Open r-bartlett-gsa opened 2 months ago
Split into two stories
@r-bartlett-gsa @jarahameador Alejandro and I have a question regarding the first piece of Acceptance Criteria. What exactly should the non-gov challenge manager be prevented from seeing? It doesn't look like the portal shows any PII in each submission outside of what could be attached as part of the submission (which we cannot see the contents of from a coding perspective).
Edit to add answer: Non-gov challenge managers should not be able to view submissions through the portal at all. This includes disabling the 'View Submissions' button and hiding the table of all submissions, as the page with the submissions table is possible to access with a direct URL. These changes will also prevent the challenge manager from downloading submissions.
New AC's added 8/27 are completed https://docs.google.com/document/d/1oScGqF9NdV6DLQMqUaqN8tEhnGFSqxi3C8VEt_CPjpc/
The new version is already deployed to Staging
@jdonis Please let me know login credentials and URL for testing purposes. Thanks!
@mhotch24
https://challenge-portal-staging.app.cloud.gov/sign-in/new
I just activated your GSA account to sign in to Staging; you have admin rights. To test as a non-gov you need to sign in using any other email; the next step is to add that account as a challenge manager.
Please let me know if you have any doubts.
@jdonis my account is still pending recertification. Can you approve it or do I need to ask someone else?
@mhotch24 both accounts done!
@jdonis We have a color contrast fail. Please change the table header colors to 'primary-dark' | 'blue-warm-70v' | $theme-color-primary-dark | #1a4480
@r-bartlett-gsa, a11y test complete. Per convo, bypassing cross browser testing. Now to you for AC testing.
@jdonis / @TCKapGrp The AC for this user story is not met, and it needs to go back to Doing. As a non-gov CM I am able to access submissions by entering the URLs of submissions list and details pages:
Can you please share a screenshot of the security log showing the challenge_manager_ng designation?
Does the following AC mean that the non gov challenge manager is not able to submit edits to the challenge?
Additional AC added 8/27 - A _ng CM can not submit a challenge for approval
When I read that AC, I assume it is linked to the AC that does not allow the non-gov CM to create a new challenge and hence is not able to submit the challenge for approval. If that is the case, then the new added AC is met.
However, the message on the portal says this: And that is not true. As a non-gov CM I was able to edit the challenge, and the challenge edits were submitted. That message is not needed, because it is not accurate.
@kkrug I'm still seeing the same issues on staging:
User story
As a security officer, in order to ensure only users with verified identities have access to controlled or sensitive information, I would like to restrict non-government user access, regardless of assigned user role, to submissions and public solvers data.
Acceptance criteria:
Note: public solvers with non .gov or .mil accounts continue to have access to submissions and public solvers data they inputted into challenge.gov
Definition of Done
Doing (dev team)
[x] Move card to testing column in the board
Staging
[ ] Color contrast compliance
[ ] Cross browser testing - UI rendering is performant on below listed devices/browsers (Tracy or Marni)
- [ ] Windows/Chrome
- [ ] Windows/Edge
- [ ] Mac/Chrome
- [ ] Mac/Safari
- [ ] iOS/Safari
[ ] Move to production column in the board
Production
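
The gap reported in this thread (submissions hidden in the UI but still reachable by entering the list and details URLs) is closed by making the access decision on the server for every submissions route. The sketch below is an added example, not the portal's code: the URL shapes, the role names other than `challenge_manager_ng`, and the sample data are assumptions.

```python
import re
from dataclasses import dataclass

GOV_SUFFIXES = (".gov", ".mil")
STAFF_ROLES = {"admin", "challenge_manager"}  # assumed role names

# Assumed URL shapes; the portal's real paths are not shown in the thread.
PROTECTED = [re.compile(p) for p in (
    r"^/challenges/\d+/submissions$",          # submissions table
    r"^/submissions/(?P<sid>\d+)$",            # submission details
    r"^/submissions/(?P<sid>\d+)/download$",   # submission download
)]

# Constructed sample data: submission id -> submitter's user id.
SUBMISSION_OWNER = {101: 7}

@dataclass(frozen=True)
class User:
    id: int
    email: str
    role: str

def is_gov(user):
    return user.email.lower().endswith(GOV_SUFFIXES)

def can_view_submissions(user, owner_id=None):
    """Single server-side decision shared by list, details and download."""
    if owner_id is not None and user.id == owner_id:
        return True   # solvers keep access to what they submitted
    if user.role.endswith("_ng") or not is_gov(user):
        return False  # non-gov: denied regardless of assigned role
    return user.role in STAFF_ROLES

def handle(user, path):
    """Return the HTTP status a direct request to `path` would get."""
    for pattern in PROTECTED:
        m = pattern.match(path)
        if m:
            sid = m.groupdict().get("sid")
            owner = SUBMISSION_OWNER.get(int(sid)) if sid else None
            return 200 if can_view_submissions(user, owner) else 403
    return 404

def direct_url_statuses(user, paths):
    """Regression helper: request every protected path as `user`."""
    return {p: handle(user, p) for p in paths}
```

Running `direct_url_statuses` over every submissions path as a `challenge_manager_ng` account gives AC testing a repeatable check that does not depend on which buttons the UI shows.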