Centralize a method for checking if a user can access an attachment's review UI.
Review Request #14123 — Created Aug. 26, 2024 and submitted — Latest diff uploaded
This change is motivated by a bug we have in Power Pack. When an unlicensed
user uploads a PDF (or any other file attachment that requires a Power
Pack license to review), the user can see the "Review" file action and
can click on the file attachment as if they have access to the review UI.
Navigating to the review UI leads to a 404, and reloading the review
request page properly shows the file attachment as un-reviewable.This happens because the file attachment thumbnail view would assume that the
file attachment was reviewable if it had a review URL. However even though
an attachment has a review URL, it doesn't mean the user can access that
review URL.To address this, we add a new
can_access_review_ui
method on the
File Attachment model, which given a user will return whether the user can
access the review UI for the file attachment. We already had two functions in
the codebase that achieved this, one public and one internal. We remove the
internal one and deprecate the public one, instead point to the new method on
the File Attachment model. And we update the file attachment thumbnail
view to check for this boolean before displaying the attachment as reviewable.
- Ran unit tests.
- Tested uploading a PDF document as an unlicensed user, saw that I couldn't
review it. - Tested uploading an image file attachment as an unlicensed user, saw that
I could review it. - Did the same tests as a licensed user.
- Made sure you can't navigate to a review UI that you can't access using
the "previous" and "next" file attachment thumbnails.