319 - Restrict Submitters From Accessing Things They Don't Own

[Janell-Huyck]

Fixes #319

Restricts submitters from viewing or accessing publications or submitter profiles that they did not create.

Core Changes

• Creates a new "concern" RestrictSubmitterAccess that checks if a submitter is the creator of a publication (or the submitter profile), and returns a 404 error if they are not.
• Updates tests to apply the concern for publication types and submitter profiles.

Additional Changes:

Correct HTTP status of failed creation and update of colleges and submitters to be status: :unprocessable_entity

[Janell-Huyck]

This change allows us to specify the individual publication or submitter profile that we are trying to log in as owners of. It's calling helper functions located in spec/support/helpers/access_authorization.rb to correctly set up the session variables and request parameters

[Janell-Huyck]

helper function used to set the session[:submitter_id] to the id of the resource sent.

[Janell-Huyck]

changes allow us to set the params for a specific resource rather than just a generically created one. This is needed because of the newly created restrictions where submitters can only change their own work.

[hortongn]

@Janell-Huyck Just to make sure I understand this change correctly, AAEC currently allows any submitter to visit something like http://localhost:3000/artworks/3 and view/edit a publication another submitter added. The same is true for viewing/editing another person's submitter record.

Your change blocks access if the current submitter is not the person who created those records, correct? I've verified the bug and verified your change fixes it, but is there anything else this change does that I should verify?

[hortongn]

@Janell-Huyck Just to make sure I understand this change correctly, AAEC currently allows any submitter to visit something like http://localhost:3000/artworks/3 and view/edit a publication another submitter added. The same is true for viewing/editing another person's submitter record.

Your change blocks access if the current submitter is not the person who created those records, correct? I've verified the bug and verified your change fixes it, but is there anything else this change does that I should verify?

Oh I see you're also restricting submitter access for certain actions. This all seems to work correctly, but I'd like to talk through some of the code with you on Monday. Easier to chat about than having a conversation in comments.

[hortongn]

@Janell-Huyck See my refactoring suggestions inline

[hortongn]

Suggest making the name an action such as raise_unauthorized_access

[hortongn]

Suggest a more descriptive name at will help devs know why a submitter is authorized. E.g. current_submitter_is_creator?

[hortongn]

Perhaps we can call set_resource from within authorized_submitter? since that's the only place making use of @resource. Might not even need a separate method for it.

[hortongn]

"special_case" is vague. Seems like this method should just return true if submitter_logged_in?. Move the call to unauthorized access outside of this method.

[hortongn]

Avoid "non" because negatives are hard to follow mentally.

[hortongn]

@Janell-Huyck You call user_is_admin? but that method isn't defined.

[Janell-Huyck]

@Janell-Huyck You call user_is_admin? but that method isn't defined.
It looks like I misplaced a few helper methods I created. I put them in a spec folder by accident. 🙀 Also looks like my tests weren't complete enough to catch that mistake. Fixing! 🛠️

[Janell-Huyck]

We had a flaky feature test. I've added in a line that makes the test wait for a page to load, and I expect this to clear up the problem.

[hortongn]

@Janell-Huyck Looks great. Thanks for all the work you put into this. merging