Open damisul opened 2 months ago
abartov
commented
2 months ago Are you sure this happens? It does not happen in production, and there is explicit conditional code in the metadata box view that tests whether current_user.editor? or not. Perhaps you are shown this because you have logged in using the Developer button, which makes you an admin automatically?
damisul
commented
2 months ago Yes it surely happens. The problem is that in view we only check if user has editor bit:
- if current_user && current_user.editor?But in corresponding action we additionally check that user has specific flags :
before_action only: [:list, :show, :remove_link, :edit_metadata, :add_aboutnesses] do |c| c.require_editor('edit_catalog') end
before_action only: [:edit, :update] do |c| c.require_editor(['edit_catalog', 'conversion_verification', 'handle_proofs']) endBenefit of framwork like Pundit is that it will allow to write clear rules like ManifestationPolicy.edit_metadata?(manifestation)
and we can reuse such checks both in view and controller. So if some rules need to be updated we'll update both places at the same time. And it has some additional helper methods to simplify access checks.
abartov
commented
2 months ago Yeah, refactoring with Pundit may help tidy up, but not a priority for now.
I understand the access checks are not perfectly synced about the editor bits, but I still don't understand when a non-editor would see these links.
damisul
commented
2 months ago Ok, I agree, as those links are not shown to regular users, this is not urgent. We can surely postpone it.
If user without edit_metadata permission clicks on it he gets redirected to home page with message
רק בעלי הרשאת עריכה רשאים לגשת לדף זהI believe we need to use same access check on read page to avoid those links to be rendered. I'd consider using Pundit gem for this, as described here: https://github.com/abartov/bybeconv/issues/171