Refactoring pundit for authentication #16133
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hennevogel
force-pushed
the
refactoring/require_login
branch
from
a55fda7
to
33fb3ae
Compare
hennevogel
force-pushed
the
refactoring/require_login
branch
4 times, most recently
from
d6fcd97
to
b0ffbe7
Compare
hennevogel
force-pushed
the
refactoring/require_login
branch
6 times, most recently
from
ddd2cea
to
3fe90e3
Compare
|
I'm not going to touch the codeclimate complaint in |
danidoni
reviewed
May 16, 2024
hennevogel
force-pushed
the
refactoring/require_login
branch
from
3fe90e3
to
7fbf0b1
Compare
danidoni
approved these changes
May 22, 2024
Use the standard require_login before action instead (which is running by default in the API...) KISS
Use the standard require_login before action. Also, drop the `params['default_form']` handling, it isn't used anywhere. Probably was before the admin part got moved to `Webui::SubscriptionsController`?
It was only used to require User.session for this route. Require login for /my/patchinfos via standard means. KISS
It was only used require an authenticated User.session. Require login for /my/tasks via standard means. KISS
Instead follow the other examples in ReportPolicy: You can not report things you created.
Use the standard require_login before action. KISS.
Use the standard require_login before action. KISS.
Use the standard require_login before action. KISS. Also: Use policy_scope to limit what people can see.
No need to duplicate the policy. It already lead to deviation for update? and the "stub" code allowing everything is a nasty trap.
There are no notifications anymore with subscriber_type 'Group' since we create a notification for every group member instead.
- spec if out completely in rspec, drop minitest tests - update was not exposed in the routes - XML consumed was not validated correctly - no error handling for create/update
hennevogel
force-pushed
the
refactoring/require_login
branch
from
7fbf0b1
to
97bc55d
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In #10083 we extended our pundit
ApplicationPolicywith an option to ensure that someone is logged in. We then started to bake this into controllers. I think the analysis of #10083 is wrong, Pundit is for authorization a.k.a. who can do what.require_loginis for ensuring someone is authenticated a.k.aUser.sessionis set.It should have been clear that this isn't the best idea by the amount of custom code we had to add to pundit policies and controllers. Let's roll this back.
Closes #10083