TODO

alphagov · Jul 11, 2024 · 98b9b2a · 98b9b2a
1 parent 5a16bc2
commit 98b9b2a
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 3 deletions.
diff --git a/app/policies/user_permission_manageable_application_policy.rb b/app/policies/user_permission_manageable_application_policy.rb
@@ -22,7 +22,7 @@ def resolve
       if current_user.govuk_admin?
         applications
       elsif current_user.publishing_manager?
-        applications.can_signin(current_user).with_signin_delegatable
+        applications.can_signin(current_user).with_signin_delegatable # applications.can_signin(current_user).with_delegatable_non_signin_permissions
       else
         applications.none
       end

diff --git a/docs/access_and_permissions.md b/docs/access_and_permissions.md
@@ -96,6 +96,8 @@ These dependencies determine whether a user can:
 - access the page
 - manage (non-`signin`) permissions
 
+- [ ] TODO: filter the permissions by delegatable for publishing managers
+
 ```mermaid
 flowchart TD
     A(Account::PermissionsController#edit) --authorize [:account, @application], :edit_permissions?--> B(Account::ApplicationPolicy#edit_permissions?)
@@ -109,6 +111,8 @@ These dependencies determine whether a user can:
 - complete the controller action
 - update certain permissions
 
+- [ ] TODO: update which permissions publishing managers can update
+
 ```mermaid
 flowchart TD
     A(Account::PermissionsController#update) --authorize [:account, @application], :edit_permissions?--> B(Account::ApplicationPolicy#edit_permissions?)

diff --git a/lib/supported_permission_parameter_filter.rb b/lib/supported_permission_parameter_filter.rb
@@ -1,3 +1,4 @@
+# this will filter out any unauthorised permissions updates - have a look at the logic for which permissions a user is authorised to update
 class SupportedPermissionParameterFilter
   attr_reader :current_user, :user, :param_set
 
@@ -13,9 +14,9 @@ def filtered_supported_permission_ids
     allowed_to_be_removed = authorised_supported_permission_ids - attempting_to_set_supported_permission_ids
     # any permissions in "attempting_to_add" should be added if they're in the
     # set we're allowed to manipulate
-    allowed_to_be_added = attempting_to_set_supported_permission_ids & authorised_supported_permission_ids
+    allowed_to_be_added = attempting_to_set_supported_permission_ids & authorised_supported_permission_ids # bitwise operators
 
-    (existing_supported_permission_ids - allowed_to_be_removed) | allowed_to_be_added
+    (existing_supported_permission_ids - allowed_to_be_removed) | allowed_to_be_added # bitwise operators
   end
 
 private