New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Require "edit submissions", not "add submissions", for working with transcripts and translations #4749
Require "edit submissions", not "add submissions", for working with transcripts and translations #4749
Conversation
translation permission checks. It will pass once `change_submissions` becomes required for modifying transcripts and translations
working with transcripts and translations
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PR is ok and LGTM.
Just have comments / questions before merging. Feel free to merge it if my comments are not relevant.
self.asset.assign_perm(other_user, PERM_ADD_SUBMISSIONS) | ||
resp = self.client.post(schema['url'], modified, format='json') | ||
assert resp.status_code == 404 | ||
|
||
self.asset.assign_perm(other_user, PERM_VIEW_ASSET) | ||
resp = self.client.post(schema['url'], modified, format='json') | ||
assert resp.status_code == 404 | ||
|
||
self.asset.assign_perm(other_user, PERM_CHANGE_ASSET) | ||
resp = self.client.post(schema['url'], modified, format='json') | ||
assert resp.status_code == 404 | ||
|
||
self.asset.assign_perm(other_user, PERM_VIEW_SUBMISSIONS) | ||
resp = self.client.post(schema['url'], modified, format='json') | ||
assert resp.status_code == 403 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not related to this PR but I wondering why PERM_VIEW_ASSET
, PERM_CHANGE_ASSET
return a 404 while PERM_VIEW_SUBMISSIONS
returns a 403. I was assuming that as soon as user had PERM_VIEW_ASSET
, users would receive a 403 when they don't have required permissions on nested objects.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good question; I'd assume it's just the usual DRF behavior of:
- Did you send a GET for a specific object that you are not allowed to see? We're not telling you whether or not it exists, so 404
- Did you try to take a disallowed action (POST, PATCH) on an object that you are allowed to see? → 403
I didn't expect nested objects to behave differently, but we can look into it more if you think something doesn't make sense
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right! that's what I'm expecting too.
I missed an important line!
I was thinking the model was Asset
. Everything is good.
self.asset.assign_perm(other_user, PERM_ADD_SUBMISSIONS) | ||
resp = self.client.post(schema['url'], modified, format='json') | ||
assert resp.status_code == 404 | ||
|
||
self.asset.assign_perm(other_user, PERM_VIEW_ASSET) | ||
resp = self.client.post(schema['url'], modified, format='json') | ||
assert resp.status_code == 404 | ||
|
||
self.asset.assign_perm(other_user, PERM_CHANGE_ASSET) | ||
resp = self.client.post(schema['url'], modified, format='json') | ||
assert resp.status_code == 404 | ||
|
||
self.asset.assign_perm(other_user, PERM_VIEW_SUBMISSIONS) | ||
resp = self.client.post(schema['url'], modified, format='json') | ||
assert resp.status_code == 403 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right! that's what I'm expecting too.
I missed an important line!
I was thinking the model was Asset
. Everything is good.
Checklist
Description
Doing any kind of work with transcripts or translations—whether adding a new one or editing an existing one—now always requires the "edit submissions" permission.