phac-nml / irida-next

IRIDA Next
https://phac-nml.github.io/irida-next/
Apache License 2.0

Uploader policy update (DFCT0010069) #627

Closed deepsidhu85 closed 3 weeks ago

deepsidhu85 commented 1 month ago

What does this PR do and why?

Describe in detail what your merge request does and why.

This PR updates policy methods so that a user with the uploader access level can create a sample, modify a sample (create/remove files, update sample metadata), and read projects.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other pull requests.


How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Start up IRIDA Next.
  2. Log in as any user.
  3. Create a project and a group.
  4. Add bot accounts to both with the UPLOADER access level. Copy down the tokens.
  5. Generate new tokens for both bot accounts and set the Expiration to an earlier date. Copy down the tokens.
  6. Use Postman to test out the GraphQL queries.
  7. In Postman, click the icon/button next to Untitled Request and select GraphQL.
  8. In the URL input, type http://localhost:3000/api/graphql
  9. Click on the Authorization tab. Here you can run the query/mutation with the bot accounts, using their email as the username and the tokens as the password. Make sure to try out all the queries/mutations using the valid and expired tokens for each bot account. Verify that the bot account with the UPLOADER access level can query/mutate if it has a valid token; otherwise it should not be able to.
  10. Take a look in the test/graphql/ directory for all the queries and mutations, and to see how the data is passed in to each query and mutation.

PR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

github-actions[bot] commented 4 weeks ago

Simplecov Report

Covered: 92.45% (threshold: 90%)

ericenns commented 3 weeks ago

Overall looks great!

Can you make a separate error message for attempting to use an expired token? Right now the error returned is Unable to access object while accessing the API in guest mode, which doesn't make much sense for this case.

I added that error message in PR 620. At that stage, the token would have already failed authentication, and when that happens the User is placed in guest mode. The same thing happens if the User attempts to use the API without a token. So when the error is thrown there is no context of having an expired token, as it won't be set. So, a long way around to saying that we can't change this error message, as it can be thrown when accessing specific API endpoints that require authorization while attempting to use an expired token or while not providing any token at all.
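Added example, not code from the phac-nml/irida-next repository: a self-contained Ruby model of the flow that the validation steps and the reply above describe. Basic-auth credentials (email as username, personal access token as password) are resolved to a user; a missing, unknown or expired token drops the request into guest mode before any policy runs, which is why the resolver can only raise the generic guest-mode message; and the uploader policy allows exactly the actions the PR description lists. The access-level numbering, the extra levels, the destroy_sample rule, the bot e-mail addresses and the token strings are constructed assumptions for the example. probe_matrix runs the valid/expired token matrix that step 9 asks the reviewer to try by hand.

```ruby
require 'time'

# Illustration only; not IRIDA Next code. Level names follow the thread
# (GUEST, UPLOADER); the numeric ordering and other levels are assumed.
ACCESS_LEVELS = { guest: 10, uploader: 20, analyst: 30, maintainer: 40, owner: 50 }.freeze

# In-memory stand-ins for the DB rows (constructed sample data).
BotAccount  = Struct.new(:email, :access_level, :tokens)
AccessToken = Struct.new(:value, :expires_at) do
  def active?(now)
    expires_at.nil? || expires_at > now
  end
end

# Sentinel for "no authenticated user": the API then runs in guest mode.
GUEST_USER = :guest

class ApiError < StandardError; end

# The message quoted in the review comment. It is raised whenever a resolver
# runs without an authenticated user, so it cannot say why auth failed.
GUEST_MODE_MESSAGE = 'Unable to access object while accessing the API in guest mode'

# HTTP basic auth as in the Postman steps: email + token. A missing, unknown
# or expired token all resolve to GUEST_USER; the expiry is not kept around.
def authenticate(bots, email, token_value, now)
  bot   = bots.find { |b| b.email == email }
  token = bot&.tokens&.find { |t| t.value == token_value }
  return bot if token&.active?(now)

  GUEST_USER
end

# Minimum level per action. Uploader gets the three capabilities the PR
# description lists; the destroy rule is an assumption for contrast.
MIN_LEVEL_FOR = {
  read_project:   :uploader,
  create_sample:  :uploader,
  update_sample:  :uploader,
  destroy_sample: :maintainer
}.freeze

def allowed?(user, action)
  return false if user == GUEST_USER

  required = MIN_LEVEL_FOR[action]
  return false unless required

  ACCESS_LEVELS.fetch(user.access_level) >= ACCESS_LEVELS.fetch(required)
end

# Stand-in for a GraphQL resolver: authentication first, then the policy.
# Returns a GraphQL-style hash with either :data or :errors.
def execute(bots, email:, token:, action:, now: Time.now.utc)
  user = authenticate(bots, email, token, now)
  raise ApiError, GUEST_MODE_MESSAGE if user == GUEST_USER
  raise ApiError, "#{user.email} may not #{action}" unless allowed?(user, action)

  { data: { action => 'ok' } }
rescue ApiError => e
  { errors: [e.message] }
end

# Constructed fixtures: an uploader bot with one valid and one expired token,
# and a guest-level bot with a valid token.
NOW = Time.utc(2024, 6, 1, 12, 0, 0)
DAY = 24 * 60 * 60
BOTS = [
  BotAccount.new('uploader-bot@example.test', :uploader,
                 [AccessToken.new('up-valid', NOW + DAY),
                  AccessToken.new('up-expired', NOW - DAY)]),
  BotAccount.new('guest-bot@example.test', :guest,
                 [AccessToken.new('gu-valid', NOW + DAY)])
].freeze

# Step 9 of the validation procedure: every bot x token x action.
def probe_matrix(bots = BOTS, now: NOW)
  results = {}
  bots.each do |bot|
    bot.tokens.each do |tok|
      MIN_LEVEL_FOR.each_key do |action|
        r = execute(bots, email: bot.email, token: tok.value, action: action, now: now)
        results[[bot.email, tok.value, action]] = r.key?(:data) ? 'ok' : r[:errors].first
      end
    end
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  probe_matrix.each do |(email, tok, action), outcome|
    puts format('%-28s %-11s %-15s %s', email, tok, action, outcome)
  end
end
```

Running the file prints the matrix; the two rows for the expired token and a request with no token both show the guest-mode message, while the guest-level bot with a valid token gets a distinct authorization error, which is the distinction the reply explains.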