Fix a check for ancestor editor permissions at create#1629
Conversation
Signed-off-by: David Wallace <david.wallace@tu-darmstadt.de>
MyPyDavid
force-pushed
the
2.4.5/fix/check-ancestor-editor-permissions
branch
from
d6b4bd6 to
0e33c71
Compare
…1628 Signed-off-by: David Wallace <david.wallace@tu-darmstadt.de>
jochenklar
left a comment
jochenklar
left a comment
There was a problem hiding this comment.
Please review and refactor before creating an PR, I will not review purely generated PRs. Also please provice an explanation how the change works and remove the placeholders.
| } | ||
| response = client.post(url, data, content_type='application/json') | ||
| assert response.status_code == status_map['create'][username], response.json() | ||
| expected_status_code = status_map['create'][username] |
There was a problem hiding this comment.
Pleas do not autogenerate tests without proper review. This check should be based on the user as in every other test and not inferred from the request. This clutters out tests and hinders maintainability.
There was a problem hiding this comment.
it looked so nice for a second response.wsgi_request.user.has_perm(...) 🤤
Now I've added a new test cases to the status maps, 'create-with-parent'
There was a problem hiding this comment.
Please use a better name, do not autogenerate tests without proper review.
There was a problem hiding this comment.
yes, this one is removed now and a specific test test_*_rejects_foreign_site_parent is added to each viewset test module
| if request is None: | ||
| return | ||
|
|
||
| for field_name, _source_name, _target_name, _through_name in parent_fields: |
There was a problem hiding this comment.
Why is this not using get_parent_fields?
There was a problem hiding this comment.
it needed to be refactored, and the permissions check should only check and not pop any fields, right?!
I'm now using self.get_parent_field_data(attrs) which is also re-used by self.get_parent_fields(validated_data)..
|
Coverage is 95.102% — 2.4.5/fix/check-ancestor-editor-permissions into 2.4.5/release. No base build found for |
|
Thanks for the review! Yes, this PR was mostly AI-Engineered, it was still in Draft though. |
|
Ah sorry, good point. I need to check that more carefully. |
MyPyDavid
changed the title
Signed-off-by: David Wallace <david.wallace@tu-darmstadt.de>
Signed-off-by: David Wallace <david.wallace@tu-darmstadt.de>
Signed-off-by: David Wallace <david.wallace@tu-darmstadt.de>
…uery counts Signed-off-by: David Wallace <david.wallace@tu-darmstadt.de>
Signed-off-by: David Wallace <david.wallace@tu-darmstadt.de>
…parent test functions Signed-off-by: David Wallace <david.wallace@tu-darmstadt.de>
|
|
||
|
|
||
| def get_obj_perms_status_code(instance, username, method, editors=None): | ||
| def get_obj_perms_status_code(instance, username, action, editors=None): |
There was a problem hiding this comment.
this one was refactored just to make it clearer and more explicit what happens in there (since I could not follow it anymore) , this is actually a test "helper" and not a "util"
There was a problem hiding this comment.
This whole file is much to complex for just setting up something to check against. Why not just prepare list or dicts or even inline the status_code in the tests?
There was a problem hiding this comment.
yes, now, in the age (and with the help of) LLMs, I'll try to make it more explicit..
Signed-off-by: David Wallace <david.wallace@tu-darmstadt.de>
MyPyDavid
changed the title
|
Did some human-in-the-loop and some necessary refactoring and now it's ready for review! 👓 |
|
From discussion: maybe the permission check should go into a new separate |
jochenklar
left a comment
jochenklar
left a comment
There was a problem hiding this comment.
Nice, I think it works. I have some remarks about the tests, though.
|
|
||
|
|
||
| def get_obj_perms_status_code(instance, username, method, editors=None): | ||
| def get_obj_perms_status_code(instance, username, action, editors=None): |
There was a problem hiding this comment.
This whole file is much to complex for just setting up something to check against. Why not just prepare list or dicts or even inline the status_code in the tests?
| site_settings('bar.com') | ||
| client.login(username='bar-editor', password='bar-editor') | ||
|
|
||
| instance = Page.objects.get(uri_path='foo-page') |
There was a problem hiding this comment.
I think this is faulty. foo-page is read only for bar-editor anyway, so this does not test the implemented behaviour, right?
Also the section line should just be Section.objects.get(uri_path='foo-section')
There was a problem hiding this comment.
via the UI it should seem read only but for the API, bar-editor could post a page to the foo-section. That was the whole point of this fix right?!
There was a problem hiding this comment.
I though that the problem was that the bar-editor could post a bar-question to a foo-page (which they don't have permissions on). The bar-editor should not be able to post anything to the foo-question, right? Or maybe I am missing something.
There was a problem hiding this comment.
yes exactly! Im trying to make the explicit multisite object permissions status code maps like so :
STATUS_CODES = {
'detail': {
'http://example.com/terms/questions/catalog': status_map['detail'],
'http://example.com/terms/questions/catalog2': status_map['detail'],
'https://foo.com/terms/questions/foo-catalog': {
'user': 404, 'reviewer': 200, 'editor': 200,
'example-reviewer': 200, 'example-editor': 200,
'foo-user': 404, 'foo-reviewer': 200, 'foo-editor': 200,
'bar-user': 404, 'bar-reviewer': 404, 'bar-editor': 404,
'anonymous': 401
},
'https://bar.com/terms/questions/bar-catalog': {
'user': 404, 'reviewer': 200, 'editor': 200,
'example-reviewer': 200, 'example-editor': 200,
'foo-user': 404, 'foo-reviewer': 404, 'foo-editor': 404,
'bar-user': 404, 'bar-reviewer': 200, 'bar-editor': 200,
'anonymous': 401
},
},
....
}There was a problem hiding this comment.
Yes, I think this is much better. But then the test was faulty before right? Because bar-question/foo-page was not tested (or I missed it).
There was a problem hiding this comment.
the test before was more like bar-editor posting a bar-page that contained the foo-section
|
And yes, we should ad a check for The validator is probably not worth it since the whole validation is strongly coupled to the serializer. |
Signed-off-by: David Wallace <david.wallace@tu-darmstadt.de>
Signed-off-by: David Wallace <david.wallace@tu-darmstadt.de>
Signed-off-by: David Wallace <david.wallace@tu-darmstadt.de>
|
I've refactored/improved the tests and added test for the options as well. Would you approve these changes? |
jochenklar
left a comment
jochenklar
left a comment
There was a problem hiding this comment.
Thanks! I think I will check again tomorrow and then merge.
3 participants
Description
Related issue: #1628