Make NavBarPolicy allow Feedback only for Admins #996
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why
To fix #992, show the
Feedback
NavBar button only to Admins & Sys-AdminsI chose those approach after seeing that the route triggered by the
Feedback
button uses theSoftwareFeedbacksController
is derived fromAdminController
, which allows actions only by users with either theadmin
orsys_admin
role. That is, I inferred the UI was incorrectly offering the button.What
Change
NavBarPolicy#visible_buttons
to includeFeedback
only forUser
s with either theadmin
orsys_admin
.How
Moved adding
Feedback
to the allow-list from the line withNavBarPolicy#visible_buttons
's simple non-nil
check to the line guarded with the call toApplicationPolicy#can_admin?
Testing
The PR modifies existing examples, removing the expectation for
Feedback
's presence forneighbor
cases.With modified examples, without modified code - 2 failures
With modified examples & code - 0 failures
Rubocop - no change
Outstanding Questions, Concerns and Other Notes
More about the specs than the bug: in my dev/repro environment, I noticed that my new
User
had theunset
role. This was different fromneighbor
, but both are "neitheradmin
norsys_admin
", so I simply modified the existingcontext
s.Accessibility
None that I'm aware of.
Security
Very slight improvement—now the UI "advertises" one fewer route to non-{,sys}admin users.
Meta
This is my first PR here.
I hope/believe I have read and understood the various guides, policies, etc. (humble apologies if not...)
Constructive feedback welcome, of course.
Pre-Merge Checklist