Add functionality for private review requests

Review Request #7727 — Created Oct. 23, 2015 and discarded — Latest diff uploaded


Review Board


Project Description
Today, review requests can be made private if they're filed against a private repository or invite-only review group. However, there's no way to make one private if you just want to assign it to specific people.

This project would allow a review request to be marked as private. Private review requests will only be visible to those who are on the reviewer list.

Only invite-only groups or individual users will be allowed as reviewers.

It should be possible to make a public review request private, but only if the reviewers list meets the above criteria, and no other reviews have been made. It should be possible to make a review request public at any point.

The API also needs to be updated to include a field representing whether the review request is private.

Pre 11/13/15
Update accessibility for private review requests

Fix issues raised in review request

Create a new field for private instead of using extra_data

Update _query for to filter private requests

Limit the permission to set a review request private to just the owner and super user

Fix error with setting private to F instead of T

Move new private field to BaseReviewRequestDetails model since it is used in both ReviewRequest and ReviewRequestDraft

Update database evolutions accordingly

Experiment with different ways to set the private field to true

Add PrivateField to reviews/

Clean up formatting caught by ReviewBot

Fix some typos and docstrings in review request model

Set Private button finally works!

Clean up some formatting

Create a new button for making a review request no longer private and write the handler for it

Make the existing button a little prettier

Remove debugging code

Fix issues raised in the last review request

Add very basic permissions for who can change the privacy status of a review request. This is done by hiding the set private button if the user is not a superuser or the submitter of the review request.

Add a basic check to see if the privacy status of the review request can be changed. The status cannot be changed if there are non-invite-only groups in the list of target review groups or if the user does not have the required editting permissions. If it cannot, the publish button gets greyed out. A warning is also logged to the console.

Tested the new check mentioned above.

Add a toggle for the privacy lock icon so there is only one button instead of two. Now unlock icon will be shown when the review request can be set unprivate, meaning that the review request is currently private. If a review request is not private, a lock icon will be shown instead, indicating that the review request can be set to private. These icons will only be shown if the user already has the necessary permissions.

Test the toggling for the new single button.

Allow review requests to be accessed by submitters and target people in the "All Review Requests" page. These were previously hidden due to the strictness of the private query.

Test set private
To test the "set private" button, I selected an existing review request and clicked the button to set it to private. I then opened an icognito window to check that the private review request did not show up under "All Review Requests".

Next I set a particular review request to private and then logged in to the user account that submitted the review request. Using that account, I was still able to access the review request.

I also tried to directly open a review request that was set to private by going directly to the URL in the incognito window and was greeted by a Permission Denied error. This validates the functionality.

Test unset private
To test the "unset private" button, I first set a review request to private. Then, verifying that it was correctly set to private, clicked the "unset private" button. I opened an incognito window to make sure the review request had once again appeared under "All Review Requests". I also logged into a user account to make sure a logged in user could also access the review request.

Test basic permissions for changing privacy status
I tested the basic permissions with three scenarios. First I logged in on a superuser account and was able to set any review request to private, regardless of the submitter. The change privacy button was not hidden in this case.

Next I logged in to a regular account and was able to change the privacy status of review requests that were submitted by that account. The change privacy button was hidden for review requests for which that account was not the submitter.

Finally I logged out and was unable to change the privacy status of any review requests. The privacy buttons were always hidden in this case.

Test set private when the review list contains non-invite-only review groups
I tested this by creating a review group that was not invite-only and adding the group to the reviewer list for a review request. I then tried to set the review request to private by clicking the "set private" button. When I did this, the "publish request" button was greyed out and an error was logged to the console.

Using an alternate review request, I added a review group that was invite-only and was able to properly set the review request to private. I then signed in on an account where a user was a member of that invite-only review group and was able to view the review request on that account. This indicates that the functionality is working as intended.

Test change privacy icon toggle
First I logged in on the superuser account to be able to change the privacy status of any review request. When selecting a particular review request, the single lock icon appeared, meaning that I could set the review request to private. I clicked the button and published the review request. After doing this, the lock icon turned into an unlock icon meaning that the review request was private and could be set to no longer private.