-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[AC-2084] Include Collection permissions for admin endpoints #3793
[AC-2084] Include Collection permissions for admin endpoints #3793
Conversation
…ils for collections
This comment was marked as off-topic.
This comment was marked as off-topic.
- vNext endpoints should now always return CollectionDetailsResponse models - Update constructors in CollectionDetailsResponseModel to be more explicit and add named static constructors for additional clarity
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3793 +/- ##
==========================================
- Coverage 38.95% 38.79% -0.17%
==========================================
Files 1214 1216 +2
Lines 58874 59169 +295
Branches 5632 5646 +14
==========================================
+ Hits 22937 22955 +18
- Misses 34882 35157 +275
- Partials 1055 1057 +2 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Started looking at this today just to get my head around it. Will continue tomorrow.
src/Sql/Vault/dbo/Stored Procedures/Collections/Collection_ReadByIdWithPermissions.sql
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've reviewed the SQL sprocs, models, and controller methods to make sure they're in line with our discussions and AC Team's requirements, but I'll leave the rest (mostly EF queries and test logic I think) to the Vault reviewer as codeowner.
Thank you again for tackling this!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Love the tests, a couple of comments below but nothing blocking.
CreationDate = collectionGroup.Key.CreationDate, | ||
RevisionDate = collectionGroup.Key.RevisionDate, | ||
ExternalId = collectionGroup.Key.ExternalId, | ||
ReadOnly = Convert.ToBoolean(collectionGroup.Min(c => Convert.ToInt32(c.ReadOnly))), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The conversions are unnecessary:
collectionGroup.All(c => c.ReadOnly)
(equivalent of MIN, it will return false if there is anyReadOnly = false
)collectionGroup.Any(c => c.Manage)
(equivalent of MAX, it will return true if there is anyManage = true
)
However I can see this is how we do it in existing queries, and that does more closely track the SQL equivalent, so I'll leave it up to you as to which you prefer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a fair point. I had gone with what already existed in the other queries, as I figured there was some underlying implementation detail forcing the extra conversions (e.g. maybe one provider doesn't behave properly with Any
or All
).
I think I'll opt to leave it alone for now since we know it works as expected and it keeps consistent with the other queries.
|
||
CollectionAdminDetails collectionDetails; | ||
|
||
// SQLite does not support the GROUP BY clause |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Boo :( If this is the case, should we just have the single implementation? I guess the Sqlite version here is arguably less performant because it doesn't use delayed execution. But in practice I'm not sure it would make a significant difference, and it avoids having divergent EF implementations for different databases. Would be interested in what @justindbaur thinks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not too attached either way (a single implementation or split). We do have a few other repository calls here that have similar behavior, so its not entirely new, if still pretty ugly.
I'm also not too familiar with the magnitude of the performance difference, but I do expect this to be called fairly frequently in the AC until we have better caching there, so its something to keep in mind.
Type of change
Objective
We’ve run into multiple places where we need the current user’s collection permissions after fetching them from the admin endpoints. Those responses do not include the manage, readonly, hidePasswords flags so we’ve been forced to merge the permissions from the collection sync data with the admin endpoint response multiple times.
This PR adds those permission details to those admin endpoint responses. Doing so required creating new SQL queries to fetch collections and permission information even if there is no relationship (all existing queries that included permission info automatically filter out collections that have no existing User/Group relationship).
Code changes
New
CollectionAdminDetails
ModelAdd a new Domain model that represents collection details that are intended to be used for collection management/administrative purposes. The model includes permission details for a given user, a flag for if that user is explicitly assigned to the collection, and optional lists for User/Group access relationships.
ICollectionRepository.cs
Add additional documentation to existing methods and add the two new
*WithPermissions
queries. By their inherent nature, these queries do not perform our normal database level authorization checks, so care should be taken to ensure the requesting user has access to the organization. (Our existing queries quietly remove any collection resources the user does not have access to.)GetManyByOrganizationIdWithPermissionsAsync()
GetByIdWithPermissionsAsync()
Before you submit
dotnet format --verify-no-changes
) (required)