Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix download permissions #2517

Merged
merged 2 commits into from
Feb 4, 2019
Merged

Fix download permissions #2517

merged 2 commits into from
Feb 4, 2019

Conversation

escowles
Copy link
Member

@escowles escowles commented Feb 4, 2019

  • allow anonymous users to download any file attached to a public resource
  • allow staff to download all files

Fixes #1568; Fixes #2458

@escowles escowles added the Review label Feb 4, 2019
hackartisan
hackartisan requested changes Feb 4, 2019
View reviewed changes
Copy link
Member

@hackartisan hackartisan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you say something about why we have to look to parents, where we weren't doing that before?

spec/models/ability_spec.rb Outdated
@@ -227,6 +228,7 @@
is_expected.to be_able_to(:manifest, flagged_scanned_resource)
is_expected.to be_able_to(:color_pdf, color_enabled_resource)
is_expected.to be_able_to(:read, :graphql)
is_expected.to be_able_to(:download, other_staff_file)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you use a different resource name here? the reference to staff file implies that maybe it's not public.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This resource is used several places in the tests, and the name is to contrast with staff_file where we test staff interacting with their own files vs. with files created by another staff member.

I'd be happy to use admin_file instead, or create a new file called open_file if that seems like a clearer illustration.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I think open_file would be clearer in this context!

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 i've pushed another commit that switches to open_file

@escowles
Copy link
Member Author

escowles commented Feb 4, 2019

We're looking at parents because the requirement changed from "never let users download master files" to "let users download master files of public objects" — so we need to look at the state/visibility of the parent. I thought it made the most sense to just use can?(:read, parent) for that, in case we change our logic around which objects are public.

@hackartisan
Copy link
Member

got it. thanks!

@escowles escowles merged commit 182be2d into master Feb 4, 2019
@escowles escowles deleted the everybody-can-download branch February 4, 2019 15:50
@escowles escowles removed the Review label Feb 4, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hackartisan hackartisan hackartisan approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@escowles @hackartisan