Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Respect current ability in users controllers #3732

Merged
merged 5 commits into from
Aug 24, 2020
Merged

Respect current ability in users controllers #3732

merged 5 commits into from
Aug 24, 2020

Conversation

igorbp
Copy link
Contributor

@igorbp igorbp commented Aug 15, 2020
edited
Loading

Description

Admin users were able to see users, roles, and stock locations that they don't have permission to manage in admin users index and form. This fixes those authorization inconsistencies reported in issue #3668.

  • Users that the admin user can't manage are not listed anymore.
  • Roles that the admin user can't manage are not listed in the search input nor in the users' create/update form.
  • Stock locations that the admin user can't manage are not listed in the user's create/update form.
  • Fixed problem that not accessible roles and stock locations passed in :spree_role_ids and :stock_locations_ids params were still being assigned to the user.

Checklist:

  • I have followed Pull Request guidelines
  • I have added a detailed description into each commit message
  • I have updated Guides and README accordingly to this change (if needed)
  • I have added tests to cover this change (if needed)
  • I have attached screenshots to this PR for visual changes (if needed)

igorbp added 5 commits August 13, 2020 21:27
@igorbp
List only accessible users in Spree::Admin::UsersController
4a9e27f 
Admin user's index was displaying a list with all users even if current
ability states it shouldn't be accessible

Now only users that are allowed to be accessed will be displayed on the
list
@igorbp
Load only accessible roles in Spree::Admin::UsersController
f742f5e
@igorbp
Load only accessible stock locations in Spree::Admin::UsersController
f956f09
@igorbp
Disallow admins to set not accessible users stock locations
39a5888 
Admins users able to create and update a user could inject any stock
location id to user params, and the user would have it assigned to it
even if the admin don't have the ability to manage it.
@igorbp
Disallow admins to set not accessible users roles
3037fc9 
Admins users able to create and update a user could inject any role id
to user params, and the user would have it assigned to it even if the
admin don't have the ability to manage it.
spaghetticode
spaghetticode reviewed Aug 19, 2020
View reviewed changes
Copy link
Member

@spaghetticode spaghetticode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@igorbp thanks for these fixes 🎉

It looks good to me, I left only one question about a change that I'm not 100% sure about.

backend/app/controllers/spree/admin/users_controller.rb
if user_params[:stock_location_ids]
@user.stock_locations =
Spree::StockLocation.accessible_by(current_ability).where(id: user_params[:stock_location_ids])
end
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the behavior was slightly changed. The old code always set the user stock locations, also when the parameter was not present, in that case by stock locations to an empty array. This does not happen anymore here. Is this change wanted?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good question. I took this decision because with these changes admins that can't manage stock locations would remove user's stock locations since the params wouldn't be there.

aldesantis
aldesantis approved these changes Aug 24, 2020
View reviewed changes
Copy link
Member

@aldesantis aldesantis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks so much @igorbp, looks great!

@aldesantis aldesantis merged commit 6ef2528 into solidusio:master Aug 24, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jarednorman jarednorman jarednorman approved these changes

@aldesantis aldesantis aldesantis approved these changes

@spaghetticode spaghetticode spaghetticode approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@igorbp @spaghetticode @aldesantis @jarednorman