fix: limit assignable roles to the user's manage-team permissions#172
fix: limit assignable roles to the user's manage-team permissions#172dcoa wants to merge 3 commits into
Conversation
|
Thanks for the pull request, @dcoa! This repository is currently maintained by Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review. 🔘 Get product approvalIf you haven't already, check this list to see if your contribution needs to go through the product review process.
🔘 Provide contextTo help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:
🔘 Get a green buildIf one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green. DetailsWhere can I find more information?If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources: When can I expect my changes to be merged?Our goal is to get community contributions seen and reviewed as efficiently as possible. However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:
💡 As a result it may take up to several weeks or months to complete a review and merge your PR. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #172 +/- ##
==========================================
+ Coverage 97.44% 97.48% +0.04%
==========================================
Files 66 66
Lines 1525 1552 +27
Branches 386 370 -16
==========================================
+ Hits 1486 1513 +27
Misses 39 39 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
| const contexts = new Set<string>(); | ||
| permissions?.forEach((p) => { | ||
| if (!p.allowed) { return; } | ||
| if (p.action === CONTENT_LIBRARY_PERMISSIONS.VIEW_LIBRARY_TEAM) { contexts.add('library'); } |
There was a problem hiding this comment.
nit
| if (p.action === CONTENT_LIBRARY_PERMISSIONS.VIEW_LIBRARY_TEAM) { contexts.add('library'); } | |
| if (p.action === CONTENT_LIBRARY_PERMISSIONS.VIEW_LIBRARY_TEAM) { contexts.add(CONTEXT_TYPE.LIBRARY); } |
There was a problem hiding this comment.
Thanks @bra-i-am, I made the nit changes.
| permissions?.forEach((p) => { | ||
| if (!p.allowed) { return; } | ||
| if (p.action === CONTENT_LIBRARY_PERMISSIONS.VIEW_LIBRARY_TEAM) { contexts.add('library'); } | ||
| if (p.action === CONTENT_COURSE_PERMISSIONS.VIEW_COURSE_TEAM) { contexts.add('course'); } |
There was a problem hiding this comment.
nit
| if (p.action === CONTENT_COURSE_PERMISSIONS.VIEW_COURSE_TEAM) { contexts.add('course'); } | |
| if (p.action === CONTENT_COURSE_PERMISSIONS.VIEW_COURSE_TEAM) { contexts.add(CONTEXT_TYPE.COURSE); } |
| { action: CONTENT_LIBRARY_PERMISSIONS.MANAGE_LIBRARY_TEAM }, | ||
| { action: CONTENT_COURSE_PERMISSIONS.MANAGE_COURSE_TEAM }, |
There was a problem hiding this comment.
nit: maybe this can be a constant because these permissions are used in AssignRoleWizardPage.tsx too
const MANAGE_PERMISSIONS = [
{ action: CONTENT_LIBRARY_PERMISSIONS.MANAGE_LIBRARY_TEAM },
{ action: CONTENT_COURSE_PERMISSIONS.MANAGE_COURSE_TEAM },
]| import { Language, LibraryBooks, School } from '@openedx/paragon/icons'; | ||
| import messages from './messages'; | ||
|
|
||
| export const getRolesFiltersOptions = (intl: IntlShape) => [ |
There was a problem hiding this comment.
nit: use the contentType constant I recommended in RolesFilter.tsx
| { action: CONTENT_LIBRARY_PERMISSIONS.MANAGE_LIBRARY_TEAM }, | ||
| { action: CONTENT_COURSE_PERMISSIONS.MANAGE_COURSE_TEAM }, |
There was a problem hiding this comment.
nit: use the constant I recommended in AddRoleButton.tsx
Yes, that is the expected behavior, you can get more information here #173 |
| })); | ||
|
|
||
| // Mock constants | ||
| jest.mock('./course/constants', () => ({ |
There was a problem hiding this comment.
Due to the introduction of MANAGE_TEAM_PERMISSIONS test stated to failing for the mock (that I consider an unusual decision for constants, specially in this component that any change in the constant is important)
There was a problem hiding this comment.
I just noticed here is used the MANAGE_TEAM_PERMISSIONS in the useValidateUserPermissionsNonSuspense but then the permissions returned are being compared with the view constants below:
p.action === CONTENT_LIBRARY_PERMISSIONS.VIEW_LIBRARY_TEAM








Description
The "Assign Role" entry point and the role list inside the assignment wizard were shown to every user regardless of whether they could actually manage a team. This PR gates both on the current user's permissions, so people only see the action and the role groups they're allowed to assign.
Changes
AddRoleButton
MANAGE_LIBRARY_TEAM/MANAGE_COURSE_TEAMand renders the button only when at least one is allowed; otherwise renders nothing.AssignRoleWizardPage
rolesAssignablefrom the permission response, library roles when library-team management is allowed, course roles when course-team management is allowed, and passes them toAssignRoleWizardvia the existing roles prop.allRolesMetadataused as default value in roles props for an empty array. So in the meantime the validation is done the user don't see the complete list.RolesFilter
VIEW_LIBRARY_TEAM/VIEW_COURSE_TEAMand renders the respecting roles according to the allowed scope.Context
It follows the proposal in openedx/wg-build-test-release#603
It solves #163
It solves #161
Testing instructions
Important
Depends on openedx/openedx-authz#348 - Available in version
openedx-authz==1.20.0