Move API user permission management to design system #2599
Merged
Commits on Jan 9, 2024
-
Improve Manage API Users integration test
The comment in the `assert_has_signin_permission_for` method was incorrect. The presence of an application in the "Permissions" list is determined by `UserPermissionsControllerMethods#visible_applications`, which uses `User#authorisations` and not `User#application_permissions`. I've renamed the original method to better describe its behaviour, and I've added a new method to test that the user has the signin permission for the app. Unfortunately there's no way in the user interface to know whether an API User has the signin permission for an app so we have to rely on `User#has_access_to?`.
-
Improve test coverage of ApiUsersController#visible_applications
In preparation for refactoring this method. I realised that was no coverage around revoked access tokens.
-
Refactor User#authorised_applications to use has_many
Previously this method was returning an array of unique applications using Ruby's `group_by`. It's more idiomatic, and will allow us to chain on additional ActiveRecord query methods if we convert it to a has_many instead. This method was only being used via its alias `:applications_used` so we've changed the call site to use `:authorised_applications` instead (which we think is clearer). Co-authored-by: Chris Roos <chris.roos@gofreerange.com>
-
Use User#authorised_applications in visible_applications
This both simplifies, and reduces the number of queries in (from 2 to 1), the `#visible_applications` method. It was made possible by our change to `User#authorised_applications` which converted it from a method to a `has_many`. Co-authored-by: Chris Lowis <chris.lowis@gofreerange.com>
-
Add ApiUsers::ApplicationsController#index
This page will allow a superadmin to see which applications an API user has access to and eventually edit their permissions. We've based the view on `/users/applications/index.html.erb` but as managing access to applications is handled on the "manage tokens" page we do not need to show applications the user does not have access to here. Note it is possible for api users to have access tokens for applications that are not "api only" (e.g in production the "Content Publisher" api user has a token for "Whitehall") so we do not filter out applications based on their `api_only` field. Co-authored-by: Chris Roos <chris.roos@gofreerange.com>
-
Exclude revoked access tokens when listing API Users' apps
To replicate the behaviour of the existing `/manage_permissions` page, which uses `UserPermissionsControllerMethods#visible_applications?` to determine which applications to list.
-
Add ApiUsers::PermissionsController#edit/update
We've copied the controller, template and test files from their user counterparts and modified as necessary. We've decided to add this duplication for now but will see whether we can reduce/remove it later. Note that we're using `UserUpdate` in this new controller, where we were using `User#update` in `ApiUsersController#update`[1]. Using `UserUpdate` has the following advantages: - consistency with the other controllers that modify a user's permissions (account/permissions_controller and users/permissions_controller). - record an `EventLog` about the update - record an `EventLog` about the permissions that have been added/removed [1]: https://github.com/alphagov/signon/blob/089516afdc0311525769d89c81bc837db4b16a2d/app/controllers/api_users_controller.rb#L42C25-L42C51 Co-authored-by: Chris Roos <chris.roos@gofreerange.com>
-
Exclude revoked access tokens in api_users/permissions
To mirror the behaviour in `ApiUsersController#manage_permissions`, which uses `ApiUsersController#visible_applications` to obtain the applications that can be managed.
-
Display flash notice when permissions updated for API users
We've copied the template change from views/users/applications/index.html.erb We've added a test to assert that a flash message is displayed but haven't tested the content of the message because that's being unit-tested in application_permissions_helper_test.rb. Co-authored-by: Chris Lowis <chris.lowis@gofreerange.com>
-
Link to permissions from API Users' applications
Copied the template changes and tests from users/applications.
-
Link to new api_users/<id>/applications
I will remove the manage_permissions route in a later commit.
-
Remove api_users/<id>/manage_permissions
Permissions are now managed using the /api_users/<id>/applications page.
-
Display permission flash notice in custom_alerts container
So that these flash messages appear above the page title instead of between the page title and page body. This is consistent with the manage_tokens.html.erb template. Co-authored-by: Chris Lowis <chris.lowis@gofreerange.com>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.