Fix bug of event search not returning writable events for ROLE_ADMIN #1134
Conversation
Previously, users with ROLE_ADMIN did only see listed videos. This is a bug caused by using the `Option<Filter>` in a `Filter::Or`. Using `Option` to omit the filter only makes sense inside `Filter::And`. Now admins can see all events always as it should have been.
I fixed a bug a few commits ago and this is logic that got us our first security vulnerability. So it's probably a good idea to test that.
Should avoid some confusion in the future.
| @@ -110,5 +110,40 @@ test("Read access is checked", async ({ page, standardData, activeSearchIndex, b | |||
| }); | |||
| }); | |||
|
|
|||
| for (const username of ["jose", "admin"] as const) { | |||
| test(`Video search finds listed & writable (for ${username})`, async ({ | |||
There was a problem hiding this comment.
I wonder if this should be in a separate file. I know I haven't set the best example for this, but I think it is generally encouraged to split these tests up into smaller packages and "domains", so to speak. Right now this mixes the general search (for the search page) with the searchableSelect things used for adding/editing content.
I would probably rename this file to searchPage.spec and do the unrelated tests either in blocks.spec or rather in a new file like searchableSelect.spec in the long run. So no need to change it in this PR (and maybe you disagree - this is something we can discuss at a later point).
There was a problem hiding this comment.
Yeah that's a good point. Probably move it to its own file. Also because it can run different files in parallel.
See commits.