Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move return authorizations from spree_backend to OFN #4450

Merged
merged 2 commits into from
Nov 22, 2019
Merged

Move return authorizations from spree_backend to OFN #4450

merged 2 commits into from
Nov 22, 2019

Conversation

luisramos0
Copy link
Contributor

@luisramos0 luisramos0 commented Nov 8, 2019
edited
Loading

What? Why?

Part of #4050

This moves return authorizations from spree_backend to OFN. No change in functionality.

What should we test?

Make sure the return authorizations page is work correctly for a given order.

Release notes

Changelog Category: Changed
Imported views related to return authorizations management from spree_backend to make OFN more independent of Spree.

@luisramos0 luisramos0 self-assigned this Nov 8, 2019
@luisramos0 luisramos0 changed the title Return auth Move return authorizations from spree_backend to OFN Nov 8, 2019
@luisramos0 luisramos0 mentioned this pull request Nov 8, 2019
Closed
mkllnk
mkllnk approved these changes Nov 9, 2019
View reviewed changes
Copy link
Member

@mkllnk mkllnk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good to have this in our code now. It needs improving.

app/controllers/spree/admin/return_authorizations_controller.rb
create.after :associate_inventory_units

def fire
@return_authorization.public_send("#{params[:e]}!")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a terrible pattern for security. I can't even see any authorisation here. The client can call any method ending in ! on this object. Good to have that visible in our code now.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Um... I'm not sure we should merge this as is?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or at least make an issue to change this line, and put it at the top of Tech Debt.

Copy link
Contributor Author

@luisramos0 luisramos0 Nov 22, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is live code .
this is not only spree 2 code but also spree master code 🙈 🤕
https://github.com/spree/spree/blob/98fa319554e9bad01fee9a9f56500eea99847d29/backend/app/controllers/spree/admin/return_authorizations_controller.rb#L11

I think the security risk is really just adding return authorizations.

I'll create a tech debt issue.
https://github.com/openfoodfoundation/ofn-security/issues/21

@RachL
Copy link
Contributor

RachL commented Nov 14, 2019

@luisramos0 what or where is the return authorizations page? 😁

@luisramos0
Copy link
Contributor Author

ahah, it's a dead feature but I think we decided to keep it at some point during the upgrade to spree v2...
there is 1 authorization in Uk live, 2 in AU and 3 in France...

anyway, it's in orders, first you have to ship the order to be able to register return authorizations.
If there are issues in this PR I think it's better if we verify the feature in the current version to verify if it's a new problem or an existing one. Thanks!

@filipefurtad0 filipefurtad0 self-assigned this Nov 18, 2019
@filipefurtad0 filipefurtad0 added the pr-staged-uk staging.openfoodnetwork.org.uk label Nov 18, 2019
@filipefurtad0
Copy link
Contributor

Hey @luisramos0,

I am not so familiar with this feature, but I had a look before and after staging the PR, and all behaved similarly. I was able to create, edit, delete Return Authorizations, and these had the effect on the values in the orders table.

I found some small issues/possible improvements, but I think these are not related with this PR:

  • in the field Amount / RMA any value in quantity is accepted. This may lead to negative values on the orders table (see below). Is it supposed to be so?
  • similarly, I guess Return Quantity should be =< Quantity Shipped

image

Should I open Issues on these? Or is this rather a fearture which will be removed in the future?

I moved it to Ready to Go, but please let me know if there is something more specific I should check. Thank you! :-)

@filipefurtad0 filipefurtad0 removed the pr-staged-uk staging.openfoodnetwork.org.uk label Nov 18, 2019
@luisramos0
Copy link
Contributor Author

rebased to resolve conflict.

Thanks Filipe!
Yeah, this is such a corner of the app that I think we can leave those issues as they are...

Merging.

@luisramos0 luisramos0 merged commit 689eb88 into openfoodfoundation:master Nov 22, 2019
@luisramos0 luisramos0 deleted the return_auth branch November 22, 2019 14:33
@luisramos0 luisramos0 mentioned this pull request Feb 6, 2020
Merged
18 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Matt-Yorkley Matt-Yorkley Matt-Yorkley left review comments

@mkllnk mkllnk mkllnk approved these changes

@sauloperez sauloperez sauloperez approved these changes

Assignees

@luisramos0 luisramos0

@filipefurtad0 filipefurtad0

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@luisramos0 @RachL @filipefurtad0 @sauloperez @mkllnk @Matt-Yorkley