Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix current version bug #366

Open
wants to merge 5 commits into
base: release-2024.4.4
Choose a base branch
from

Conversation

EstelleDa
Copy link
Member

@EstelleDa EstelleDa commented Dec 5, 2024

Only show unpublished superseding score set to the users who have permissions to view it. The current version to other users will only be the published one.

Fix #370

…missions to view it. The current version to other users will only be the published one.
Copy link
Collaborator

@bencap bencap left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for looking at this Estelle. Is there a reason why all of the function definitions got an extra indent? It also might be nice if we add a test that ensures this new behavior to superseding score sets.

Comment on lines 107 to 116
if(
item
and item.superseding_score_set
and not owner_or_contributor
and (
urn_re.MAVEDB_OLD_TMP_URN_RE.fullmatch(item.superseding_score_set.urn)
or urn_re.MAVEDB_TMP_URN_RE.fullmatch(item.superseding_score_set.urn)
)
):
item.superseding_score_set = None
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if instead of checking like this we check the permissions of the superseding score set, something like:

Suggested change
if(
item
and item.superseding_score_set
and not owner_or_contributor
and (
urn_re.MAVEDB_OLD_TMP_URN_RE.fullmatch(item.superseding_score_set.urn)
or urn_re.MAVEDB_TMP_URN_RE.fullmatch(item.superseding_score_set.urn)
)
):
item.superseding_score_set = None
from mavedb.lib.permissions import Action, assert_permission, has_permission
if item.superseding_score_set:
superseding_score_set = db.scalars(select(ScoreSet).where(ScoreSet.urn = item.superseding_score_set).one()
if not has_permission(user, item, Action.READ):
item.superseding_score_set = None

This way, we don't have to maintain any extra permission logic and can guarantee the item within the superseding score set property is only returned if the user has access to it.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I modified it. I check item.superseding_score_set directly cause it's an object.

@bencap bencap changed the base branch from release-2024.4.3 to release-2024.4.4 December 10, 2024 22:36
Copy link
Collaborator

@bencap bencap left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you also be able to fix the extra indentations before merging? The logic looks good!

@EstelleDa
Copy link
Member Author

Would you also be able to fix the extra indentations before merging? The logic looks good!

@bencap Do you mean the one we discussed in Slack, #371?

…score sets are unpublished yet. Haven't fixed the search score set codes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
2 participants