search

rubyforgood / homeward-tails

Homeward Tails is an application making it easy to link adopters/fosters with pets. We work with grassroots pet rescue organizations to understand how we can make the most impact.
MIT License
68 stars 113 forks source link

Clicking pet when viewing adoption applications as adopter fosterer leads to unauthorized error #1056

Open coalest opened 3 weeks ago

coalest commented 3 weeks ago

Reproduction steps:

  1. Log in as an adopter, eg. adopter1@alta.com:123456
  2. Go to the Adoption Applicationspage
  3. Click on a pet's name.
  4. See the error message like screenshot below: Screenshot from 2024-10-10 20-27-17

Expected behavior:

In theory I have already put in an application to adopt these pets, so I would expect to be directed to a page with information about that pet (either generic information or information on the application I made).

Actual behavior:

I see an error message flash that says "You are not authorized to perform this action." In the logs, I see a request was sent to GET /alta/adoptable_pets/1 failed the policy check and resulted in a 302 redirect. I believe because this part of the expression returns false as the pet does have a match (the current user).

princekumarg12 commented 3 weeks ago

Hi, I would like to take on the task regarding the authorization issue with the adoption application page. I believe I can help identify and resolve the underlying policy check problem.

Please let me know if I can be assigned to this task.

kasugaijin commented 3 weeks ago

@princekumarg12 all yours!

princekumarg12 commented 3 weeks ago

@kasugaijin i found this while debugging

There are two reasons for this bug:

  1. user.staff_account is nil, which causes authorization to be denied. See the screenshot for reference. Screenshot from 2024-10-13 00-28-54

  2. The user does not have permission to "manage_pets."

kasugaijin commented 3 weeks ago

Ah good catch! So we have this PR https://github.com/rubyforgood/pet-rescue/pull/1039 to remove the StaffAccount and replace it with Person model. Can you please check out that branch and see if the bug still happens on that branch? It might not be a bug in that branch.

princekumarg12 commented 3 weeks ago

I checked out the branch 1034-replace-staffaccount and found that the issue still persists.

kasugaijin commented 3 weeks ago

Ah ok thank you! I think it would make sense to hang on until that branch https://github.com/rubyforgood/pet-rescue/pull/1039 is merged because we are changing the architecture around a bit, and I think that would impact this fix.

kasugaijin commented 2 weeks ago

FYI @princekumarg12 that branch mentioned above is now merged. Are you interested in pursuing this now?