Backend: Extra cancancan validations for some URL resource links #2823

Open · wants to merge 1 commit into base: master


memotoro commented Aug 7, 2018

Hello

In the backend system, some resource links are accessible without any cancancan validations. These extra simple conditionals will help to avoid a leak of those resources for users without the right roles and permission sets. These changes simply avoid rendering the "create new resource" links if the user has no permissions to do so, giving a cleaner backend user experience.

Regards

@kennyadsl

Thanks for your contribution! I left some questions, also specs are failing, can you please take a look?

@@ -13,6 +13,7 @@
<%= render 'new', product: @product, image: Spree::Image.new(viewable: @product) %>
</div>
<% if can?(:create, Spree::Image) %>
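Review bot: the new `<% if can?(:create, Spree::Image) %>` guard opens after the `</div>` that closes the `render 'new'` block, so the new-image form partial on the line above is still rendered for users who lack `:create`; if the intent is to hide the "create new resource" form rather than whatever follows it, the guard belongs above the `<div>` that wraps `<%= render 'new', product: @product, image: Spree::Image.new(viewable: @product) %>`. The matching `<% end %>` is outside the shown context, so confirm it closes the intended block, and indent the guarded content one level as kennyadsl asks.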

kennyadsl Aug 7, 2018

Member

The inner content needs an indentation here

memotoro Aug 8, 2018

@kennyadsl . You're right. I'll fix it.

@@ -7,7 +7,7 @@
<li>
<%= link_to t('spree.new_order'), new_admin_order_url, id: 'admin_new_order', class: 'btn btn-primary' %>
</li>
<% end if can? :create, Spree::Order %>
<% end if can? :manage, Spree::Order %>
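Review bot: changing the guard from `:create` to `:manage` makes the check stricter than the action the link performs (`new_admin_order_url`), which only makes sense if `:create` is granted more widely than intended; that deserves a sentence in the commit message or a code comment so the next reader does not "fix" it back. Whichever ability is checked, this only controls whether the link is rendered: the orders controller's `new`/`create` actions must still run `authorize!`, since the URL can be requested without the link. The `<% end if can? :manage, Spree::Order %>` form also hides the condition at the end of the block; an explicit `<% if can? :manage, Spree::Order %> ... <% end %>` around the `<li>` is easier to audit.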

kennyadsl Aug 7, 2018

Member

why manage if the link is for creating orders only?

memotoro Aug 8, 2018

Hello @kennyadsl .

There are two classes to manage the permission sets, Spree::PermissionSets::OrderManagement and Spree::PermissionSets::OrderDisplay. The OrderManagement establishes the ':manage' permissions. The display establishes the ':display' and ':admin' permissions. If I want to restrict a user with only the permission OrderDisplay, I have to check for the ':manage' permission as, for some reason, the ':create' permission on OrderDisplay is still allowing the button to be rendered, allowing the user to click the New Order button and create an empty order that cannot be modified, not a great user experience I guess. I'm not sure why ':create' is still available on OrderDisplay. Do you know how to fix this issue? Maybe I misunderstood the OrderDisplay role. Let me know your thoughts about it.

memotoro Aug 29, 2018

Hello @kennyadsl

Do you have any thoughts about my previous comments on PermissionSets?

Regards

kennyadsl Sep 4, 2018

Member

By default only this permissions set is activated. I think that at line 10 it sets the create ability for Order. Are you setting the other permissions for a specific user in some way via code?
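kennyadsl's reply is the key to memotoro's observation: the default permission set stays active for every user and grants :create on Spree::Order, and cancancan rules are additive, so activating OrderDisplay on top of it cannot take :create away; only a stricter query such as :manage tells the two admins apart. The following added example (mine, not Solidus or cancancan code) models that composition with a minimal stand-in for cancancan's rule matching; the set names and grants are assumptions taken from this thread, not the real permission-set classes.

```ruby
# Added example, not Solidus or cancancan code: a minimal stand-in for
# cancancan's additive rule matching, enough to show how permission sets combine.
class MiniAbility
  def initialize
    @rules = [] # each entry: [action, subject_class]
  end

  # Grant one or more actions on a subject class. Grants only ever add; there is
  # no way for a later permission set to revoke what an earlier one allowed.
  def can(actions, subject)
    Array(actions).each { |action| @rules << [action, subject] }
    self
  end

  # A rule matches when its subject covers the queried class and its action is
  # either :manage (cancancan's "any action") or exactly the action asked for.
  def can?(action, subject)
    @rules.any? do |rule_action, rule_subject|
      (subject <= rule_subject) && (rule_action == :manage || rule_action == action)
    end
  end
end

# Stand-in for the model named in the thread (constructed, not the real class).
module Spree
  class Order; end
end

# Permission sets as described in the thread (assumed shapes): the default set
# grants :create on Order, OrderDisplay only :display/:admin, OrderManagement :manage.
DEFAULT_SET      = ->(a) { a.can :create, Spree::Order }
ORDER_DISPLAY    = ->(a) { a.can [:display, :admin], Spree::Order }
ORDER_MANAGEMENT = ->(a) { a.can :manage, Spree::Order }

# Build an ability by activating the given sets in order, as an Ability class would.
def ability_for(*sets)
  sets.each_with_object(MiniAbility.new) { |set, ability| set.call(ability) }
end

# A read-only admin still has the default set active underneath OrderDisplay.
def display_only_admin
  ability_for(DEFAULT_SET, ORDER_DISPLAY)
end

def managing_admin
  ability_for(DEFAULT_SET, ORDER_MANAGEMENT)
end

# The decision the view guard makes for the "New Order" link under a given check.
def show_new_order_link?(ability, check)
  ability.can?(check, Spree::Order)
end
```

With the :create guard the display-only admin still sees the link (the default set grants it); with the :manage guard only the managing admin does, which is the behaviour the PR settles on.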

backend/app/views/spree/admin/payments/index.html.erb (outdated)
@@ -3,7 +3,7 @@
<% content_for :page_actions do %>
<% if @order.shipments.any? &:shipped? %>
<li>
<% if can? :create, Spree::ReturnAuthorization %>
<% if can? :manage, Spree::ReturnAuthorization %>
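Review bot: the `can?` check sits inside the `<li>`, so a user without `:manage` on `Spree::ReturnAuthorization` still gets an empty `<li>` rendered in the page actions; move the guard outside the `<li>` so the whole item disappears. As with the orders link, this gates rendering only, and the return-authorization controller must still enforce `authorize!` on its `new`/`create` actions.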

kennyadsl Aug 7, 2018

Member

same question as above

memotoro Aug 8, 2018

@kennyadsl Same comment with the OrderDisplay issue mentioned above.

tvdeyen Sep 11, 2018

Member

I think :manage is fine for orders and returns. It only makes sense to be able to create an order if you are also able to update it.

Please fix the specs. Thanks for the contribution

memotoro Sep 25, 2018

@kennyadsl @tvdeyen . Changes as requested. Let me know your thoughts. Regards

ericsaupe Oct 11, 2018

Contributor

Looks good. Would you mind squashing your commits?

Adds cancancan validations for the following resources:
Spree::Image, Spree::Order, Spree::Payment, Spree::ReturnAuthorization