AO3-5742 Fix work_skin_allowed validation never running#5928
Conversation
sarken
left a comment
There was a problem hiding this comment.
A lot of nitpicking, but nothing really major!
| at_most: must not add up to more than %{count}. Your work has %{value} of these tags, so you must remove %{diff} of them. | ||
| blocked_gifts: "%{byline} does not accept gifts." | ||
| blocked_your_gifts: "%{byline} does not accept gifts from you." | ||
| work_skin_not_allowed: You do not have permission to use that custom work stylesheet. |
There was a problem hiding this comment.
Let's change this while we're here, since the current phrasing is not how we'd normally refer to work skins. Better text would be: "You do not have permission to use that work skin."
| unless self.users.include?(self.work_skin.author) || (self.work_skin.public? && self.work_skin.official?) | ||
| errors.add(:base, ts("You do not have permission to use that custom work stylesheet.")) | ||
| end | ||
| return if work_skin.blank? |
There was a problem hiding this comment.
Could we do return if work_skin.blank? || (work_skin.public? && work_skin.official?) here? I don't think there's any reason to we need to do pseuds_after_saving.filter_map(&:user).uniq if we know the work skin is public and official.
| end | ||
| return if work_skin.blank? | ||
|
|
||
| skin_users = pseuds_after_saving.filter_map(&:user).uniq |
There was a problem hiding this comment.
I can see where this name is coming from: it serves as a list of users whose skins we should be allowed to use.
However, I think something like work_users, approved_work_creators, or work_users_after_saving might be better -- something like return if approved_work_creators.include?(work_skin.author) feels clearer than return if skin_users.include?(work_skin.author)
| end | ||
| end | ||
|
|
||
| context "when the work skin is approved" do |
There was a problem hiding this comment.
is public and official might be clearer than approved, especially since the next thing is public but not official.
(Should we also have a test for skins that are official but not public? I'm not 100% sure, but I think it might unfortunately be possible to put a skin in that state...)
There was a problem hiding this comment.
Sounds good, I'm going to add test 👍
| let(:work) { build(:custom_work_skin, authors: [@second_author.pseuds.first], work_skin_id: @private_skin.id) } | ||
| it "cannot be used by another user" do | ||
| work.work_skin_allowed | ||
| it "is invalid when the skin author is a pending co-author" do |
There was a problem hiding this comment.
Could you change this to pending co-creator? Whenever possible in the code, we try to call people who make works "creators" instead of "authors" to be more inclusive of non-textual fanworks.
It would also be a good idea to add a test that confirms the work is valid when the skin author is an approved co-creator. (Users with the archivist role can add co-creators without waiting for approval from the co-creator.)
There was a problem hiding this comment.
Make sense, adding the extra test 👍
|
|
||
| it "is valid when used by the skin author" do | ||
| work = build(:work, authors: [skin_author.default_pseud], work_skin_id: skin.id) | ||
| work.valid? |
There was a problem hiding this comment.
Instead of calling work.valid? in these examples, could we do expect(work).to be_valid and expect(work).to be_invalid as appropriate?
|
|
||
| context "when the work skin is approved" do | ||
| it "is valid even when used by a different user" do | ||
| skin = create(:work_skin, author: skin_author, public: true, official: true) |
There was a problem hiding this comment.
I think create(:work_skin, :public) should work here.
There was a problem hiding this comment.
Make sense, thanks!
| let(:work) { build(:custom_work_skin, authors: [work_author.pseuds.first], work_skin_id: @private_skin.id) } | ||
| it "can be used by the work skin author" do | ||
| expect(work.save).to be_truthy | ||
| context "when the work skin is public but not official" do |
There was a problem hiding this comment.
It probably makes sense to include the same co-creator situations we cover for when the work skin is private here.
There was a problem hiding this comment.
Makes sense, adding the test.
Pull Request Checklist
AO3-1234 Fix thing)Issue
https://otwarchive.atlassian.net/browse/AO3-5742
Purpose
The
work_skin_allowedvalidation was declared withon: :save, which is not a standard Rails validation context. Rails only runs validations on:createand:updateby default, so this validation never executed. This allowed a user to apply another user's private work skin by manipulating the form's skin dropdown value via Inspect Element.This PR:
on: :saveoption so the validation runs on both create and updatepseuds_after_savinginstead ofself.usersto check skin ownership, so the validation works for both new (unsaved) and existing works. Only approved creatorships are considered, a pending co-author invitation does not grant access to that user's private skinscustom_work_skinfactory (hardcodedwork_skin_id: 1)Testing Instructions
Credit
Pablo Monfort (he/him)