@krauselukas
Contributor

  • The policy doesn't check if the assigner is authorized to add an assignee to a package. As of now everyone can add an assignee. We have to check if the assigner is a collaborator as well.
  • Right now we show the assignment option to every user. We should only show it if the user is actually authorized to assign someone.

The policy doesn't check if the assigner is authorized to add
an assignee to a package. As of now everyone can add an assignee.
We have to check if the assigner is a collaborator as well.
@krauselukas krauselukas added the Frontend Things related to the OBS RoR app label Nov 6, 2025
Right now we show the assignment option to every user. We should only
show it if the user is actually authorized to assign someone.
@krauselukas krauselukas force-pushed the fix/show_assignment_option_authorization branch from f92bd5e to e6026eb Compare November 6, 2025 17:17
return true if user.admin?
return false unless assigneer_is_a_collaborator?

record.assignee_is_a_collaborator?
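
Review bot: `return true if user.admin?` on the first line returns before `record.assignee_is_a_collaborator?` is evaluated, so an admin can assign a user who is not a collaborator while every other assigner is limited to collaborators. If that asymmetry is intended, state it in a comment above the method and cover it in a spec; if not, run the assignee check before the admin shortcut.
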
Contributor

Correct me if I'm wrong:
We check the assigner is a collaborator and can indeed assign someone, that's right.
But then we check we can only assign collaborators.
So in the end this only allows collaborators to assign other collaborators, is this how it should be?

Comment on lines +71 to +76
def assigneer_is_a_collaborator?
collaborators = (record.relationships + record.project.relationships).map(&:user)
return false if collaborators.empty?

collaborators.include?(user)
end
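
Review bot: `return false if collaborators.empty?` in the method body is redundant, because `collaborators.include?(user)` already returns false for an empty array, so the guard can be dropped. The `.map(&:user)` on the line above loads every relationship of the package and its project just to answer a yes/no question, and it yields `nil` for any relationship that has no user, so an existence query scoped to `user` would be tighter. The method name reads `assigneer`; `assigner_is_a_collaborator?` would match the wording of the PR description and sit better next to `assignee_is_a_collaborator?`.
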
Contributor

I think this can be moved into User, that way you can reuse it for this and for the AssignmentPolicy
