Fix showAll toggle and relax saving constraints #2
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previous check already checks if the user is assigned to the project which should be good enough for our case.
|
lgtm |
|
Thank you for checking! |
|
deployed |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Two fixes:
Fix page decreasing when toggling the "show all" checkbox added previously
Relax saving constraints
So far making changes to other user's assignments was only possible with
allow_all_usersflag. This flag is not very safe though because anyone with an account could enumerate predictable data ids. Explicit list of people for each project is safer because each new user needs to be manually added.But on the other hand, we want to allow correcting other's work within a given project. For that we can relax the permission check slightly. Few lines above the removed part there's already a check whether the user is part of the project and this should be enough for our purposes.