-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AOM-120: Non-admin users have same privileges as a admin #122
Conversation
Kindly look into the test that is failing |
f9180cf
to
218d771
Compare
Looks good to me |
fetchCurrentUser(){ | ||
const apiHelper = new ApiHelper(null); | ||
const getUserData = new Promise(function(resolve, reject) { | ||
apiHelper.get('/v1/session').then(response => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How is an error
condition from the HTTP call handled, since a promise is created locally? Basically, am talking about an error
resolve.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
working on it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
Pull Request Test Coverage Report for Build 610
💛 - Coveralls |
messageType, | ||
showMessage } = this.state; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fix indentation, this can also be seen in other areas of your code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some codebase fix were done and my PR was not merged then so when i pull rebased this changes auto fixed themselves.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me
checkIsAdmin() { | ||
this.fetchCurrentUser().then((response) => { | ||
const user = response.user; | ||
if (user) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Make the assignment, after the check. In other words put the assignment in the if
statement and use response.user in the if
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me
return userCanManageModules = false; | ||
}); | ||
} | ||
if (user.systemId === "admin" || user.display === "admin" || userCanManageModules){ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"admin" is just a value, there is no requirement for a system admin to have a system id of any value. It all depends on the System Admin role, irrespective of the user name or system id.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so I should change using the system id ???
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Am not talking about using system id. What talking about is that can't an admin be samuel?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, I also took note on that and that why I also opted using also the privileges as a condition on which it will check either of the 3 conditions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so if one is an admin and the name is different it will check if they have the priviledges.
@dkayiwa
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do you even have to assume any name called admin?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or what happens if my name or system id is admin but am not an administrator?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was checking on the response of the rest and if the user is an admin the system id is listed as admin.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have added an image of the response.
If i make a REST call and get one of the patients with name "daniel", should i have my code to have a check for name "daniel"? |
Working on it |
8034a77
to
b6c5346
Compare
Looks good to me |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. Look into some suggested modifications
let userCanManageModules; | ||
let userHasPermittedRoles; | ||
userPrivileges = userPrivileges.concat(user.privileges); | ||
if (user.roles.length > 0){ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens if the user object has no roles key? Some browsers may throw errors.
Saying if(user.roles & user.roles.length>0)
may be better
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if I do this it adds a lot of code which will be redundant and also I will be repeating the same check twice since all am checking is if the array has content so it can proceed.
return userHasPermittedRoles = false; | ||
}); | ||
} | ||
if (userPrivileges.length > 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if(userPrivileges.length > 0)
is equivalent to if(userPrivileges.length)
Boolean values are some form of binary integer values so length 0 evaluates to false
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if I do this I will be evaluating if the length not if the array has content,
doing userPrivileges.length
will return an integer which is not a good way of checking conditions but doing userPrivileges.length > 0
will be a boolean checking if the threshold of the length required to proceed is true or false
@@ -153,7 +154,7 @@ export default class SingleAddon extends React.Component { | |||
id="view-icon-wrapper" | |||
> | |||
{ | |||
app.install === false ? | |||
app.install === false || isAdmin === false ? | |||
<Link |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
use !app.install || !isAdmin
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done 👍
if (user.roles.length > 0){ | ||
const roles = user.roles; | ||
const userRoles = roles.find((userRole) => { | ||
if (userRole.display === "System Developer" || userRole.display === "Provider" ) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is no need to test for system developer or provider roles. All that one needs is the "Manage Modules" prvilege
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested for roles since the admin user we use for development do not have the list of priviledges so they are being locked out of the system and they cant view the add-ons manager that's why I resulted to using the roles as another way of giving access to developers so this also happens to the admin user on ref-app.
@dkayiwa
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since the user has the System Developer role, they by default assume that privilege. So you do not need to test for the system developer role
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have fixed and stripped giving the Provider the access
JIRA TICKET NAME:
AOM-120: Non-admin users have same privileges as a admin
SUMMARY:
Non admin users should not be able to start, stop, delete, start all using the add-on manager.