Put some band-aids on draft sharing by admin users.
Review Request #13398 — Created Nov. 2, 2023 and submitted
For a while, it's been possible for admin users to modify other people's
review requests. In most cases this is used for things like
reassignining the owner, but some people use it as a way to collaborate
We've always had some weirdness with draft visibility by admins. They
could see that a draft was present, and prior to 6.0 would be able to
publish it, but they were never shown that draft data. Changes in 6.0
related to how things get published caused clicking the "Publish" button
to return an error.
This change adds two band-aids to this process. First, the details
data blob has been updated to always fetch the draft when the review
request is mutable by the requesting user. This makes it so admins will
see the draft data. Second, the batch endpoint has been updated to
fetch any existing draft rather than limiting by the requesting user.
- Was able to manipulate and publish review requests by other users.
Verified that both the review request owner and a separate admin user
were able to see the draft data.
- Ran unit tests.
Add a unit test.
Revision 2 (+58 -4)