Closed begedin closed 6 years ago
I think the policy here really needs to be different, probably more like:
- current_user is authorized if they're the target of the conversation
- current_user is authorized if they're a project admin or higher
Anything else is superfluous.
Problem
See #1286 for an explanation of how a Message system works.
Once we have created a Message and its associated Conversation, any side of the conversation can post a reply.
Each of these replies then creates a ConversationPart containing its contents.
In order to do that, we need a create endpoint.
Subtasks
- create_changeset Messages.ConversationPart. Could even be private
- [:body, :author_id, :conversation_id]
- :read_at is null initially
- create_changeset, or testing Messages.create_conversation_part/1 might be enough
- Policy.ConversationPart.create?
  - current_user is authorized if current_user.id == params["author_id"]
  - current_user is authorized if current_user.id == (params |> get_conversation).user_id
  - current_user is authorized if current_user.id == (params |> get_message).author_id
  - current_user is authorized if admin or higher on (params |> get_project)
- Policy.ConversationPart.create?
- Messages.create_conversation_part(params)
- Messages.ConversationPart.create
- create_changeset
- Messages.create_conversation_part(params)
- create_changeset is private, make sure to test casting behavior to
- ConversationPartController :create endpoint
- Messages.create_conversation_part
- :create endpoint
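
An added example, not code from this issue or from the project: a sketch in Elixir of the narrower policy proposed in the comment, where the decision depends only on server-side state (the conversation's target and the user's project role) and author_id is taken from the authenticated user instead of from params. The module name, the plain-map data shapes, the role names and the sample data are all assumptions constructed for illustration.

```elixir
defmodule Example.ConversationPartPolicy do
  # Hypothetical plain-map model, constructed for this example:
  #   user:         %{id: integer}
  #   conversation: %{id: integer, user_id: integer, project_id: integer}
  #   memberships:  [%{user_id: integer, project_id: integer, role: String.t()}]
  @admin_roles ["admin", "owner"] # assumed names for "admin or higher"

  @doc "True if `user` may add a part to `conversation`."
  # Rule 1: the user is the target of the conversation.
  def create?(%{id: user_id}, %{user_id: user_id}, _memberships), do: true

  # Rule 2: the user is admin or higher on the conversation's project.
  def create?(%{id: user_id}, %{project_id: project_id}, memberships) do
    Enum.any?(memberships, fn m ->
      m.user_id == user_id and m.project_id == project_id and m.role in @admin_roles
    end)
  end

  # Anything else is denied.
  def create?(_user, _conversation, _memberships), do: false

  @doc "Builds insert attrs; author_id comes from the session, never from params."
  def build_attrs(%{id: user_id}, %{id: conversation_id}, params) do
    %{body: Map.get(params, "body"), author_id: user_id, conversation_id: conversation_id}
  end
end

alias Example.ConversationPartPolicy, as: Policy

# Constructed sample data.
conversation = %{id: 10, user_id: 1, project_id: 100}

memberships = [
  %{user_id: 2, project_id: 100, role: "admin"},
  %{user_id: 3, project_id: 100, role: "contributor"}
]

# A contributor who is not the target submits another user's id as author_id.
spoofed_params = %{"author_id" => 1, "body" => "hello"}

IO.inspect(Policy.create?(%{id: 1}, conversation, memberships), label: "target")
IO.inspect(Policy.create?(%{id: 2}, conversation, memberships), label: "project admin")
IO.inspect(Policy.create?(%{id: 3}, conversation, memberships), label: "contributor")
IO.inspect(Policy.build_attrs(%{id: 2}, conversation, spoofed_params), label: "attrs")
```

Because `create?/3` never reads params, a submitted `author_id` cannot influence the decision, and `build_attrs/3` discards it when building the record.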