A central place that engineering students at Queen's University can come to manage various different aspects of their life as a student. :collision: :feet:
Description
All scheduled interviews for all organizations show up on the calendar when a manager tries to schedule an interview.
Expected Behavior
Should only show the interviews that manager has scheduled.
Actual Behavior
Instead shows all interviews that any manager has scheduled (this is a problem for confidentiality).
Steps to Reproduce
1. Schedule interviews with different manager accounts. A manager should only be able to see the interviews they have scheduled.
2. Navigate to any page with the calendar (for example, dash.engsoc.queensu.ca/interviews/manage) and you will see all scheduled interviews, not just the ones pertinent to that specific account.
NOTE: An admin account should be able to see all scheduled interviews, so this behaviour is ok on the dash.engsoc.queensu.ca/interviews/admin page.
NOTE: It seems in the code, the current token used to populate the calendars is @interviews.
In app/views/interviews/new.html.erb, line 16:
<%= render 'calendar', interviews: @interviews %>
Replacing the @interviews variable with an empty JSON, as below, results in an empty calendar:
<%= render 'calendar', interviews: {} %>
Perhaps there is another variable that only holds the relevant interviews? Or a way to check permissions on the interviews?
Just throwing it out there, I am unfamiliar with the code so I realize it may not be that simple!
Environment
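The scoping the report asks about, as an added example that is not part of the original issue or the project's code: a plain-Ruby model that filters interviews on the server before the calendar view receives them, next to the unscoped behaviour described above. `User`, `Interview`, the `:admin`/`:manager` roles and `scheduled_by_id` are hypothetical names, since the page does not show the project's schema or controller.

```ruby
require 'time'

# Hypothetical stand-ins for the app's models (assumed, not from the project).
User      = Struct.new(:id, :role, keyword_init: true)
Interview = Struct.new(:id, :organization, :scheduled_by_id, :starts_at, keyword_init: true)

# Behaviour described in the issue: every caller receives every interview.
def unscoped_interviews(_user, interviews)
  interviews
end

# Scoped lookup: visibility is decided server-side, before rendering.
# Admins see everything, managers only what they scheduled, and any
# missing or unknown role sees nothing (fail closed).
def visible_interviews(user, interviews)
  return [] if user.nil?

  case user.role
  when :admin   then interviews
  when :manager then interviews.select { |i| i.scheduled_by_id == user.id }
  else []
  end
end

# Payload handed to the calendar partial: built only from the scoped set.
def calendar_events(user, interviews)
  visible_interviews(user, interviews).map do |i|
    { id: i.id, title: i.organization, start: i.starts_at.iso8601 }
  end
end

# Regression helper: ids the unscoped path exposes that the user must not see.
def leaked_ids(user, interviews)
  (unscoped_interviews(user, interviews) - visible_interviews(user, interviews)).map(&:id)
end

# Constructed sample data for illustration.
ALICE = User.new(id: 1, role: :manager)
BOB   = User.new(id: 2, role: :manager)
ADMIN = User.new(id: 3, role: :admin)
INTERVIEWS = [
  Interview.new(id: 10, organization: 'Org A', scheduled_by_id: 1, starts_at: Time.utc(2024, 1, 15, 14, 0)),
  Interview.new(id: 11, organization: 'Org B', scheduled_by_id: 2, starts_at: Time.utc(2024, 1, 16, 9, 30)),
  Interview.new(id: 12, organization: 'Org A', scheduled_by_id: 1, starts_at: Time.utc(2024, 1, 17, 11, 0))
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "Bob's calendar: #{calendar_events(BOB, INTERVIEWS).inspect}"
  puts "Leaked to Bob when unscoped: #{leaked_ids(BOB, INTERVIEWS).inspect}"
end
```

Filtering in the view alone would not close the gap if the full list is still loaded and serialized elsewhere; the scope belongs where the records are fetched.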