
[#149] Restrict access to drawings and organisations #153

Merged: 3 commits, Mar 9, 2017

Conversation

@krissy krissy (Member) commented Mar 6, 2017

This updates the permissions around viewing, editing or deleting drawings, restricting access to Super Admins OR those within the same organisation.

It also restricts viewing, editing or deleting Organisations to Super Admins only.

NB: At this time, all of the urgent role permissions we need for a next pilot involving a second organisation are implemented. However, the Org Admin level is still exactly the same as a normal admin, so there is still a separate ticket (TODO write up) / task left to adjust Org Admin levels to allow them to access and create users - but only in their organisation. Super Admins will need to add new users in the meantime.

Addresses issue: #149

What this does

  • Viewing drawings index:
    • Add a new scope to the Drawing model to filter drawings by org ID
    • Update the Drawings controller to restrict to super admins or use the new scope
  • Viewing/updating/deleting a single drawing:
    • Update the Drawing model with two methods checking view and edit rules, taking into account user role and organisations
    • Update the drawings controller to use the new model methods above, redirect to homepage with appropriate errors if access is denied
  • Restrict all Organisation access to Super Admins only with authorize method

Screenshots

  • Super admin (access to all drawings and orgs): two screenshots
  • Admin or Org admin (access to all drawings within org + no access to edit orgs): two screenshots
  • Attempt to view an unauthorized drawing by accessing URL directly: one screenshot
  • Attempt to edit/delete an unauthorized drawing by accessing URL directly: one screenshot
  • Attempt to access/edit organisations when unauthorized: one screenshot
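As an added example (not the project's own code), the view/edit rules and the two controller checks from the "What this does" list above, modelled in plain Ruby so they run without Rails; the role symbols, the method names and the handling of a missing organisation are assumptions.

```ruby
# Added example, not code from the drawmylife project: the access rules this PR
# describes, modelled in plain Ruby so they can be run without Rails. Role names,
# viewable_by?/editable_by? and the helper names are assumptions.
User = Struct.new(:id, :role, :organisation_id) do
  def super_admin?
    role == :super_admin
  end
end

Drawing = Struct.new(:id, :organisation_id) do
  # View rule: Super Admins see every drawing; anyone else only drawings in their
  # own organisation. A nil organisation on either side is refused explicitly,
  # because `nil == nil` would otherwise grant access to unassigned records.
  def viewable_by?(user)
    return false if user.nil?
    return true if user.super_admin?
    return false if organisation_id.nil? || user.organisation_id.nil?
    organisation_id == user.organisation_id
  end

  # Edit/delete rule: the PR applies the same organisation restriction.
  def editable_by?(user)
    viewable_by?(user)
  end
end

# Stand-in for the Drawing scope used by the index action: Super Admins get the
# full list, everyone else only rows whose organisation_id matches theirs.
def drawings_for_index(drawings, user)
  return drawings if user.super_admin?
  drawings.select { |d| d.viewable_by?(user) }
end

# Stand-ins for the controller checks. Each returns what the action would do:
# :allowed to render, or :redirect_home_with_error for a denied request
# (including a drawing reached by typing its URL directly).
def show_drawing(drawing, user)
  drawing.viewable_by?(user) ? :allowed : :redirect_home_with_error
end

def edit_drawing(drawing, user)
  drawing.editable_by?(user) ? :allowed : :redirect_home_with_error
end

# Organisations: Super Admins only, regardless of organisation membership.
def authorize_organisation_access(user)
  user.super_admin? ? :allowed : :redirect_home_with_error
end
```

The explicit nil check is the one addition beyond the PR's stated rules: without it, a user with no organisation would match every drawing that also has none.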

@steverabino steverabino (Member) left a comment

I think I'm right in my thinking on that comment, tested it out myself and still works as a private method.

@@ -2,4 +2,11 @@ class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception

def authorize_super_admin!
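Review bot: `def authorize_super_admin!` is introduced directly after `protect_from_forgery with: :exception` with no `private` keyword visible above it, so as shown it is a public method on ApplicationController and therefore counts as an action method on every controller that inherits from it; placing it under `private` (the review summary above confirms it still works there) keeps it out of the action method list. The header `@@ -2,4 +2,11 @@` announces seven added lines but only this first one is visible, so the method body, including which role check it performs and where an unauthorized user is sent, cannot be reviewed here.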

@steverabino steverabino temporarily deployed to drawmylife-staging March 6, 2017 22:45 Inactive
@CathMollie (Collaborator)

All worked for me. As an Admin user, I:

  • COULD NOT see other Orgs
  • COULD NOT see other users outside my Org
  • COULD NOT access drawing URLs I was not authorised to see (rejected after sign-in)
  • COULD see drawings by Superuser plus other Admin in my Org
  • COULD edit and delete drawings by Superuser plus other Admin in my Org

@steverabino steverabino (Member) left a comment

Nice PR 👍 👯

@krissy krissy temporarily deployed to drawmylife-staging March 9, 2017 21:24 Inactive
@krissy krissy merged commit 9b77094 into master Mar 9, 2017
@krissy krissy deleted the 149/restrict-non-super-admins-to-org branch March 9, 2017 21:28
kevinpmcc pushed a commit that referenced this pull request Apr 2, 2017
…s-to-org

[#149] Restrict access to drawings and organisations
3 participants