Closed martha closed 15 hours ago
@martha I'd like to dig into why this isn't ACL ready yet. `Project.viewable_by` defers to `Project.viewable_by_entity`, which is set up to handle ACLs. Was it just that it's not set up to handle multiple permissions for a single entity?
Please squash merge this PR
Description
PIT QA fix for: https://github.com/open-path/Green-River/issues/6481#issuecomment-2389756617
Bug: For a user using legacy permissions (not ACLs), you can still see the "Client Locations" link in the Warehouse Project page, even if you don't have the permission to view project locations.
The issue is that the `Project`'s `viewable_by_entity` scope accepts a permission arg, but only uses the permission if the user is using ACLs. If they are using legacy access controls then it just checks viewability.

Fix: Per @gigxz's suggestion I've simplified the permission check so it's not ACL-compatible, since this view on the whole is not ACL-ready (it is also using `can_edit_projects?` and `can_delete_projects?` without checking against the specific entity).

(I thought I checked this case before but was likely fooled by local caching.)
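The failure mode described above, as an added plain-Ruby illustration that is not the Green-River project's code: a scope takes a permission argument but honours it only on the ACL path, so legacy-permission users fall through to a bare "can view projects" check. The `User` model, the `:can_view_project_locations` permission name and the fixed variant (which makes the legacy path check the requested permission as well, a different route from the one the PR took) are assumptions for the example.

```ruby
# Constructed model of the bug: a scope whose permission argument is only
# consulted on one of two authorization code paths.
Project = Struct.new(:id, :name)

class User
  attr_reader :legacy_permissions, :acl_grants

  # legacy_permissions: role-wide permission symbols (hypothetical names)
  # acl_grants: { project_id => [permission symbols] } for ACL users, or nil
  def initialize(legacy_permissions: [], acl_grants: nil)
    @legacy_permissions = legacy_permissions
    @acl_grants = acl_grants
  end

  def using_acls?
    !acl_grants.nil?
  end

  def can_view_projects?
    legacy_permissions.include?(:can_view_projects)
  end
end

# Constructed sample data standing in for a Project.all relation.
PROJECTS = [Project.new(1, 'Warehouse'), Project.new(2, 'Shelter')].freeze

def acl_filter(user, permission, projects)
  projects.select { |p| user.acl_grants.fetch(p.id, []).include?(permission) }
end

# Buggy version: under legacy access controls the :permission argument is
# never looked at, so any legacy user who can view projects passes.
def viewable_by_entity_buggy(user, permission:, projects: PROJECTS)
  return acl_filter(user, permission, projects) if user.using_acls?

  user.can_view_projects? ? projects : [] # permission silently ignored
end

# Fixed version: the legacy path must also hold the requested permission.
def viewable_by_entity_fixed(user, permission:, projects: PROJECTS)
  return acl_filter(user, permission, projects) if user.using_acls?

  allowed = user.can_view_projects? && user.legacy_permissions.include?(permission)
  allowed ? projects : []
end
```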