Closed emteknetnz closed 3 years ago
I've updated the ACs
I spent some time trying to solve this through #62. There's a couple thoughts:
LoginSessionController
is not covered by any unit test which is probably why we miss this for so long
DELETE admin/loginsession/remove/123
is a weird REST API call, it should be DELETE admin/loginsession/123
private static $required_permission_codes = false;
to LoginSessionController
. This mimics what CMSProfileController
does. LoginSessionController
needs to be a LeftAndMain
.LoginSessionController
should even exists. Other form fields that need AJAX endpoint add them as URL handlers directly on the FormField.In short, this is an example of how cutting corners and not following best practices does not actually save you time in the long run.
My preference is do it all and refactor the whole thing to make it more proper. And of course there's no sane argument against "Do it right first time"
I'm just not sure the time investment is worth it at this stage in the project though? Seems like the refactor itself could easily add several days once peer-review and testing is taken into consideration?
Other than "code less bad" what's the long term benefit here? There's no plan at this stage to develop or extend this module any further beyond this project.
Seems like MVP here is:
?
Obviously, I don't know that if we don't refactor this bit of the system, some horrible calamity will befall us. It's totally possible - even probable - that we could get away with the suggested MVP and never have to look at this bit of code ever again.
But it's worth pointing out that this refactor is relatively cheap right now:
If we ship this like this in version 1.0.0, we're stuck keeping it like this forever.
On a side note that's probably more relevant for a post-project retro, there seems to have been very little planning around the architecture of this module or review of the pre-existing implementation. I would argue that this led to a lot of those late critical issues:
Cucumber test looks good
Non-admin user isn't able to revoke their own sessions.
With a test user in the group "Content authors", when attempting to revoke a session I see a red toast "Could not log out of session. Try again later"
Originally noted on this pull-request https://github.com/silverstripe/silverstripe-session-manager/pull/62#issuecomment-823742134
ACs
Pull request