Skip to content

Consistently use Version.visible scope #21716

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
NobodysNightmare merged 1 commit into from
Jan 19, 2026
Merged

Consistently use Version.visible scope #21716

NobodysNightmare merged 1 commit into from
Jan 19, 2026
+42 −30

Conversation

@NobodysNightmare
Copy link
Contributor

@NobodysNightmare NobodysNightmare commented Jan 19, 2026
edited
Loading

Previously there was a separate permissions check for /api/v3/versions/:id. This check at least looked like it was inconsistent with the visible-scope.

Using the scope both for /api/v3/versions and /api/v3/versions/:id ensures that both will return results consistent with each other.

References

Discovered as a side-find while working on #21661

@NobodysNightmare NobodysNightmare requested review from a team and ulferts January 19, 2026 09:37
NobodysNightmare
NobodysNightmare commented Jan 19, 2026
View reviewed changes
spec/requests/api/v3/versions/project_resource_spec.rb
let(:portfolio) { create(:portfolio, public: false) }
let(:inaccessible_project) { create(:project, public: false) }
let(:version) { create(:version, project:, sharing: "system") }
let(:version) { create(:version, project:) }
Copy link
Contributor Author

@NobodysNightmare NobodysNightmare Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I find this surprising. Why would a spec that's designed to show that something might be inaccessibile define the tested version to use sharing: "system", which means that the version is shared system-wide?

Copy link
Contributor

@klaustopher klaustopher Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apparently because it was never checked in the API :)

Copy link
Contributor Author

@NobodysNightmare NobodysNightmare Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. That's what I am hoping for. The worse explanation is usually something like "it's intended, you just don't understand how/why".

But I agree, it probably just was never noticed.

@klaustopher
Copy link
Contributor

klaustopher commented Jan 19, 2026

The old and the new check is not really equivalent. The authorize_in_projects checks that the user either has the view_work_packagespermission OR the manage_versions permission. The check in the visible scope only checks for view_work_packages.

I'm not too sure if it makes sense to have a user with manage_versions permission but not view_work_packages, but maybe we should extend the visible check to also allow those with the manage_versions permission

@NobodysNightmare
Copy link
Contributor Author

NobodysNightmare commented Jan 19, 2026

The old and the new check is not really equivalent.

Thanks for the feedback. Yes this is true, though looking at the failing specs I didn't expect it to be so bad xD

I'm not too sure if it makes sense to have a user with manage_versions permission but not view_work_packages

Me neither, but on the other hand we allow for this in our permissions scheme 🤷 And at least one spec relied on it.

@NobodysNightmare NobodysNightmare force-pushed the visibility-consistency branch 2 times, most recently from 763be76 to 863e3c1 Compare January 19, 2026 12:52
@NobodysNightmare
Consistently use Version.visible scope
fa784d5 
Previously there was a separate permissions check for
/api/v3/versions/:id. This check at least looked like it was
inconsistent with the visible-scope.

Using the scope both for /api/v3/versions and /api/v3/versions/:id
ensures that both will return results consistent with each other.

As part of this change, the manage_versions permission was also added into
the Version.visible scope and the Version#visible? method, because it was missing so far
from those places.
@NobodysNightmare NobodysNightmare merged commit 585f2f8 into dev Jan 19, 2026
16 of 17 checks passed
@NobodysNightmare NobodysNightmare deleted the visibility-consistency branch January 19, 2026 14:56
@github-actions github-actions bot locked and limited conversation to collaborators Jan 19, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@klaustopher klaustopher klaustopher approved these changes

@ulferts ulferts Awaiting requested review from ulferts

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@NobodysNightmare @klaustopher