5
11
Fork
You've already forked tomato
1

Volunteers should not be able to see/edit admin shift pages #62

Merged
edwardloveall merged 1 commit from el-perms into main 2025年12月10日 22:18:12 +01:00

We were sharing a policy for events between org admins and volunteers.
This allowed volunteers to see or event edit events. They would have go
know or guess the url, but it's not that unlikely for an admin to send
a screenshot or share their screen over a video call.

This splits the event scopes into two: one for admins, and one for
organization users (admins and volunteers). The volunteer one still
contains permissions for admins because admins can be assigned to
shifts.

We were sharing a policy for events between org admins and volunteers. This allowed volunteers to see or event edit events. They would have go know or guess the url, but it's not that unlikely for an admin to send a screenshot or share their screen over a video call. This splits the event scopes into two: one for admins, and one for organization users (admins and volunteers). The volunteer one still contains permissions for admins because admins can be assigned to shifts.
edwardloveall force-pushed el-perms from 0da908f3d6
Some checks failed
Setup Successful
Jest Successful
RSpec Failed
Static Analysis Failed
to 6588151bc4
All checks were successful
Setup Successful
Jest Successful
RSpec Successful
Static Analysis Successful
2025年12月10日 21:18:30 +01:00
Compare
@ -18,4 +14,1 @@
private
def authorize_resources
authorize @occurrence.event if @occurrence
First-time contributor
Copy link

Should this be authorize [:admin, @occurrence.event] to match the other controller? Or is this the spot that still allows users and admins to have the same permissions?

Should this be `authorize [:admin, @occurrence.event]` to match the other controller? Or is this the spot that still allows users and admins to have the same permissions?
Author
Owner
Copy link

Yeah, the API is what volunteers (and potentially admins) are using on the frontend.

Yeah, the API is what volunteers (and potentially admins) are using on the frontend.
Author
Owner
Copy link

Tests are flaky and pass locally.

Tests are flaky and pass locally.
Sign in to join this conversation.
No reviewers
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
rootable/tomato!62
Reference in a new issue
rootable/tomato
No description provided.
Delete branch "el-perms"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?