Centralize a method for checking if a user can access an attachment's review UI.
Review Request #14123 — Created Aug. 26, 2024 and updated
This change is motivated by a bug we have in Power Pack. When an unlicensed
user uploads a PDF (or any other file attachment that requires a Power
Pack license to review), the user can see the "Review" file action and
can click on the file attachment as if they have access to the review UI.
Navigating to the review UI leads to a 404, and reloading the review
request page properly shows the file attachment as un-reviewable.This happens because the file attachment thumbnail view would assume that the
file attachment was reviewable if it had a review URL. However even though
an attachment has a review URL, it doesn't mean the user can access that
review URL.To address this, we add a new
can_access_review_ui
method on the
File Attachment model, which given a user will return whether the user can
access the review UI for the file attachment. We already had two functions in
the codebase that achieved this, one public and one internal. We remove the
internal one and deprecate the public one, instead point to the new method on
the File Attachment model. And we update the file attachment thumbnail
view to check for this boolean before displaying the attachment as reviewable.
- Ran unit tests.
- Tested uploading a PDF document as an unlicensed user, saw that I couldn't
review it. - Tested uploading an image file attachment as an unlicensed user, saw that
I could review it. - Did the same tests as a licensed user.
- Made sure you can't navigate to a review UI that you can't access using
the "previous" and "next" file attachment thumbnails.
Summary | ID |
---|---|
c73e9e77001cc59d29769c4f7921276c777f27de |
Description | From | Last Updated |
---|---|---|
I'd suggest maybe naming this is_review_ui_accessible_by(), to keep with the is_accessible_by() methods. |
chipx86 | |
Typo in the second paragraph of the description: "hapens" |
chipx86 | |
We should import this at the top of the module. |
chipx86 | |
This is missing a -> None. Same below. |
chipx86 | |
We sort these from newest to oldest. |
chipx86 | |
Typical docs we use is "The HTTP request from the client", just to make it clear. |
chipx86 | |
This needs a Version Added. |
chipx86 | |
Let's use single quotes here. |
chipx86 | |
line too long (85 > 79 characters) Column: 80 Error code: E501 |
reviewbot |
- Change Summary:
-
- Renamed
FileAttachment.can_access_review_ui
toFileAttachment.is_review_ui_accessible_by
. - Typing and doc fixes.
- Renamed
- Description:
-
This change is motivated by a bug we have in Power Pack. When an unlicensed
user uploads a PDF (or any other file attachment that requires a Power Pack license to review), the user can see the "Review" file action and can click on the file attachment as if they have access to the review UI. Navigating to the review UI leads to a 404, and reloading the review request page properly shows the file attachment as un-reviewable. ~ This hapens because the file attachment thumbnail view would assume that the
~ This happens because the file attachment thumbnail view would assume that the
file attachment was reviewable if it had a review URL. However even though an attachment has a review URL, it doesn't mean the user can access that review URL. To address this, we add a new
can_access_review_ui
method on theFile Attachment model, which given a user will return whether the user can access the review UI for the file attachment. We already had two functions in the codebase that achieved this, one public and one internal. We remove the internal one and deprecate the public one, instead point to the new method on the File Attachment model. And we update the file attachment thumbnail view to check for this boolean before displaying the attachment as reviewable. - Commits:
-
Summary ID cfc197bf962fe9f898e9b4a40d0e184183435bde 1047272feb5d73d323639c084a70f4add4b75b86 - Diff:
-
Revision 2 (+344 -188)
- Commits:
-
Summary ID 1047272feb5d73d323639c084a70f4add4b75b86 c73e9e77001cc59d29769c4f7921276c777f27de - Diff:
-
Revision 3 (+346 -188)