Test field level permissions

hackforla / peopledepot

A project to setup a datastore for people and projects at HackforLA. The link below takes you to the code documentation

https://hackforla.github.io/peopledepot/

GNU General Public License v2.0

5 stars 24 forks source link

Test field level permissions #274

Open anandramakris opened 2 months ago

anandramakris commented 2 months ago

Overview

We are planning on including field-level security for tables. The required permissions need to be tested before implementation.

Action Items

implement code needed for FLS (tables, possibly models)
- [x] create tables
- [x] add test data
test Practice Lead project
[ ] create test cases for FLS

Resources/Instructions

PostgreSQL documentation for field-level security policies
Django multitenancy
Use cases and tests for FLS feasibility: https://github.com/hackforla/peopledepot/issues/150#issuecomment-2043688312
Tables and test data
Ethan's proposal and documentation on the wiki: https://github.com/hackforla/peopledepot/wiki/Security:-Field-Level-Proposal-(using-Github-Copilot)

ExperimentsInHonesty commented 2 months ago

@anandramakris, @Neecolaa and I just finished writing - Use cases and tests for FLS feasibility: https://github.com/hackforla/peopledepot/issues/150#issuecomment-2043688312, and we have added the link to this comment above under Resources. Let us know in a comment here if you have any questions.

anandramakris commented 2 months ago

Have attempted to implement the permission table and the test data in the field-level-permissions branch.

https://github.com/hackforla/peopledepot/tree/field-level-permissions
- test data: https://github.com/hackforla/peopledepot/blob/field-level-permissions/app/core/tests/conftest.py
- https://github.com/hackforla/peopledepot/blob/field-level-permissions/app/core/models.py

ExperimentsInHonesty commented 2 months ago

@anandramakris and what was the outcome?

Last time we spoke you were going to setup the data and then feed ChatGPT the prompt with the data so that it could provide a more complete solution. Did you try that, and if so, please cut and past the conversation into this issue.

anandramakris commented 2 months ago

Had forgotten to try it, so I did it first thing this morning.

Attached is a link to the chat, in which I asked in order about:

Testing the classes,
Using pytest with the data,
Specifically testing each value of PermissionType. test-permissions.pdf

ExperimentsInHonesty commented 1 month ago

@anandramakris Please provide update

Progress: "What is the current status of your project? What have you completed and what is left to do?"
Blockers: "Difficulties or errors encountered."
Availability: "How much time will you have this week to work on this issue?"
ETA: "When do you expect this issue to be completed?"
Pictures or links* (if necessary): "Add any pictures or links that will help illustrate what you are working on."

remember to add links to the top of the issue if they are going to be needed again.

anandramakris commented 1 month ago

Asked ChatGPT about field-level permissions in Django, giving the test cases for memberGeneral and memberProject as a basic prompt. Result is attached as pdf. django-fieldpermissions.pdf

Note: the transcript is in pdf becasue the original html file is not accepted by github.

ExperimentsInHonesty commented 3 weeks ago

@ethanstrominger Please do a draft PR, we need to see the file permissions (how they show up in the models) so that we can revise our documentation on who should have which permissions.