AOM-120: Non-admin users have same privileges as a admin #122
Conversation
|
Kindly look into the test that is failing |
justmesam
force-pushed
the
AOM-120
branch
2 times, most recently
from
f9180cf
to
218d771
Compare
|
Looks good to me |
| fetchCurrentUser(){ | ||
| const apiHelper = new ApiHelper(null); | ||
| const getUserData = new Promise(function(resolve, reject) { | ||
| apiHelper.get('/v1/session').then(response => { |
There was a problem hiding this comment.
How is an error condition from the HTTP call handled, since a promise is created locally? Basically, am talking about an error resolve.
Pull Request Test Coverage Report for Build 610
💛 - Coveralls |
| messageType, | ||
| showMessage } = this.state; | ||
|
|
There was a problem hiding this comment.
Fix indentation, this can also be seen in other areas of your code.
There was a problem hiding this comment.
Some codebase fix were done and my PR was not merged then so when i pull rebased this changes auto fixed themselves.
| checkIsAdmin() { | ||
| this.fetchCurrentUser().then((response) => { | ||
| const user = response.user; | ||
| if (user) { |
There was a problem hiding this comment.
Make the assignment, after the check. In other words put the assignment in the if statement and use response.user in the if
| return userCanManageModules = false; | ||
| }); | ||
| } | ||
| if (user.systemId === "admin" || user.display === "admin" || userCanManageModules){ |
There was a problem hiding this comment.
"admin" is just a value, there is no requirement for a system admin to have a system id of any value. It all depends on the System Admin role, irrespective of the user name or system id.
There was a problem hiding this comment.
so I should change using the system id ???
There was a problem hiding this comment.
Am not talking about using system id. What talking about is that can't an admin be samuel?
There was a problem hiding this comment.
yeah, I also took note on that and that why I also opted using also the privileges as a condition on which it will check either of the 3 conditions.
There was a problem hiding this comment.
so if one is an admin and the name is different it will check if they have the priviledges.
@dkayiwa
There was a problem hiding this comment.
Why do you even have to assume any name called admin?
There was a problem hiding this comment.
Or what happens if my name or system id is admin but am not an administrator?
There was a problem hiding this comment.
I was checking on the response of the rest and if the user is an admin the system id is listed as admin.
There was a problem hiding this comment.
I have added an image of the response.
|
@dkayiwaI have added the snippet of how the systemid response looks like . |
|
If i make a REST call and get one of the patients with name "daniel", should i have my code to have a check for name "daniel"? |
|
Working on it |
justmesam
force-pushed
the
AOM-120
branch
3 times, most recently
from
8034a77
to
b6c5346
Compare
|
Looks good to me |
| let userCanManageModules; | ||
| let userHasPermittedRoles; | ||
| userPrivileges = userPrivileges.concat(user.privileges); | ||
| if (user.roles.length > 0){ |
There was a problem hiding this comment.
What happens if the user object has no roles key? Some browsers may throw errors.
Saying if(user.roles & user.roles.length>0) may be better
There was a problem hiding this comment.
if I do this it adds a lot of code which will be redundant and also I will be repeating the same check twice since all am checking is if the array has content so it can proceed.
| return userHasPermittedRoles = false; | ||
| }); | ||
| } | ||
| if (userPrivileges.length > 0) { |
There was a problem hiding this comment.
if(userPrivileges.length > 0) is equivalent to if(userPrivileges.length)
Boolean values are some form of binary integer values so length 0 evaluates to false
There was a problem hiding this comment.
if I do this I will be evaluating if the length not if the array has content,
doing userPrivileges.length will return an integer which is not a good way of checking conditions but doing userPrivileges.length > 0 will be a boolean checking if the threshold of the length required to proceed is true or false
| @@ -153,7 +154,7 @@ export default class SingleAddon extends React.Component { | |||
| id="view-icon-wrapper" | |||
| > | |||
| { | |||
| app.install === false ? | |||
| app.install === false || isAdmin === false ? | |||
| <Link | |||
There was a problem hiding this comment.
use !app.install || !isAdmin
| if (user.roles.length > 0){ | ||
| const roles = user.roles; | ||
| const userRoles = roles.find((userRole) => { | ||
| if (userRole.display === "System Developer" || userRole.display === "Provider" ) { |
There was a problem hiding this comment.
There is no need to test for system developer or provider roles. All that one needs is the "Manage Modules" prvilege
There was a problem hiding this comment.
I tested for roles since the admin user we use for development do not have the list of priviledges so they are being locked out of the system and they cant view the add-ons manager that's why I resulted to using the roles as another way of giving access to developers so this also happens to the admin user on ref-app.
@dkayiwa
There was a problem hiding this comment.
Since the user has the System Developer role, they by default assume that privilege. So you do not need to test for the system developer role
There was a problem hiding this comment.
I have fixed and stripped giving the Provider the access
JIRA TICKET NAME:
AOM-120: Non-admin users have same privileges as a admin
SUMMARY:
Non admin users should not be able to start, stop, delete, start all using the add-on manager.