[openSUSE/open-build-service] 09efb5: Move user update authorization to pundit policy
Branch: refs/heads/master
Home: https://github.com/openSUSE/open-build-service

Commit: 09efb5ba1ce88597a1759b1212147a0874127a49
https://github.com/openSUSE/open-build-service/commit/09efb5ba1ce88597a1759b...
Author: Lukas Krause <lkrause@suse.de>
Date: 2024-02-28 (Wed, 28 Feb 2024)

Changed paths:
M src/api/app/controllers/webui/users_controller.rb
M src/api/app/policies/webui/user_policy.rb

Log Message:
-----------
Move user update authorization to pundit policy

This moves the authorization of updating a user to pundit and separates the authorization logic for blocking users from commenting. The reasoning is that it got a little confusing.

The previous authorization condition in the case of submitting the form to block a user from commenting was checking for the presence of the `:blocked_for_commenting` parameter and that the user is a moderator. The problem is, you could potentially sneak in more parameters and the authorization would still be truthy and therefore update other user attributes.

To prevent this from happening we strictly should only toggle the `:blocked_from_commenting` column and ignore all other attributes.

Commit: b1a2fd84b4684fdeb9fd133ee500381775b948c3
https://github.com/openSUSE/open-build-service/commit/b1a2fd84b4684fdeb9fd13...
Author: Lukas Krause <lkrause@suse.de>
Date: 2024-02-28 (Wed, 28 Feb 2024)

Changed paths:
M src/api/spec/policies/webui/user_policy_spec.rb

Log Message:
-----------
Create specs for `#update?` and `#block_commenting?` user policies

Commit: 50e26375fef6bc68f84457185e95327160d2da7d
https://github.com/openSUSE/open-build-service/commit/50e26375fef6bc68f84457...
Author: Lukas Krause <lkrause@suse.de>
Date: 2024-02-28 (Wed, 28 Feb 2024)

Changed paths:
M src/api/app/controllers/webui/users_controller.rb

Log Message:
-----------
Remove redundant condition from users controller update

This is already checked in the pundit policy. No need to do this twice.

Commit: 860be2f472ec6848a7efb7d38b0b867f025aaef2
https://github.com/openSUSE/open-build-service/commit/860be2f472ec6848a7efb7...
Author: Lukas Krause <lkrause@suse.de>
Date: 2024-02-28 (Wed, 28 Feb 2024)

Changed paths:
M src/api/spec/controllers/webui/users_controller_spec.rb

Log Message:
-----------
Adapt users controller spec

Commit: 6312cd6c403790c5cebf49cc4bc64c4c452b511a
https://github.com/openSUSE/open-build-service/commit/6312cd6c403790c5cebf49...
Author: Lukas Krause <lkrause@suse.de>
Date: 2024-03-04 (Mon, 04 Mar 2024)

Changed paths:
M src/api/app/controllers/webui/users_controller.rb
M src/api/app/policies/webui/user_policy.rb
M src/api/spec/controllers/webui/users_controller_spec.rb
M src/api/spec/policies/webui/user_policy_spec.rb

Log Message:
-----------
Merge pull request #15702 from krauselukas/move_user_update_authorization_to_pundit

Move user update authorization to pundit

Compare: https://github.com/openSUSE/open-build-service/compare/3e7b666fddb0...6312cd...

To unsubscribe from these emails, change your notification settings at https://github.com/openSUSE/open-build-service/settings/notifications
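
Added example, not code from open-build-service: the authorization problem described in the first log message, reproduced in plain Ruby without Rails or Pundit, next to a version that separates the two policy questions. Only the `update?` / `block_commenting?` policy names and the `blocked_from_commenting` column come from the commits; the `User` struct, `PROFILE_ATTRS`, `update_before`, `update_after`, `demo` and the rules for who may edit a profile or block commenting are assumptions made for illustration.

```ruby
# Added illustration; every name and rule below is a hypothetical stand-in.
User = Struct.new(:login, :email, :moderator, :admin, :blocked_from_commenting,
                  keyword_init: true)
PROFILE_ATTRS = %i[email].freeze # assumed list of attributes a profile edit may set

# Before: a moderator passes authorization as soon as the blocking parameter is
# present, yet every submitted attribute is then written to the target user.
def update_before(actor, target, params)
  allowed = actor.admin || actor.equal?(target) ||
            (actor.moderator && params.key?(:blocked_from_commenting))
  return false unless allowed

  params.each { |key, value| target[key] = value }
  true
end

# After: two policy questions, and the moderator path writes exactly one column.
class UserPolicy
  def initialize(actor, target)
    @actor, @target = actor, target
  end

  def update?
    @actor.admin || @actor.equal?(@target) # assumed rule: admin or the user themself
  end

  def block_commenting?
    @actor.moderator # assumed rule
  end
end

def update_after(actor, target, params)
  policy = UserPolicy.new(actor, target)
  if policy.update?
    params.slice(*PROFILE_ATTRS).each { |key, value| target[key] = value }
  elsif policy.block_commenting? && params.key?(:blocked_from_commenting)
    target.blocked_from_commenting = (params[:blocked_from_commenting] == true)
  else
    return false
  end
  true
end

# Constructed request from a moderator: the blocking flag plus one extra attribute.
def demo(update)
  moderator = User.new(login: 'mod', moderator: true, admin: false)
  target = User.new(login: 'alice', email: 'alice@example.com', blocked_from_commenting: false)
  send(update, moderator, target, { blocked_from_commenting: true, email: 'changed@example.com' })
  [target.email, target.blocked_from_commenting]
end

p(demo(:update_before), demo(:update_after))
```

With the combined check the extra `email` value is written along with the flag; with the split policies only `blocked_from_commenting` changes.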