Only admins of org could access to /petitions/manage #787

Merged: 2 commits merged on Mar 23, 2025

markets (Collaborator) commented Mar 23, 2025:

Closes #782

markets requested a review from Copilot March 23, 2025 16:11

Copilot AI left a comment:

Pull Request Overview

This pull request restricts access to the petitions management functionality so that only organization admins (or superadmins) can perform manage actions. Key changes include:

  • Addition of a manage? method in PetitionPolicy with admin authorization logic.
  • Updates to the petitions_controller to enforce authorization in the update and manage actions.
  • New test cases for admin versus non-admin access in petitions_controller_spec.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| app/policies/petition_policy.rb | Adds manage? and update? methods; potential bug in variable usage in manage? |
| spec/controllers/petitions_controller_spec.rb | Adds tests to check that only admins can access the manage action |
| app/controllers/petitions_controller.rb | Enforces authorization in update and manage actions |
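
The access rule this review describes (only an organization's admins, or a superadmin, may manage its petitions), as an added plain-Ruby example that is not the project's code or part of the review. The `User`, `Membership` and `Petition` structs, the `authorize!` helper, the per-organization membership check and `update?` reusing `manage?` are assumptions made for illustration.

```ruby
# Hypothetical plain-Ruby stand-ins for the app's models (constructed for this example).
User       = Struct.new(:name, :superadmin, :memberships, keyword_init: true)
Membership = Struct.new(:organization_id, :admin, keyword_init: true)
Petition   = Struct.new(:id, :organization_id, keyword_init: true)

class NotAuthorized < StandardError; end

# Policy object with one predicate per controller action; anything not allowed is denied.
class PetitionPolicy
  def initialize(user, petition)
    @user = user
    @petition = petition
  end

  def manage?
    return false if @user.nil?        # anonymous request
    return true if @user.superadmin   # superadmins pass in every organization
    # Admin rights count only in the petition's own organization.
    @user.memberships.any? do |m|
      m.admin && m.organization_id == @petition.organization_id
    end
  end

  # Assumption: update is held to the same rule as manage.
  def update?
    manage?
  end
end

# Controller-side check: raise before any state changes when the policy refuses.
def authorize!(user, petition, action)
  raise ArgumentError, "unknown action" unless %i[manage update].include?(action)
  allowed = PetitionPolicy.new(user, petition).public_send("#{action}?")
  raise NotAuthorized, "#{action} denied" unless allowed
  petition
end

# Constructed sample users: organization 10 owns the petition, organization 20 does not.
PETITION    = Petition.new(id: 1, organization_id: 10)
ORG_ADMIN   = User.new(name: "admin10", superadmin: false, memberships: [Membership.new(organization_id: 10, admin: true)])
OTHER_ADMIN = User.new(name: "admin20", superadmin: false, memberships: [Membership.new(organization_id: 20, admin: true)])
MEMBER      = User.new(name: "member10", superadmin: false, memberships: [Membership.new(organization_id: 10, admin: false)])
SUPERADMIN  = User.new(name: "root", superadmin: true, memberships: [])

def manage_decisions
  [ORG_ADMIN, OTHER_ADMIN, MEMBER, SUPERADMIN, nil].map { |u| PetitionPolicy.new(u, PETITION).manage? }
end
```

The cases worth covering in a controller spec are the denials: an admin of a different organization, a non-admin member of the same organization, and a request with no user.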

markets (Collaborator, Author) commented Mar 23, 2025:

@franpb14 @sseerrggii Going to merge this one too, already tested locally and by a new test case ✔️

Next: review all relevant changes we have in develop (Bootstrap and Rails upgrades and this one), in staging. But we need to fix the Docker build (#786) first.

markets merged commit c4699c6 into develop Mar 23, 2025
3 of 4 checks passed
markets deleted the manage_petitions_for_admins branch March 23, 2025 16:28