Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require "edit submissions", not "add submissions", for working with transcripts and translations #4749

Merged
merged 2 commits into from Dec 6, 2023
Merged

Require "edit submissions", not "add submissions", for working with transcripts and translations #4749

merged 2 commits into from Dec 6, 2023

Conversation

jnm
Copy link
Member

@jnm jnm commented Dec 6, 2023

Checklist

  1. If you've added code that should be tested, add tests
  2. If you've changed APIs, update (or create!) the documentation
  3. Ensure the tests pass
  4. Make sure that your code lints and that you've followed our coding style
  5. Write a title and, if necessary, a description of your work suitable for publishing in our release notes
  6. Mention any related issues in this repository (as #ISSUE) and in other repositories (as kobotoolbox/other#ISSUE)
  7. Open an issue in the docs if there are UI/UX changes

Description

Doing any kind of work with transcripts or translations—whether adding a new one or editing an existing one—now always requires the "edit submissions" permission.

@jnm
Add failing test for new transcript and…
8066a48 
translation permission checks. It will pass once `change_submissions`
becomes required for modifying transcripts and translations
@jnm
Require change_submissions, not add_…, for
080eb27 
working with transcripts and translations
@jnm jnm requested a review from noliveleger December 6, 2023 06:59
noliveleger
noliveleger reviewed Dec 6, 2023
View reviewed changes
Copy link
Contributor

@noliveleger noliveleger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR is ok and LGTM.
Just have comments / questions before merging. Feel free to merge it if my comments are not relevant.

kobo/apps/subsequences/api_view.py Show resolved Hide resolved
kobo/apps/subsequences/tests/test_submission_extras_api_post.py
Comment on lines +158 to +172
self.asset.assign_perm(other_user, PERM_ADD_SUBMISSIONS)
resp = self.client.post(schema['url'], modified, format='json')
assert resp.status_code == 404

self.asset.assign_perm(other_user, PERM_VIEW_ASSET)
resp = self.client.post(schema['url'], modified, format='json')
assert resp.status_code == 404

self.asset.assign_perm(other_user, PERM_CHANGE_ASSET)
resp = self.client.post(schema['url'], modified, format='json')
assert resp.status_code == 404

self.asset.assign_perm(other_user, PERM_VIEW_SUBMISSIONS)
resp = self.client.post(schema['url'], modified, format='json')
assert resp.status_code == 403
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not related to this PR but I wondering why PERM_VIEW_ASSET, PERM_CHANGE_ASSET return a 404 while PERM_VIEW_SUBMISSIONS returns a 403. I was assuming that as soon as user had PERM_VIEW_ASSET, users would receive a 403 when they don't have required permissions on nested objects.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question; I'd assume it's just the usual DRF behavior of:

  • Did you send a GET for a specific object that you are not allowed to see? We're not telling you whether or not it exists, so 404
  • Did you try to take a disallowed action (POST, PATCH) on an object that you are allowed to see? → 403

I didn't expect nested objects to behave differently, but we can look into it more if you think something doesn't make sense

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right! that's what I'm expecting too.

I missed an important line!

I was thinking the model was Asset. Everything is good.

@noliveleger noliveleger added API Changes related to API endpoints Back end labels Dec 6, 2023
@jnm jnm requested a review from noliveleger December 6, 2023 20:13
noliveleger
noliveleger approved these changes Dec 6, 2023
View reviewed changes
kobo/apps/subsequences/tests/test_submission_extras_api_post.py
Comment on lines +158 to +172
self.asset.assign_perm(other_user, PERM_ADD_SUBMISSIONS)
resp = self.client.post(schema['url'], modified, format='json')
assert resp.status_code == 404

self.asset.assign_perm(other_user, PERM_VIEW_ASSET)
resp = self.client.post(schema['url'], modified, format='json')
assert resp.status_code == 404

self.asset.assign_perm(other_user, PERM_CHANGE_ASSET)
resp = self.client.post(schema['url'], modified, format='json')
assert resp.status_code == 404

self.asset.assign_perm(other_user, PERM_VIEW_SUBMISSIONS)
resp = self.client.post(schema['url'], modified, format='json')
assert resp.status_code == 403
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right! that's what I'm expecting too.

I missed an important line!

I was thinking the model was Asset. Everything is good.

@noliveleger noliveleger merged commit 7d97ffa into release/2.023.37 Dec 6, 2023
4 checks passed
@noliveleger noliveleger deleted the require-change-not-add-for-transcripts-translations branch December 6, 2023 20:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@noliveleger noliveleger noliveleger approved these changes

Assignees

@noliveleger noliveleger

Labels
API Changes related to API endpoints Back end
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jnm @noliveleger