 😄)
Updated/simplified (e139258)

Anything else?

Thanks!

Use ApplicationPolicy#can_admin?
e139258 
Per comments on #996, use ApplicationPolicy#can_admin? rather than
duplicating it in NavBarPolicy#is_admin?
solebared
solebared approved these changes Nov 30, 2021
View reviewed changes
Copy link
Collaborator

@solebared solebared left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sweet, thanks for the quick turnaround!

@solebared solebared merged commit f56bc3a into rubyforgood:main Nov 30, 2021
@bobmazanec bobmazanec deleted the 992-feedback-button branch December 1, 2021 03:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@solebared solebared solebared approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Newly registered user is presented a Feedback option but not authorized to access it
2 participants
@bobmazanec @solebared