-
Notifications
You must be signed in to change notification settings - Fork 495
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix access to the version history of organization-level roles #2654
base: master
Are you sure you want to change the base?
Fix access to the version history of organization-level roles #2654
Conversation
def deconflate | ||
say 'deconflate' | ||
|
||
PaperTrail::Version.where.not(conference_id: nil).where(item_type: %[Role UsersRole]).each do |version| | ||
id = version.conference_id | ||
|
||
if Organization.exists?(id) | ||
raise "version #{version.id} conflates organization #{id} with conference #{id}" if Conference.exists?(id) | ||
|
||
version.update_attributes conference_id: nil, organization_id: id | ||
end | ||
end | ||
end |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is untested and needs discussion about how to handle the situation.
857d0b2
to
fe2e5fe
Compare
Codecov Report
@@ Coverage Diff @@
## master #2654 +/- ##
==========================================
+ Coverage 82.15% 82.16% +0.01%
==========================================
Files 146 146
Lines 4780 4783 +3
==========================================
+ Hits 3927 3930 +3
Misses 853 853
Continue to review full report at Codecov.
|
Resolved by #2655. |
fe2e5fe
to
e120a17
Compare
e120a17
to
fe8e82a
Compare
fe8e82a
to
dcbb689
Compare
dcbb689
to
df883c9
Compare
This corrects the specification for the behavior of the Revision History screen; changes to the organization administrator role should be accessible to organization administrators, not conference organizers.
Without this permission, organization administrators can't see the history of changes to the organization administrator role on the Revision History screen.
Resolves failing test spec/features/versions_spec.rb:321 Partially reverts 81853d1
df883c9
to
3f6a9e9
Compare
Checklist
master
branch.Short description of what this resolves, changes proposed
The tests of the version history of organization-level roles are currently failing. In trying to understand why, I encountered several complications:
The tests expect the version history of organization-level roles to be accessible by conference organizers. This surprised me; I expected that organization administrators should have this access, not conference organizers.
Proposed change: Test as an organization administrator.
Regardless of that decision, currently neither organization administrators nor conference organizers have access, due to two independent bugs:
No permission has been granted to access versions of organization-level roles.
Proposed change: Grant permission.
In the metadata of versions of organization-level roles, organization IDs are conflated with conference IDs; affiliation with organization n is recorded as affiliation with conference n. (Confusing name conference_id in versions table #1728)
Proposed change: Distinguish between organization IDs and conference IDs.
The tests that should have caught this return false negatives under SQLite. In this test configuration, the organization and conference happen to have numerically equal IDs, so their conflation goes undetected.
Proposed change: I don't have any good ideas about how to detect this kind of mistake in the future. Maybe randomize IDs by prepopulating tables with filler rows? Or enforce unique IDs upon creation in factories?
I'm not confident about these changes. I don't fully understand the relationship between the
is_admin
flag and theorganization_admin
role, and I'm unclear about what theconference_id
version metadata was supposed to be, e.g. should it be a polymorphic association instead?