GC Digital Talent is the new recruitment platform for digital and tech jobs in the Government of Canada.
Our custom ProtectedRequestUserChecker class adds an extra layer to the Laratrust isAbleTo check. If a permission would require any role besides Applicant or Base roles, it fails unless the request came from the Protected endpoint.
However, in the case of an array of permissions being passed in, it seems to always fail. The default behaviour of this method is to pass as long as the user has one of the permissions (unless a second parameter of true is passed in).
🦋 Expected Behaviour
If an array of permissions is passed in, without a second parameter of true, then ProtectedRequestUserChecker should evaluate each permission separately. As long as any one permission belongs to the user and is unprivileged, then it should succeed even outside of a privileged request.
🕵️ Details
This is related to #11144 and #11143.
📋 Steps to Reproduce
Open a Laravel tinker session: `php artisan tinker`
Find the applicant user: `$applicant = User::where('email', 'applicant@test.com')->first()`
Compare the results of `$applicant->isAbleTo('view-own-application')` and `$applicant->isAbleTo(['view-own-application'])`
🙋♀️ Proposed Solution
Split the array internally (privileged and unprivileged) and check them separately.
✅ Acceptance Criteria
A set of assumptions which, when tested, verify that the bug was addressed.
[ ] If an array of permissions is passed in to user->isAbleTo(), without a second parameter of true, then ProtectedRequestUserChecker should evaluate each permission separately. As long as any one permission belongs to the user and is unprivileged, then it should succeed even outside of a privileged request.
[ ] If the second param of true is passed in, it should return true if and only if:
    The user has every permission
    Each permission is non-privileged OR the request came from the secure endpoint
[ ] PHPUnit tests that check that isAbleTo works as expected with arrays and single permissions, on protected and non-protected endpoints
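As an added example (not the project's code, and not the real ProtectedRequestUserChecker), the PHP stand-in below implements the split described in the Proposed Solution and the pass/fail rules in the acceptance criteria, then runs the reproduction from the Steps to Reproduce against it. It assumes PHP 8. The class name ProtectedPermissionChecker, its constructor arguments, the privileged permission name 'view-any-application', and the sample permission lists are all hypothetical; it takes $requireAll as its second argument to match the issue's description rather than Laratrust's own method signature, and a user here is simply a list of permission names instead of a set of roles.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the checker discussed in the issue (example code,
// not the project's). "Privileged" means a permission that would require a
// role other than Applicant or Base.
final class ProtectedPermissionChecker
{
    /**
     * @param string[] $userPermissions permissions the user actually holds
     * @param string[] $privileged      permissions that need a non-Applicant/Base role
     * @param bool     $protectedRequest true if the request came via the protected endpoint
     */
    public function __construct(
        private array $userPermissions,
        private array $privileged,
        private bool $protectedRequest,
    ) {
    }

    /**
     * Split the requested permissions into privileged and unprivileged
     * groups and evaluate each group on its own.
     *
     * $requireAll = false: pass if ANY requested permission passes.
     * $requireAll = true:  pass only if EVERY requested permission is held and
     *                      is either unprivileged or the request is protected.
     *
     * @param string|string[] $permissions
     */
    public function isAbleTo(string|array $permissions, bool $requireAll = false): bool
    {
        $requested = is_array($permissions) ? array_values($permissions) : [$permissions];
        if ($requested === []) {
            return false; // nothing requested: deny rather than vacuously allow
        }

        $privileged   = array_values(array_intersect($requested, $this->privileged));
        $unprivileged = array_values(array_diff($requested, $this->privileged));

        if ($requireAll) {
            // All unprivileged ones must be held; privileged ones count only
            // when the request is protected, and then all of them must be held.
            return $this->hasAll($unprivileged)
                && ($privileged === [] || ($this->protectedRequest && $this->hasAll($privileged)));
        }

        // One held unprivileged permission is enough on any endpoint; a held
        // privileged permission only counts on the protected endpoint.
        return $this->hasAny($unprivileged)
            || ($this->protectedRequest && $this->hasAny($privileged));
    }

    /** @param string[] $perms */
    private function hasAll(array $perms): bool
    {
        return array_diff($perms, $this->userPermissions) === [];
    }

    /** @param string[] $perms */
    private function hasAny(array $perms): bool
    {
        return array_intersect($perms, $this->userPermissions) !== [];
    }
}

// Constructed sample data (not from the project): the applicant holds one
// unprivileged permission and one privileged permission.
$privileged = ['view-any-application'];
$held       = ['view-own-application', 'view-any-application'];

$check = static function (bool $actual, bool $expected, string $label): void {
    if ($actual !== $expected) {
        throw new RuntimeException("$label: expected " . var_export($expected, true));
    }
};

$unprotected = new ProtectedPermissionChecker($held, $privileged, protectedRequest: false);
$protected   = new ProtectedPermissionChecker($held, $privileged, protectedRequest: true);

// The reproduction from the issue: string and one-element array must agree.
$check($unprotected->isAbleTo('view-own-application'), true, 'string, unprotected');
$check($unprotected->isAbleTo(['view-own-application']), true, 'array, unprotected');

// "Any" semantics: one unprivileged hit passes even off the protected endpoint.
$check($unprotected->isAbleTo(['view-own-application', 'view-any-application']), true, 'any, unprotected');
// A privileged-only request fails off the protected endpoint and passes on it.
$check($unprotected->isAbleTo(['view-any-application']), false, 'privileged, unprotected');
$check($protected->isAbleTo(['view-any-application']), true, 'privileged, protected');

// requireAll: a privileged member blocks the check unless the request is protected.
$check($unprotected->isAbleTo(['view-own-application', 'view-any-application'], true), false, 'all, unprotected');
$check($protected->isAbleTo(['view-own-application', 'view-any-application'], true), true, 'all, protected');

echo "all checks passed\n";
```

The last seven calls are the cases the acceptance criteria ask a PHPUnit test to cover; in a real test each `$check` would become an assertion, and `protectedRequest` would be derived from the incoming request rather than passed in.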