Fix permissions to see admin menu items #3840
Conversation
| cannot [:show], Spree::StockLocation | ||
| cannot [:show], Spree::Zone |
There was a problem hiding this comment.
Shouldn't these two be changed to:
cannot [:admin], Spree::StockLocation
cannot [:admin], Spree::ZoneSo we can be sure that the settings tab is still visible even when the user is not able to access some of its sub-resources?
There was a problem hiding this comment.
Even with the suggested change, the settings tab is not visible. I could change it this way to make sure the settings tab is displayed if one of the inner tab can be accessed but this won't test that the rest of the settings are excluded:
context 'as fakedispatch user' do
before do
allow_any_instance_of(Spree::Admin::BaseController).to receive(:try_spree_current_user).and_return(nil)
end
custom_authorization! do |_user|
can [:admin, :home], :dashboards
can [:admin, :edit, :index, :show], Spree::Order
can [:admin], Spree::Zone
end
it 'should only display tabs fakedispatch has access to' do
visit spree.admin_path
expect(page).to have_link('Orders')
expect(page).not_to have_link('Products')
expect(page).not_to have_link('Promotions')
expect(page).to have_link('Settings')
end
endLet me think about something to test that.
There was a problem hiding this comment.
@elia maybe I've got a possible test, let me know your thoughts!
There was a problem hiding this comment.
Thanks @kennyadsl this look like a nice canary to catch if anything is going wrong with permissions without checking all the possible combinations 👍
Right now a user without roles like logged users or guests can see the admin menu partially. This is because it actually has permission to show zones and shipping methods and the current code is checking against the :show ability, so it seems to be legit. We use :admin for the rest of the menu items checks though, and this is also what we use in the controller to determine if we can access that page, see: https://github.com/solidusio/solidus/blob/3c8ffcc34f9248b286a9d4ca94d1f9a3197ac7b2/backend/app/controllers/spree/admin/base_controller.rb#L29 Test setup lines have been added to be sure the links are populated correctly in the menu.
kennyadsl
force-pushed
the
kennyadsl/fix-menu-permissions
branch
from
a8952f6 to
6e42ac9
Compare
| cannot [:show], Spree::StockLocation | ||
| cannot [:show], Spree::Zone |
There was a problem hiding this comment.
Thanks @kennyadsl this look like a nice canary to catch if anything is going wrong with permissions without checking all the possible combinations 👍
Description
Closes #3834.
Right now a user without roles like logged users or guests user can see the admin menu partially, see #3834.
This behavior has been introduced with 295df5e#diff-757abc24f29994c5e06e233c60ca1f3972c2f5019fba628df718eea681adb61fR68 and it happens because a non-admin user actually has permission to show zones and shipping methods; the current code is checking against the
:showability, so it seems to be legit.We use
:adminfor the rest of the menu items checks though, and this is also what we use in the controller to determine ifwe can access that page, see:
solidus/backend/app/controllers/spree/admin/base_controller.rb
Line 29 in 3c8ffcc
Test setup lines have been removed since they are useless now.
Checklist: