Hide location action buttons unless user has permission to do the action #1268
Conversation
There was a problem hiding this comment.
Hi @laura-barluzzi, some the tests are failing. Please make sure all tests pass before we can proceed with the review.
|
Hi @oliverroick, I made some changes and now all the tests run on my machine. |
There was a problem hiding this comment.
Hi @laura-barluzzi - thanks for your work on this! It looks good from a ui perspective! Can you just update your branch to be current with the latest master branch?
|
Hi @clash99, I've updated it. Let me know if there's something else to do. |
There was a problem hiding this comment.
Hi @laura-barluzzi, thank you for your contribution. It looks almost ok, there are two things I would like to ask you to change:
- Check the permissions against the correct object (see my comment in the code).
- You have only added tests for users who have all permissions. Could you also add tests that render the view with users who don't have permissions and thus should not see the buttons?
Thanks!
cadasta/organization/views/mixins.py
Outdated
| @@ -186,6 +186,10 @@ def get_context_data(self, *args, **kwargs): | |||
| project = self.get_project() | |||
| context['is_allowed_add_location'] = user.has_perm('spatial.create', | |||
| project) | |||
| context['is_allowed_update_location'] = user.has_perm('spatial.update', | |||
| project) | |||
There was a problem hiding this comment.
Your checkin the permission against the wrong object here. For spatial.create project is fine, because the user wants to create a spatial unit for the project. For spatial.update and spatial.delete, you need to use the spatial unit instance from the view; the permission needs to be checked against itself and not its project.
|
Hi @oliverroick, I changed the logic so that the permission is checked against the location object instead of the project, but I struggle to figure out how to update the tests. Can you please guide me on this? Cheers |
|
Hey @laura-barluzzi, If you look at this part; this is where permissions are assigned to a user. In a default test the user has these permissions, so the buttons are shown. You now need to add a test for the case when the buttons are not shown. In that test, you need to:
You can create policies that deny permissions by copying the clauses that I linked above and add another clause that looks like this: {
'effect': 'deny',
'object': ['spatial/*/*/*'],
'action': ['spatial.update', 'spatial.delete']
},Combined with the other policies the user will be able to view all locations but not edit or delete any of them. If you look at this test case, you'll see an example how to use a specific user with a request (for step 3) and how you can overwrite specific items in the template context for the rendered expected response to make sure the buttons are not rendered (for step 4). Note: We're using django-skivvy to setup test cases for views. Each test class defines a standard template context for expected response for all the tests (see here for reference). And you can overwrite selected items using |
|
Hi @oliverroick, thank you for telling me how to add a new test. Before adding the new tests, I'd like to address something I'm confused about and I was hoping you could help me figure this out. Currently some of the existing tests fail, e.g. https://travis-ci.org/Cadasta/cadasta-platform/jobs/212860743#L955-L975 Currently all the exiting test template contexts render the edit/delete location buttons e.g. https://github.com/Cadasta/cadasta-platform/pull/1268/files#diff-d2f99481b1c4d834b7e971c17527a28cR590 And by default, the user has all permissions on the spatial object: https://github.com/laura-barluzzi/cadasta-platform/blob/bugfix/%231233/cadasta/spatial/tests/test_views_default.py#L42-L44 So doesn't that mean that the buttons should get rendered and the tests should pass? I'm confused what's going on here. Why the tests are not passing? |
|
You have only added the permissions check to It would be a good idea to move the functionality to work out the permissions into a mixin and apply that to all the views that require it. Otherwise you'd be replicating a lot of code. Good job on writing the tests so thoroughly! |
|
Hi @oliverroick, I figured out how to make all the tests pass and I pushed this commit. Next I'll add the test for cases without buttons. |
|
Hi @oliverroick I added the test with the denied edit/delete permission. Let me know what you think and if there's something else to do before merging. |
There was a problem hiding this comment.
Hi @laura-barluzzi, you're almost there. There's a small bug in the template that you still need to fix. See the comment in the code
| @@ -12,8 +12,12 @@ | |||
| <h2 class="short"><span>{% trans "Location" %} </span>{{ location.name }}</h2> | |||
| <div class="top-btn pull-right"> | |||
| <!-- Action buttons --> | |||
| <a class="btn btn-default btn-action btn-sm" href="{% url 'locations:edit' object.organization.slug object.slug location.id %}" title="{% trans 'Edit location' %}" aria-label="{% trans 'Edit location' %}"><span class="glyphicon glyphicon-pencil"></span></a> | |||
| <a class="btn btn-default btn-action btn-sm" href="{% url 'locations:delete' object.organization.slug object.slug location.id %}" title="{% trans 'Delete location' %}" aria-label="{% trans 'Delete location' %}"><span class="glyphicon glyphicon-trash"></span></a> | |||
| {% if is_allowed_update_location %} | |||
There was a problem hiding this comment.
The edit button is never shown because you're using the wrong template context name here.
Proposed changes in this pull request
Fix bug #1233: only show the location action buttons to users who have permission to do the action.
Screenshot of location view for user without edit/delete permission:
Screenshot of location view for user with edit/delete permission:
When should this PR be merged
No dependencies.
Risks
None.
Follow up actions
None.
Checklist (for reviewing)
General
migrationlabel if a new migration is added.Functionality
Code
Tests
Documentation