Restrict ability on clients with archived intakes on hub client related actions #5491
Conversation
|
Heroku app: https://gyr-review-app-5491-7545bb5f1cb5.herokuapp.com/ |
| @@ -47,8 +43,6 @@ def destroy | |||
| end | |||
|
|
|||
| def edit | |||
| return render "public_pages/page_not_found", status: 404 if @client.intake.is_ctc? | |||
There was a problem hiding this comment.
this "public_pages/page_not_found" does not actually exist in the hub so this page is right now showing up blank, "raise CanCan::AccessDenied" will show the Access Denied page
| @@ -105,8 +99,6 @@ def update_take_action | |||
| end | |||
|
|
|||
| def unlock | |||
| raise CanCan::AccessDenied unless current_user.admin? || current_user.org_lead? || current_user.site_coordinator? | |||
There was a problem hiding this comment.
this is now specified in ability.rb, functionality is the same with the addition that they will also see this page if client has archived intake
| @@ -4,7 +4,7 @@ class CtcClientsController < Hub::BaseController | |||
| layout "hub" | |||
|
|
|||
| def edit | |||
| return render "public_pages/page_not_found", status: 404 unless @client.intake.is_ctc? | |||
There was a problem hiding this comment.
same as above this page doesn't exist for the hub
| @@ -1,7 +1,7 @@ | |||
| module Hub | |||
| class NotesController < Hub::BaseController | |||
| load_and_authorize_resource :client | |||
| load_and_authorize_resource through: :client, only: [:create] | |||
There was a problem hiding this comment.
we want it to authorize on all the actions
| @@ -53,7 +53,7 @@ | |||
| <%= f.hidden_field(:role, value: params[:role]) %> | |||
|
|
|||
| <div> | |||
| <%= f.submit t(".submit"), class: "button button--primary" %> | |||
There was a problem hiding this comment.
buttons were overlapping
| can :manage, TaxReturnSelection, tax_returns: { client: { vita_partner: accessible_groups } } | ||
| cannot :manage, TaxReturnSelection, tax_returns: { client: { vita_partner: VitaPartner.where.not(id: accessible_groups) }} | ||
| can :manage, TaxReturnSelection, tax_returns: { client: { vita_partner: accessible_groups, intake: { product_year: Rails.configuration.product_year } } } | ||
| cannot :manage, TaxReturnSelection, tax_returns: { client: { vita_partner: VitaPartner.where.not(id: accessible_groups) } } |
There was a problem hiding this comment.
technically i don't think we need this line
There was a problem hiding this comment.
never mind i removed it and it caused issues
| client_role_whitelist = [ | ||
| :client_success, :admin, :org_lead, :site_coordinator, | ||
| :coalition_lead, :state_file_admin, :team_member | ||
| ].freeze | ||
|
|
||
| if user.role?(client_role_whitelist) | ||
| can :manage, Client, vita_partner: accessible_groups |
There was a problem hiding this comment.
I kept existing functionality that admins can manage everything for the Client. In the future, since the client management actions are now broken out for client_role_whitelist users and not a blanket :manage action, we'll have to remember to explicitly allow them for non-admins if needed. Not sure we should explicitly state each client action permission for admins too as a guardrail for pushing up work that needs to touch this ability file?
…strict-editing-client-tax-returns-from-previous-years
| @@ -12,11 +12,7 @@ class ClientsController < Hub::BaseController | |||
| before_action :redirect_unless_client_is_hub_status_editable, only: [:edit, :edit_take_action, :update, :update_take_action] | |||
| layout "hub" | |||
|
|
|||
| MAX_COUNT = 1000 | |||
There was a problem hiding this comment.
used to be used for pagination, now not getting used anything
embarnard
changed the title
embarnard
changed the title
| :update_13614c_form_page1, :update_13614c_form_page2, | ||
| :update_13614c_form_page3, :cancel_13614c, | ||
| :resource_to_client_redirect, |
There was a problem hiding this comment.
just asking for my own curiosity: what was :resource_to_client_redirect originally for/doing? (i'm seeing that it got removed here.)
Link to pivotal/JIRA issue
Is PM acceptance required? (delete one)
Reminder: merge main into this branch and get green tests before merging to main
What was done?
Restrict ability of hub users non-admins from making changes to clients with archived intakes including:
There was also some general clean up of the ability and client controller file including:
public_pages/page_not_foundwith 403 pageHow to test?
Screenshots (for visual changes)
fixed random overlapping buttons, everything else visually should be the same