[BUG] Unintended Access to dRep Registration and Editing Functions

[kneerose]

Context & versions

• Unrestricted Access to Registration: Registered dReps can access the /register_drep page, intended for new dRep registrations.
• Uncontrolled Access to Editing: Non-registered users can inappropriately access the /edit_drep page, meant for modifying existing dRep profiles.

Steps to reproduce

dRep user:

• Log in as a registered dRep user.
• Navigate to the URL for registering a new dRep /register_drep.

Non dRep User:

• Access the system with non-dRep users.
• Navigate to the URL for editing a dRep profile /edit_drep.

Expected behaviour

• Registered dReps: Upon accessing /register_drep, a registered dRep should be redirected to a relevant page (e.g. dashboard) with a clear message indicating they are already registered.
• Non-registered Users: When a non-registered user attempts to access /edit_drep, they should be redirected to the registration page (/register_drep) with a message explaining they need to register first.

Allure Report references

• 6G Should restrict edit dRep for non dRep
• 6H Should restrict dRep registration for dRep

[MSzalowski]

That should already be fixed @pmbinapps could you please retest it making sure that the issue no longer exists?

[pmbinapps]

OK NOW

• for not connected user, after reload user stays on dashboard when /edit_drep is used
• for connected as Drep after /edit_drep - Edit drep is used
• for connected as non-Drep /edit_drep shows Dashboard

@m-i-k-e TBC any behaviour mentioned in Expected results should be implemented.

[kneerose]

Hello @pmbinapps ,

The /edit_drep navigation is working fine, but the /register_drep navigation proceeds even if the user is already registered as a dRep.

Impact

• An error is thrown during registration

[kneerose]

Sentry Issue Details

• URL: View Issue

Test Report

• URL: Test Report

[kneerose]

@pmbinapps any updates on this?

[pmbinapps]

@kneerose assigning to @MSzalowski to clarify how to handle /register_drep when user is already a DRep.

[kneerose]

@jdyczka any update on this?

[jdyczka]

@kneerose Yes, the same problem exists for retire_drep, register_direct_voter and retire_direct_voter.
As far as how to handle this, instead of automatically redirecting the user, I would show a message with Go to dashboard button. The reason is that we have to fetch some data to know if the user can access this url and so for the automatic redirect scenario there is first a flash of the page with title and loader before the redirect happens.

[bosko-m]

@jdyczka @MSzalowski Is this now deployed?

[kneerose]

I see this message while navigating to the /register_drep page when the user is already a DRep. It seems that the issue has been fixed. What do you think, @MSzalowski and @jdyczka ?

CC: @bosko-m

[bosko-m]

Closing as per the comment above.