Update policies and tests to handle button normalization

[maebeale]

• This work Closes [link an issue]

What is the goal of this PR and why is this important?

Improve UX and change policy defaults

• Update all form buttons to use the same code, and change tests to expect the new en.yml text
• Change ApplicationPolicy to default everything to admin?
• Add policies for the other models that have forms so allowed_to? will find the right policy
• Rename public -> publicly_visible

How did you approach the change?

Anything else to add?

[maebeale]

this gives helper methods including allowed_to?, which we're now using on forms to determine if delete button should show

[jmilljr24]

Suggested change

include ActionPolicy::Controller

Shouldn't need this explicitly. allowed_to? was already working for me and the doc's say its included in ActionController::Base

Were you getting an error without it?

[maebeale]

oh interesting. yes, was getting an error.

[maebeale]

i just removed it and everything still worked. TY for catching this!

[maebeale]

tags need the grouped categories, not @category_types

[maebeale]

not using this endpoint anymore

[maebeale]

defaulting to the most secure first, and then greenlighting everything else in other policies.

this avoids mistakes in forgetting to set admin-only indexes to admin-only. this way we'll need to set not-admin-only to visible.

[jmilljr24]

Good idea.

Can you add index? to the alias_rule manage?. This keeps them all set to admin? in one place and follows the convention from the Action Policy docs.

  alias_rule :index?, :new?, :create?, :edit?, :update?, :destroy?, to: :manage?

[maebeale]

ooo. great idea! yup, will do that now.

[maebeale]

adding both index? and show?

[jmilljr24]

@maebeale might as well!

[maebeale]

same thing here -- defaulting to lockdown mode and we'll greenlight access in other policies

[maebeale]

trying to remove/minimize super_user from the code, as i'm sure we'll be moving to a different permissioning implementation once we have more roles.

[jmilljr24]

Do you think it makes more sense to have the user permission checked here as this this the authorization framework? The method in User model works but is that the best place?

The hope is that any check we make for an admin? is via action_policy not directly off current_user

I agree only one place for sure if we can help it.

[maebeale]

i like better using it here.

and removing all the places we say (...user.super_user or even ...user.admin) and instead use a policy.

[maebeale]

we don't have UI for non-admin banner show, but, technically we would be fine w users seeing it.

[maebeale]

users can only see their own bookmarks on their /personal page

[maebeale]

do we still need to do this if we're using scopes in policies?

[jmilljr24]

If we want to display the count of the results vs total. e.g. 5/20 we need the unfiltered number. If we want to keep it simple we could remove the total.

"Total" gets a bit messy. Total of all? total for the current user? Do we include hidden for admin?

[maebeale]

yeah, it is getting messy. i think we'd want to say total for the current user (or guest)?

[maebeale]

prepending published to all scopes for public_featured and publicly_visible

[maebeale]

added this class set to all form action sections

[maebeale]

don't need conditional text if using f.button :submit and en.yml

[maebeale]

explicitly checking destroy permission before displaying delete button

[maebeale]

some ' -> " changes throughout

[maebeale]

decided to offer an easter egg to change short_name from the UI

[maebeale]

not sure why there's begin and end tags in here...

[jmilljr24]

Something was broken for me when I was fixing the workshop promotion.

[maebeale]

so it can be removed now?

[jmilljr24]

Yes, just need to check for error's on the page and flow but that can be a separate issue.

[maebeale]

i'll leave it in there for you to remove when you're ready

[maebeale]

@jmilljr24 this doesn't seem broken when moved?

[jmilljr24]

In html you are not supposed to have a form nested within a form. It's hard to see on github where the main form ends so I can't tell exactly where you moved it.

[maebeale]

yeah, it is within it...

[maebeale]

i moved it back out

[maebeale]

this is where all the f.button :submit text will come from now

[maebeale]

adding publicly_visible to the two help-related tables too

[maebeale]

factories are always singularly named

[maebeale]

setting this to public false to start to make tests better match default state of the object

[maebeale]

added a TagPolicy, to referring to that now

[maebeale]

removing testing on specific css

[maebeale]

this text isn't on the page anymore

[maebeale]

chatgpt changes

[maebeale]

not readonly when new, since it's a required field

[jmilljr24]

If we want to display the count of the results vs total. e.g. 5/20 we need the unfiltered number. If we want to keep it simple we could remove the total.

"Total" gets a bit messy. Total of all? total for the current user? Do we include hidden for admin?

[jmilljr24]

Suggested change

include ActionPolicy::Controller

Shouldn't need this explicitly. allowed_to? was already working for me and the doc's say its included in ActionController::Base

Were you getting an error without it?

[jmilljr24]

Good idea.

Can you add index? to the alias_rule manage?. This keeps them all set to admin? in one place and follows the convention from the Action Policy docs.

  alias_rule :index?, :new?, :create?, :edit?, :update?, :destroy?, to: :manage?

[jmilljr24]

Do you think it makes more sense to have the user permission checked here as this this the authorization framework? The method in User model works but is that the best place?

The hope is that any check we make for an admin? is via action_policy not directly off current_user

I agree only one place for sure if we can help it.

[jmilljr24]

Something was broken for me when I was fixing the workshop promotion.

[jmilljr24]

In html you are not supposed to have a form nested within a form. It's hard to see on github where the main form ends so I can't tell exactly where you moved it.

[jmilljr24]

The only reason I had this at the top was because of the order displayed on the show page. Extra Field is the first thing displayed. We should ask what order they expect.

[maebeale]

i want to leave it at the bottom of the edit screen, and still display it at the top on show. then it's not their first instinct, AND, we still allow them to insert something above everything else?

[jmilljr24]

That make sense. There are workshops where they literally have pages worth of content all in "extra_field" which doesn't make sense.

As long as they know where the field will be displayed that make sense to have it as a secondary option.

[jmilljr24]

Thanks for cleaning this up. I wanted to get most of the similar scope into a concern but the inactive vs published on different models side tracked me and this is where I left off.

[maebeale]

i'm taking a second pass on all of these booleans and scopes and trying to normalize inactive/published

[jmilljr24]

Sorry I missed this.

To use the relation_scope in the policy you need to call authorized_scope(CommunityNews.all)

That will look in the Community News Policy for the relation_scope. authorized_scope allows other options like specifying which policy or a specific named scope withing a policy as well if you need it.