Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DFC] add/delete enterprise to enterprise group #12024

Merged
merged 4 commits into from
Jan 11, 2024
Merged

[DFC] add/delete enterprise to enterprise group #12024

merged 4 commits into from
Jan 11, 2024

Conversation

rioug
Copy link
Collaborator

@rioug rioug commented Jan 9, 2024

What? Why?

Allow a group owner to add/remove an enterprise to a group.

What should we test?

  • Not test, spec only

Release notes

Changelog Category (reviewers may add a label for the release notes):

  • User facing changes
  • API changes (V0, V1, DFC or Webhook)
  • Technical changes only
  • Feature toggled

The title of the pull request will be included in the release notes.

@rioug rioug marked this pull request as ready for review January 9, 2024 05:36
@rioug rioug force-pushed the 11707-DFC-update-enterprise-group branch from 54f2fc8 to 5cd5681 Compare January 10, 2024 01:37
@rioug rioug force-pushed the 11707-DFC-update-enterprise-group branch from 5cd5681 to 92921c8 Compare January 10, 2024 01:45
@rioug rioug added the api changes These pull requests change the API and can break integrations label Jan 10, 2024
@rioug rioug requested a review from mkllnk January 10, 2024 02:48
mkllnk
mkllnk requested changes Jan 10, 2024
View reviewed changes
Copy link
Member

@mkllnk mkllnk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice and clean implementation!

Only one request for change.

engines/dfc_provider/app/controllers/dfc_provider/enterprise_groups/affiliated_by_controller.rb Outdated Show resolved Hide resolved
engines/dfc_provider/app/controllers/dfc_provider/enterprise_groups/affiliated_by_controller.rb Outdated Show resolved Hide resolved
engines/dfc_provider/spec/requests/enterprise_groups/affiliated_by_spec.rb Outdated Show resolved Hide resolved
@rioug
Remove save after adding an association with <<
a78042c 
`<<` operator already save the the association to the database
dacook
dacook approved these changes Jan 11, 2024
View reviewed changes
Copy link
Member

@dacook dacook left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nicely done! I think this is good to go.
I do have a query about the authorisation check though...

engines/dfc_provider/app/controllers/dfc_provider/application_controller.rb
@@ -8,6 +8,7 @@ class ApplicationController < ActionController::Base
protect_from_forgery with: :null_session

rescue_from ActiveRecord::RecordNotFound, with: :not_found
rescue_from CanCan::AccessDenied, with: :unauthorized
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do none of the existing dfc controllers check authorisation already? Maybe they should?!

I'm guessing that most/all of the api read and write actions already filter records according to the user's enterprises, but is it worth covering the potential holes... or am I missing something?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We haven't used CanCan for these checks until now. As you guessed, we used the users's scopes to access the right data.

I personally dislike CanCan as it adds complexity and I always find it difficult to see which rules apply to the current user. Looking for records in the right scopes makes any further authorisation unnecessary and it seems more efficient to me.

That said, sometimes the authorisation step is a bit more complicated and when you need to perform the same in several places then it's good to have a single source of truth. CanCan does have its place there.

Spree also used it to check every action and you had to allow everything with abilities before a user could access it. That's good security practice but it made the ability model unnecessarily big, I think.

Is this worth a chat in our next meeting?

engines/dfc_provider/app/controllers/dfc_provider/enterprise_groups/affiliated_by_controller.rb Show resolved Hide resolved
engines/dfc_provider/spec/requests/enterprise_groups/affiliated_by_spec.rb Outdated Show resolved Hide resolved
@mkllnk mkllnk merged commit 90fb0ed into openfoodfoundation:master Jan 11, 2024
50 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mkllnk mkllnk mkllnk approved these changes

@dacook dacook dacook approved these changes

Assignees

@rioug rioug

Labels
api changes These pull requests change the API and can break integrations
Projects
OFN Delivery board
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

UPDATE Enterprise in Group via DFC Endpoint Enterprise Groups
3 participants
@rioug @mkllnk @dacook