DMPbelgium / roadmap


cannot download plan #82

Closed StCyr closed 4 months ago

StCyr commented 11 months ago

Please complete the following fields as applicable:

What version of the DMPRoadmap code are you running? (e.g. v2.2.0)

4.1.0

Expected behavior:

See actual behavior first to understand the issue

In my dashboard, 2 possibilities:

  1. either the list of my organization's plans contains only the plans created by other users of my organization, or;
  2. the list contains the same plans as described in the "actual behavior" but you can open all of them without error

Actual behavior:

In my dashboard, the list of my organisation's plans contains:

  1. The plans for which my organization is the primary research organization
  2. The plans created by other users of my organization.

(only plans whose visibility has been set to "organisation", of course)

For the plans for which my organisation is the primary research organisation, you cannot open such a plan unless the user who created it is ALSO a user of your organisation

Steps to reproduce:

  1. Let's have 2 users X, and Y, both members of organisation A
  2. Let's have user X create a plan and set its primary research organisation to A
  3. Let's confirm that user Y can see the plan
  4. Let's have user X's organisation changed to organisation B
  5. Let's confirm that user Y cannot see the plan anymore

Though the plan's primary research organisation is set to A, user Y cannot see it because user X has been moved to another organisation

nicolasfranck commented 10 months ago

I do not understand. Are there plans missing?

From what I understand, it should show the following:

StCyr commented 9 months ago

ok, re-reading this issue, I understand it's not clear enough.

I've completed the "steps to reproduce" paragraph to make it clear enough, I hope.

nicolasfranck commented 9 months ago

I think there is a misconception here:

In short: access to a plan is explicitly mapped in table roles, not because you are part of the same organization.

StCyr commented 9 months ago

hmmm on test.dmponline.be, set yourself as working for Belnet, then try to download the "test" plan:


You get a blank page, and in the logs, I'll get this:

Sep 26 15:01:52 dmponline 9bc6d88a2440[1233]: I, [2023-09-26T13:01:52.471769 #16]  INFO -- : [5dd0d329-62d8-4e70-a66d-4fb778576dca] Started GET "/plans/64841/export.pdf?export%5Bquestion_headings%5D=true" for 193.190.130.1 at 2023-09-26 13:01:52 +0000
Sep 26 15:01:52 dmponline 9bc6d88a2440[1233]: I, [2023-09-26T13:01:52.474673 #16]  INFO -- : [5dd0d329-62d8-4e70-a66d-4fb778576dca] Processing by PlanExportsController#show as PDF
Sep 26 15:01:52 dmponline 9bc6d88a2440[1233]: I, [2023-09-26T13:01:52.474766 #16]  INFO -- : [5dd0d329-62d8-4e70-a66d-4fb778576dca]   Parameters: {"export"=>{"question_headings"=>"true"}, "plan_id"=>"64841"}
Sep 26 15:01:52 dmponline 9bc6d88a2440[1233]: E, [2023-09-26T13:01:52.511655 #16] ERROR -- : [5dd0d329-62d8-4e70-a66d-4fb778576dca] You are not authorized to perform this action.
Sep 26 15:01:52 dmponline 9bc6d88a2440[1233]: I, [2023-09-26T13:01:52.512251 #16]  INFO -- : [5dd0d329-62d8-4e70-a66d-4fb778576dca] Completed 406 Not Acceptable in 37ms (ActiveRecord: 14.5ms | Allocations: 5859)
Sep 26 15:01:52 dmponline 9bc6d88a2440[1233]: F, [2023-09-26T13:01:52.513138 #16] FATAL -- : [5dd0d329-62d8-4e70-a66d-4fb778576dca]   
Sep 26 15:01:52 dmponline 9bc6d88a2440[1233]: [5dd0d329-62d8-4e70-a66d-4fb778576dca] ActionController::UnknownFormat (ActionController::UnknownFormat):
Sep 26 15:01:52 dmponline 9bc6d88a2440[1233]: [5dd0d329-62d8-4e70-a66d-4fb778576dca]   
Sep 26 15:01:52 dmponline 9bc6d88a2440[1233]: [5dd0d329-62d8-4e70-a66d-4fb778576dca] app/controllers/application_controller.rb:189:in `render_respond_to_format_with_error_message'
Sep 26 15:01:52 dmponline 9bc6d88a2440[1233]: [5dd0d329-62d8-4e70-a66d-4fb778576dca] app/controllers/application_controller.rb:37:in `user_not_authorized'
Sep 26 15:01:52 dmponline 9bc6d88a2440[1233]: I, [2023-09-26T13:01:52.572407 #16]  INFO -- : [f73e7576-4513-424b-9c2b-f3b5efecd6f9] Started GET "/favicon.ico" for 193.190.130.1 at 2023-09-26 13:01:52 +0000
Sep 26 15:01:52 dmponline 9bc6d88a2440[1233]: F, [2023-09-26T13:01:52.574447 #16] FATAL -- : [f73e7576-4513-424b-9c2b-f3b5efecd6f9]   
Sep 26 15:01:52 dmponline 9bc6d88a2440[1233]: [f73e7576-4513-424b-9c2b-f3b5efecd6f9] ActionController::RoutingError (No route matches [GET] "/favicon.ico"):
Sep 26 15:01:52 dmponline 9bc6d88a2440[1233]: [f73e7576-4513-424b-9c2b-f3b5efecd6f9]   

This happens because Lisa created this plan while working for Belnet and is now set to be working for UGent.

This is a bug: either the plan shouldn't appear in the list, or it should be downloadable (or at the very least, the user shall receive an error message explaining the reason why the plan cannot be downloaded)

PS: If you now change Lisa's organisation back to Belnet, you'll be able to download the plan.

nicolasfranck commented 9 months ago

There are a few problems here:

In short: the policy of organizational visible plans and the exports do not work well together. That parameter export[form]=true is there to make a difference between requests coming from the "plan download page" where settings can be chosen, and requests coming from outside (public!) where settings cannot be chosen (it relies on default values).
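The state described in this thread (a plan that appears in the dashboard list but fails authorization on export, with the not-authorized handler itself blowing up on the PDF format) can be reproduced with a small model. The following is an added example, not code from DMPRoadmap or DMPbelgium: every class, method and role name in it is a hypothetical stand-in for whatever the real `roles` table and Pundit policies do, and it only encodes the behaviour reported above.

```ruby
# Added example, not code from DMPRoadmap or DMPbelgium. It models the two
# access checks discussed in this issue with plain Ruby objects so the
# "listed but not exportable" state can be reproduced offline.
# Every class, method and role name here is a hypothetical stand-in.

Org  = Struct.new(:id, :name)
User = Struct.new(:id, :org)                 # org is mutable: step 4 moves X
Role = Struct.new(:user, :access)            # access: :creator, :editor, :reader
Plan = Struct.new(:id, :title, :visibility, :research_org, :roles)

ORG_VISIBLE = :organisationally_visible

# Dashboard listing as described under "Actual behavior": org-visible plans
# whose primary research organisation is the viewer's org, plus org-visible
# plans created by a *current* member of the viewer's org.
def org_plans_for(user, plans)
  plans.select do |plan|
    next false unless plan.visibility == ORG_VISIBLE
    plan.research_org == user.org || created_by_member_of?(plan, user.org)
  end
end

def created_by_member_of?(plan, org)
  plan.roles.any? { |r| r.access == :creator && r.user.org == org }
end

# Export check as the thread describes it: an explicit role on the plan, or the
# creator currently belonging to the viewer's org. research_org is never
# consulted, which is the mismatch with the listing above.
def export_allowed_by_roles?(user, plan)
  return true if plan.roles.any? { |r| r.user == user }
  plan.visibility == ORG_VISIBLE && created_by_member_of?(plan, user.org)
end

# Consistent variant: the predicate that puts a plan on the dashboard is the
# predicate that permits its export, so the two can never disagree.
def export_allowed_consistent?(user, plan)
  return true if plan.roles.any? { |r| r.user == user }
  !org_plans_for(user, [plan]).empty?
end

# Not-authorized handler in the shape the log suggests: it only knows how to
# render a few formats (hypothetical set), so a PDF export request raises
# instead of producing an error page. With fallback: true, unknown formats get
# the same redirect-with-message as HTML.
class UnknownFormat < StandardError; end

def not_authorized_response(format, fallback: false)
  case format
  when :html then { status: 302, body: "redirect with flash: not authorized" }
  when :json then { status: 401, body: { error: "not authorized" } }
  else
    raise UnknownFormat, format.to_s unless fallback
    { status: 302, body: "redirect with flash: not authorized (#{format})" }
  end
end

# The issue's "Steps to reproduce", run against the model above.
def reproduce
  org_a = Org.new(1, "A")
  org_b = Org.new(2, "B")
  x = User.new(1, org_a)
  y = User.new(2, org_a)
  plan = Plan.new(64841, "test", ORG_VISIBLE, org_a, [Role.new(x, :creator)])

  step3 = { listed: !org_plans_for(y, [plan]).empty?,
            exportable: export_allowed_by_roles?(y, plan) }
  x.org = org_b                                   # step 4: X moves to B
  step5 = { listed: !org_plans_for(y, [plan]).empty?,
            exportable: export_allowed_by_roles?(y, plan),
            exportable_consistent: export_allowed_consistent?(y, plan) }
  { before_move: step3, after_move: step5 }
end

if __FILE__ == $PROGRAM_NAME
  p reproduce
  begin
    not_authorized_response(:pdf)
  rescue UnknownFormat => e
    puts "pdf export without fallback: UnknownFormat (#{e.message})"
  end
  p not_authorized_response(:pdf, fallback: true)
end
```

Running it prints `listed: true, exportable: true` before the move and `listed: true, exportable: false` after it, which is exactly the dashboard-versus-export disagreement reported above; `export_allowed_consistent?` stays true because it reuses the listing predicate. The second part shows why the user saw a blank page rather than a message: when the not-authorized handler has no branch for the requested format, the failure path itself raises, and a catch-all branch is what turns that into an error page.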

nicolasfranck commented 9 months ago

I have put a detailed issue here: https://github.com/DMPRoadmap/roadmap/issues/3345 and added my thoughts there as well.

nicolasfranck commented 9 months ago

@StCyr

I have pushed a preliminary fix here: https://github.com/DMPbelgium/roadmap/commit/9c2ef9f9bb4bd2c8cb58bbb3bc9c3ce6303186bb

It is done in the override file config/initializers/ugent.rb where all the rest of the overrides are. I am interested in the ideas of the dmproadmap team too.

StCyr commented 9 months ago

I've rebuilt test.dmponline.be.

It seems to be working now.

TheLisaVL commented 4 months ago

Fixed in the December '23 update.