- 
                Notifications
    You must be signed in to change notification settings 
- Fork 34
gatekeep #408
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gatekeep #408
Conversation
34f9f43    to
    c874b46      
    Compare
  
    c874b46    to
    25d43f2      
    Compare
  
    | Would it be better to, in addition to the result, expose the expected and actual counts for each thing? That way things like vote could explain to you why you're ineligible to vote. You may also want to add a banner to the conditional dashboard page telling you you're ineligible to vote. Also I don't see a check for the date here... Presumably you only need to meet these requirements by week 6? Sometimes we need to do elections or spending presentations early in the year. Lastly... How does this interact with members who were on coop in the fall? Are they just ineligible to vote until they do a bunch of meetings? That might be a problem with the amendment itself though. Would it be better to reuse the "house meetings missed" logic for the dashboard of conditional? Unfortunately that doesn't fix the other requirements, but it gets the house meeting one dealt with. | 
5855285    to
    b9cb4fc      
    Compare
  
    | 
 Correct, they are ineligible to vote until the following semester, where for the first 6 weeks, everyone will be able to vote, and then ALL members must fulfill the requirements again if they want to vote during the semester Unfortunately, the way the constitution is worded, currently in order to vote you must have six house meetings. That amendment is currently in the process of being ratified (hopefully). The way I wrote the gatekeep function is based upon the assumption that that amendment would fail, and I will update it in the future | 
| 
 This will be implemented into vote via a toggle. Doing it here would spread false information that a member has passed gatekeep when they haven't... Would it be better to add that maybe to the dashboard in "member statistics"? | 
| 
 Conditional does not return to 0 HM attendances, seminars, and directorships for spring semester. Your current code would allow anyone who has passed gatekeep at any point in the operating year, not just the current semester. | 
| Whoops that put my thing in as a review rather than a comment... Oh well. | 
| 
 To me, this seems like it's a lot of room for human error... What happens when some votes have the switch flipped and others don't? I think conditional has the brains to know when an intro eval has happened, so you could probably key off of that? If you want a separate line item for passing the requirements I'd say that's fine, but I do think you should also have SOME way to expose whether or not you can vote right now... This would account for things like coop, gatekeep, activeness, etc. | 
| 
 Huge! Thank you for that catch because I never would have seen that. Thank you | 
| 
 This has to happen, otherwise all votes would require gatekeep, even if a member wants to make a vote about what type of cheese is best for grilled cheese. That member might want all people to vote, not just voting active members. The toggle will default to on though, since most votes will require gatekeep 
 I'm looking at how conditional gives member the "voting" tag right now. It's literally a mess I will organize that code better (it's in dashboard.html). Basically, it says "if voting" which connects to the get_voting_members function (and returns that same voting list that the "voting members" shows) if a member is in that list, it gives them the voting tag, otherwise it gives them a "non-voting" tag. If they have questions about why they should look at the constitution | 
da0f397    to
    7f22ae2      
    Compare
  
    7f22ae2    to
    af307ee      
    Compare
  
    | 
 That's outside the scope of this PR. Alumni members are not my concern. I'm adding implementation for specifically active members following ComputerScienceHouse/Constitution#260. | 
|  | ||
| @app.route("/gatekeep/<username>") | ||
| def gatekeep_status(username): | ||
| token = request.headers.get("X-VOTE-TOKEN", "") | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think limiting access to this call is better done with a service account - we already have ones for services like drink and selfservice, and you could do a check on the username/email/whatever.
Personally I don't really understand why this call is being limited to vote - it would be pretty easy to pull the relevant information from LDAP + scrape /spring_evals to get the information anyway.
Regardless, I think giving vote a service account to give it authentication is a more robust solution for access control to API calls.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be "pretty easy" to do that, but the number of people that will do that is very little (historically probably 0), considering we all rely on our Evals Director to run the queries year after year.
Having an accessible endpoint would make it significantly more convenient, and I would imagine people would actually start looking at it.
As far as the service account vs token is concerned, a token is fine... It's "more robust" but if we are hard-coding a username in as a check, that completely 180's the robustness of it. The way this works, the token could even be shared as one shared secret/configmap in OKD, and then we can mount the same secret across multiple Deployments, so it can be rotated once in all the places.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, I didn't consider that it could be shared as a secret/configmap in OKD. Good enough, I guess.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In what application is the /gatekeep endpoint used? I feel like that could also dictate if an account or token makes more sense
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Vote
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Token feels fine then tbh
| Everything else looks good to me (in hindsight i should've just done a review lol mb) | 
|  | ||
| @app.route("/gatekeep/<username>") | ||
| def gatekeep_status(username): | ||
| token = request.headers.get("X-VOTE-TOKEN", "") | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, I didn't consider that it could be shared as a secret/configmap in OKD. Good enough, I guess.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 👍
| #410 has been merged, all set 👍 | 
| Issues attributed to commits in this pull requestThis pull request was merged and Sentry observed the following issues: 
 | 

Add gatekeep requirements to follow ComputerScienceHouse/Constitution#260