
Add new "force publish anything" permission #401

Merged
merged 2 commits into from

3 participants

@h-lame

This gives any user who holds the permission the ability to force publish any edition. Note that it doesn't escalate any other permissions, so they still can't see anything they wouldn't normally be allowed to see. It is intended for the user account used by the force publisher for imports, which doesn't need to be able to log in and do things, just force publish everything in an import batch. There's a data migration that adds this permission to that user.

For: https://www.pivotaltracker.com/story/show/46979963

@bradleywright

test_validation_errors_when_reordering_features_are_propogated failed, but that test seems flakey (it failed on another unrelated branch as well).

@h-lame

Rebasing (NOTE: that test doesn't fail locally).

h-lame added some commits
@h-lame h-lame Add new permission to allow force publishing anything
In the edition rules, if the action is force_publish and the actor can_force_publish_anything? return true immediately.  This is so that the robot account used during force publish process for an import is able to force publish stuff.  I didn't want to add a full on "can do anything" permission, hence the limited scope of this.
a542c9d
@h-lame h-lame Add force publish anything to the user used by the force publisher 5f0ebd0
@heathd heathd merged commit 5b36b37 into master

1 check passed

Details default The Travis build passed
Commits on Apr 2, 2013
  1. @h-lame @heathd

    Add new permission to allow force publishing anything

    h-lame authored heathd committed
    In the edition rules, if the action is force_publish and the actor can_force_publish_anything? return true immediately.  This is so that the robot account used during force publish process for an import is able to force publish stuff.  I didn't want to add a full on "can do anything" permission, hence the limited scope of this.
  2. @h-lame @heathd
5 app/models/user.rb
@@ -20,6 +20,7 @@ module Permissions
IMPORT = 'Import CSVs'
WORLD_WRITER = 'World Writer'
WORLD_EDITOR = 'World Editor'
+ FORCE_PUBLISH_ANYTHING = 'Force publish anything'
end
def role
@@ -60,6 +61,10 @@ def can_import?
has_permission?(Permissions::IMPORT)
end
+ def can_force_publish_anything?
+ has_permission?(Permissions::FORCE_PUBLISH_ANYTHING)
+ end
+
def organisation_name
organisation ? organisation.name : nil
end
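Review bot: `FORCE_PUBLISH_ANYTHING` and `can_force_publish_anything?` carry no comment saying how far the permission reaches, although the rules change in this same commit lets its holder force publish without passing `can_see?`. A comment above the predicate would make that visible to whoever later grants the string to an account, for example `# Holder may :force_publish any edition, including access-limited ones; meant for the import robot account only.` Both enclosing bodies (the `Permissions` module and the class around it) start outside these hunks.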
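--- a/db/data_migration/20130327153531_add_force_publish_anything_to_gds_inside_government_team.rb
+++ b/db/data_migration/20130327153531_add_force_publish_anything_to_gds_inside_government_team.rb
@@ -0,0 +1,8 @@
+force_publish_robot_user = ForcePublisher::Worker.new.user
+if force_publish_robot_user.nil?
+ puts "User for Force Publisher is not present! - can't escalate permissions!"
+else
+ puts "Allowing User for Force Publisher (#{force_publish_robot_user.name}[#{force_publish_robot_user.id}]) to force publish anything"
+ force_publish_robot_user.permissions << User::Permissions::FORCE_PUBLISH_ANYTHING
+ force_publish_robot_user.save!
+end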
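Review bot: `permissions << User::Permissions::FORCE_PUBLISH_ANYTHING` appends unconditionally, so running this data migration a second time would store the permission twice; guard the grant with `unless force_publish_robot_user.permissions.include?(User::Permissions::FORCE_PUBLISH_ANYTHING)`. The nil branch only prints a message, so an environment where the robot user does not exist yet finishes the migration without the grant and nothing fails; raising there, or noting in a comment that the migration has to be re-run once the user exists, would keep that from going unnoticed. Because this is a privilege grant, the `puts` line is the only record of it, and it is worth keeping that output with the deploy log.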
4 lib/whitehall/authority/rules/edition_rules.rb
@@ -32,7 +32,9 @@ def valid_action?(action)
private
def can_with_an_instance?(action)
- if !can_see?
+ if actor.can_force_publish_anything? && action == :force_publish
+ return true
+ elsif !can_see?
return false
else
if actor.gds_editor?
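Review bot: The new first branch calls `actor.can_force_publish_anything?` for every action before `can_see?`, so any actor object that lacks the method now fails on all actions (which appears to be why every OpenStruct double in the tests had to gain the key), and a `true` here skips not just the visibility check but everything further down `can_with_an_instance?`, which continues outside this hunk. Testing the action first and writing the bypass as a guard keeps it narrow: `return true if action == :force_publish && actor.can_force_publish_anything?`. A comment such as `# Import robot: may force publish editions it cannot see; grants no other action.` would record the intent. Since this is a deliberate access-control bypass, logging the actor id when the branch is taken would let use of the permission be audited.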
10 test/unit/user_test.rb
@@ -95,6 +95,16 @@ class UserTest < ActiveSupport::TestCase
assert gds_editor.can_handle_fatalities?
end
+ test 'cannot force publish anything by default' do
+ user = build(:user)
+ refute user.can_force_publish_anything?
+ end
+
+ test 'can force publish imports if given permission' do
+ user = build(:user, permissions: [User::Permissions::FORCE_PUBLISH_ANYTHING])
+ assert user.can_force_publish_anything?
+ end
+
test 'can handle fatalities if our organisation is set to handle them' do
not_allowed = build(:user, organisation: build(:organisation, handles_fatalities: false))
refute not_allowed.can_handle_fatalities?
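Review bot: The second added test is named 'can force publish imports if given permission', but the predicate it asserts is about any edition, not imports; `test 'can force publish anything if given permission' do` matches what is checked. The `UserTest` class body starts and ends outside this hunk.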
16 test/unit/whitehall/authority/department_editor_test.rb
@@ -3,7 +3,8 @@
class DepartmentEditorTest < ActiveSupport::TestCase
def department_editor(id = 1)
- OpenStruct.new(id: id, gds_editor?: false, departmental_editor?: true, organisation: nil)
+ OpenStruct.new(id: id, gds_editor?: false, departmental_editor?: true,
+ organisation: nil, can_force_publish_anything?: false)
end
include AuthorityTestHelper
@@ -45,7 +46,7 @@ def department_editor(id = 1)
user.stubs(:organisation).returns(org1)
edition = limited_edition([org2])
enforcer = enforcer_for(user, edition)
-
+
Whitehall::Authority::Rules::EditionRules.actions.each do |action|
refute enforcer.can?(action)
end
@@ -83,6 +84,17 @@ def department_editor(id = 1)
assert enforcer_for(department_editor, normal_edition).can?(:force_publish)
end
+ test 'can force publish a limited access edition outside their org if they can_force_publish_anything?' do
+ org1 = 'organisation_1'
+ org2 = 'organisation_2'
+ user = department_editor
+ user.stubs(:organisation).returns(org1)
+ user.stubs(:can_force_publish_anything?).returns(true)
+ edition = limited_edition([org2])
+
+ assert enforcer_for(user, edition).can?(:force_publish)
+ end
+
test 'can make editorial remarks' do
assert enforcer_for(department_editor, normal_edition).can?(:make_editorial_remark)
end
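Review bot: The added test only asserts the positive case, so nothing pins the claim in the description that the permission escalates nothing else; a holder who could suddenly `:see` or edit a limited edition outside their org would not turn any test red. The same gap is in the tests added to department_writer_test.rb, gds_editor_test.rb, world_editor_test.rb and world_writer_test.rb. A companion test next to the new one, sketched below, would cover it; it assumes `EditionRules.actions` is an array of symbols, as the existing `.each do |action|` loop in this file suggests. The whitespace-only hunk in the middle of this file swaps an empty line for a line with trailing spaces and could be dropped.

```ruby
test 'can only force publish a limited access edition outside their org if they can_force_publish_anything?' do
  user = department_editor
  user.stubs(:organisation).returns('organisation_1')
  user.stubs(:can_force_publish_anything?).returns(true)
  enforcer = enforcer_for(user, limited_edition(['organisation_2']))

  (Whitehall::Authority::Rules::EditionRules.actions - [:force_publish]).each do |action|
    refute enforcer.can?(action)
  end
end
```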
24 test/unit/whitehall/authority/department_writer_test.rb
@@ -3,7 +3,9 @@
class DepartmentWriterTest < ActiveSupport::TestCase
def department_writer(id = 1)
- OpenStruct.new(id: id, department_writer?: false, departmental_editor?: false, organisation: nil)
+ OpenStruct.new(id: id, gds_editor?: false,
+ departmental_editor?: false, organisation: nil,
+ can_force_publish_anything?: false)
end
include AuthorityTestHelper
@@ -45,7 +47,7 @@ def department_writer(id = 1)
user.stubs(:organisation).returns(org1)
edition = limited_edition([org2])
enforcer = enforcer_for(user, edition)
-
+
Whitehall::Authority::Rules::EditionRules.actions.each do |action|
refute enforcer.can?(action)
end
@@ -83,6 +85,24 @@ def department_writer(id = 1)
refute enforcer_for(department_writer, normal_edition).can?(:force_publish)
end
+ test 'can force publish an edition if they can_force_publish_anything?' do
+ user = department_writer
+ user.stubs(:can_force_publish_anything?).returns(true)
+
+ assert enforcer_for(user, normal_edition).can?(:force_publish)
+ end
+
+ test 'can force publish a limited access edition outside their org if they can_force_publish_anything?' do
+ org1 = 'organisation_1'
+ org2 = 'organisation_2'
+ user = department_writer
+ user.stubs(:organisation).returns(org1)
+ user.stubs(:can_force_publish_anything?).returns(true)
+ edition = limited_edition([org2])
+
+ assert enforcer_for(user, edition).can?(:force_publish)
+ end
+
test 'can make editorial remarks' do
assert enforcer_for(department_writer, normal_edition).can?(:make_editorial_remark)
end
16 test/unit/whitehall/authority/gds_editor_test.rb
@@ -3,7 +3,8 @@
class GDSEditorTest < ActiveSupport::TestCase
def gds_editor(id = 1)
- OpenStruct.new(id: id, gds_editor?: true, organisation: nil)
+ OpenStruct.new(id: id, gds_editor?: true, organisation: nil,
+ can_force_publish_anything?: false)
end
include AuthorityTestHelper
@@ -45,7 +46,7 @@ def gds_editor(id = 1)
user.stubs(:organisation).returns(org1)
edition = limited_edition([org2])
enforcer = enforcer_for(user, edition)
-
+
Whitehall::Authority::Rules::EditionRules.actions.each do |action|
refute enforcer.can?(action)
end
@@ -93,6 +94,17 @@ def gds_editor(id = 1)
assert enforcer_for(me, normal_edition(me)).can?(:force_publish)
end
+ test 'can force publish a limited access edition outside their org if they can_force_publish_anything?' do
+ org1 = 'organisation_1'
+ org2 = 'organisation_2'
+ user = gds_editor
+ user.stubs(:organisation).returns(org1)
+ user.stubs(:can_force_publish_anything?).returns(true)
+ edition = limited_edition([org2])
+
+ assert enforcer_for(user, edition).can?(:force_publish)
+ end
+
test 'can make editorial remarks' do
assert enforcer_for(gds_editor, normal_edition).can?(:make_editorial_remark)
end
33 test/unit/whitehall/authority/world_editor_test.rb
@@ -5,7 +5,8 @@ class WorldEditorTest < ActiveSupport::TestCase
def world_editor(world_locations, id = 1)
OpenStruct.new(id: id, gds_editor?: false,
departmental_editor?: false, world_editor?: true,
- organisation: nil, world_locations: world_locations || [])
+ organisation: nil, can_force_publish_anything?: false,
+ world_locations: world_locations || [])
end
include AuthorityTestHelper
@@ -114,6 +115,36 @@ def world_editor(world_locations, id = 1)
assert enforcer_for(user, edition).can?(:force_publish)
end
+ test 'can force publish an edition not about their location if they can_force_publish_anything?' do
+ user = world_editor(['hat land', 'tie land'])
+ user.stubs(:can_force_publish_anything?).returns(true)
+ edition = with_locations(normal_edition, ['shirt land', 'hat land'])
+
+ assert enforcer_for(user, edition).can?(:force_publish)
+ end
+
+ test 'can force publish an edition about their location that is limited to another org if they can_force_publish_anything?' do
+ org1 = 'organisation_1'
+ org2 = 'organisation_2'
+ user = world_editor(['hat land', 'tie land'])
+ user.stubs(:organisation).returns(org1)
+ user.stubs(:can_force_publish_anything?).returns(true)
+ edition = with_locations(limited_edition([org2]), ['shirt land', 'hat land'])
+
+ assert enforcer_for(user, edition).can?(:force_publish)
+ end
+
+ test 'can force publish a limited access edition outside their location and org if they can_force_publish_anything?' do
+ org1 = 'organisation_1'
+ org2 = 'organisation_2'
+ user = world_editor(['hat land', 'tie land'])
+ user.stubs(:organisation).returns(org1)
+ user.stubs(:can_force_publish_anything?).returns(true)
+ edition = with_locations(limited_edition([org2]), ['shirt land'])
+
+ assert enforcer_for(user, edition).can?(:force_publish)
+ end
+
test 'can make editorial remarks that is about their location and not access limited' do
user = world_editor(['hat land', 'tie land'])
edition = with_locations(normal_edition, ['shirt land', 'hat land'])
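Review bot: The first added test, 'can force publish an edition not about their location if they can_force_publish_anything?', builds the user with `['hat land', 'tie land']` and the edition with `['shirt land', 'hat land']`, so the two share 'hat land' and the edition is about one of the user's locations. Judging by the context assertion just above the added tests, a world editor can already force publish such an edition, so this test would pass without the new permission and does not exercise the bypass. Changing the fixture to `edition = with_locations(normal_edition, ['shirt land'])` makes it match its name. The identically named test added to world_writer_test.rb uses the same overlapping locations and needs the same change.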
31 test/unit/whitehall/authority/world_writer_test.rb
@@ -6,6 +6,7 @@ def world_writer(world_locations, id = 1)
OpenStruct.new(id: id, gds_editor?: false,
departmental_editor?: false, world_editor?: false,
world_writer?: true, organisation: nil,
+ can_force_publish_anything?: false,
world_locations: world_locations || [])
end
@@ -115,6 +116,36 @@ def world_writer(world_locations, id = 1)
refute enforcer_for(user, edition).can?(:force_publish)
end
+ test 'can force publish an edition not about their location if they can_force_publish_anything?' do
+ user = world_writer(['hat land', 'tie land'])
+ user.stubs(:can_force_publish_anything?).returns(true)
+ edition = with_locations(normal_edition, ['shirt land', 'hat land'])
+
+ assert enforcer_for(user, edition).can?(:force_publish)
+ end
+
+ test 'can force publish an edition about their location that is limited to another org if they can_force_publish_anything?' do
+ org1 = 'organisation_1'
+ org2 = 'organisation_2'
+ user = world_writer(['hat land', 'tie land'])
+ user.stubs(:organisation).returns(org1)
+ user.stubs(:can_force_publish_anything?).returns(true)
+ edition = with_locations(limited_edition([org2]), ['shirt land', 'hat land'])
+
+ assert enforcer_for(user, edition).can?(:force_publish)
+ end
+
+ test 'can force publish a limited access edition outside their location and org if they can_force_publish_anything?' do
+ org1 = 'organisation_1'
+ org2 = 'organisation_2'
+ user = world_writer(['hat land', 'tie land'])
+ user.stubs(:organisation).returns(org1)
+ user.stubs(:can_force_publish_anything?).returns(true)
+ edition = with_locations(limited_edition([org2]), ['shirt land'])
+
+ assert enforcer_for(user, edition).can?(:force_publish)
+ end
+
test 'can make editorial remarks that is about their location and not access limited' do
user = world_writer(['hat land', 'tie land'])
edition = with_locations(normal_edition, ['shirt land', 'hat land'])