search

hypothesis / h

Annotate with anyone, anywhere.
https://hypothes.is/
BSD 2-Clause "Simplified" License
2.96k stars 427 forks source link

Allow owners, admins and moderators to edit groups #9064

Closed seanh closed 1 week ago

seanh commented 3 weeks ago

Permit owners, admins and moderators, rather than the group's creator, to edit a group. The creator can't edit the group unless they happen to also be an owner, admin or moderator (creators of groups will be owners unless they've subsequently left the group or changed roles).

This allows owners, admins and moderators to call the edit-group API, to see the "edit group" link on the group's page, and to view the edit-group page.

Testing

  1. Create a group and visit the group's page. As the owner of the group you should see the Edit group link. Click on the link and check that you can edit the group.

  2. Log out and visit the group's edit page to test that an unauthenticated user can't edit a group: you should get a 404.

  3. Log in as another user and visit the group's edit page to check that a non-member can't edit a group.

  4. Join the group and visit the group's edit page to check that a plain member can't edit a group.

  5. Promote the user to moderator or admin and check that now they can edit the group.

    This has to be done in SQL, for example:

    update user_group set roles = '["admin"]'::jsonb where id = 42;