Add Role-based restriction to backend mutations #594
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ErlendHaa
force-pushed
the
restrict-mutation-backend
branch
from
e227b4c to
e4c8fde
Compare
ReedOnly
reviewed
Sep 6, 2021
| @@ -1,4 +1,5 @@ | |||
| using System; | |||
| using System.Linq; | |||
There was a problem hiding this comment.
probably don't need linq here
ReedOnly
reviewed
Sep 6, 2021
Comment on lines
-215
to
-218
| public Note EditNote(string noteId, string text) | ||
| { | ||
| Note note = _noteService.GetNote(noteId); | ||
| return _noteService.EditNote(note, text); |
There was a problem hiding this comment.
I guess we are not using, nor want to have the possibility to edit Notes?
There was a problem hiding this comment.
That's my so-far conclusion, yes.
This mutation is unused and there are currently no UI support for
editing notes - nor is any such feature planned.
Updating and maintaining this mutation without any current or future planned use-case for it seams like unnecessary work. If we ever need it, we can revert this commit
ReedOnly
approved these changes
Sep 6, 2021
ErlendHaa
force-pushed
the
restrict-mutation-backend
branch
from
79b3e48 to
55afd45
Compare
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
The goal is to implement restrictions for which roles can do what mutations in the backend. To that end the AssertIsFacilitator is replaced by the more general AssertCanPerformMutation. To avoid having to replicate AssertCanPerformMutation in the mocked version of the AuthService, the method is also moved to the Mutation class.
Extend the functionallity of the MockAuthService class to allow setting different "signed-in"-users.
This commit implements role-based restrictions on the CreateParticipant mutation. Only Facilitator and OrganizationLead can use this mutation. As a consequence, the seeding logic in the cypress test needs to be updated to ensure that the mutation is only performed by a Facilitator.
This commit implements role-based restrictions on the SetAnswer mutation. This effectively excludes Read-Only participants and non-participating users from using this mutation.
This commit implements role-based restrictions on the CreateAction mutation. This effectively excludes Read-Only participants and non-participating users from using this mutation. Whether Role.Participant should be able to create actions is currently up for debate, so this might be subject to change.
This commit implements role-based restrictions on the EditAction mutation. This effectively excludes Read-Only participants and non-participating users from using this mutation. Whether Role.Participant should be able to create actions is currently up for debate, so this might be subject to change.
This commit implements role-based restrictions on the DeleteAction mutation. Only Facilitators are permitted to use this mutation.
This commit implements role-based restrictions on the CreateNote mutation. This effectively excludes Read-Only participants and non-participating users from using this mutation.
This mutation is unused and there are currently no UI support for editing notes - nor is any such feature planned.
This commit implements role-based restrictions on the CreateClosingRemark mutation. This effectively excludes Read-Only participants and non-participating users from using this mutation. Whether Role.Participant should be able to create closing remarks is currently up for debate, so this might be subject to change.
This commit implements role-based restrictions on the DeleteParticipant mutation. Only Facilitator and OrganizationLead are permitted to use this mutation.
This commit implements role-based restrictions on the ProgressParticipant mutation. This effectively excludes Read-Only participants and non-participating users from using this mutation
ErlendHaa
force-pushed
the
restrict-mutation-backend
branch
from
55afd45 to
53e42d7
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds role-based restrictions to all exposed mutations. Additionally it extends the current test-framework to test the new restrictions.
The test framework for Mutation testing in the backend only implements access-based tests at the moment, but it is intended to be used for further correctness testing of the mutations. However that is out of scope of this PR.
Closes #537
Closes #512