Page MenuHomePhabricator
Differential D13075

[keyserver] Prevent updateRoles from resetting user-surfaced permissions
ClosedPublic
Actions

Authored by ashoat on Aug 13 2024, 12:52 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Nov 8, 11:06 PM
Unknown Object (File)
Fri, Nov 8, 12:23 PM
Unknown Object (File)
Sat, Oct 19, 2:33 PM
Unknown Object (File)
Sat, Oct 19, 2:32 PM
Unknown Object (File)
Sat, Oct 19, 2:31 PM
Unknown Object (File)
Sep 29 2024, 1:31 PM
Unknown Object (File)
Sep 29 2024, 1:26 PM
Unknown Object (File)
Sep 29 2024, 1:22 PM
View All 73 Files
Subscribers
None

Details

Reviewers
tomek
inka
Commits
rCOMMb9cada1ad34e: [keyserver] Prevent updateRoles from resetting user-surfaced permissions
Summary

This resolves ENG-9031.

updateRoles currently resets user-surfaced permissions to the default. This diff instead attempts to reconstruct the set of user-surfaced permissions based on the current role permissions, and then reapply then when generating the updated permissions.

Depends on D13074

Test Plan

I tested this in combination with the next diff, where we add a updateRolesAndPermissionsForAllThreads migration:

  • Create a community
  • Update Members permission to include managing tags
  • Run the migration
  • Confirm that the managing tags permissions is still present

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

ashoat created this revision.Aug 13 2024, 12:52 PM
ashoat added a child revision: D13076: [keyserver] Regenerate permissions for all threads.
Harbormaster completed remote builds in B31084: Diff 43370.Aug 13 2024, 1:15 PM
ashoat requested review of this revision.Aug 13 2024, 1:15 PM
tomek accepted this revision.Aug 14 2024, 9:08 AM
tomek added inline comments.
keyserver/src/updaters/role-updaters.js
51–58 ↗(On Diff #43370)

I'm not sure if I understand this correctly, but it looks like defaultRolePermissions.Members would override what we have in currentRole.permissions. Wouldn't that mean that we override permissions that a user set?

131–142 ↗(On Diff #43370)

I know this is based on the existing code, but it looks quite dangerous from the consistency point of view. Ideally, all the updates in this function should be one transaction, but at least we can first update the memberships and then delete the role. The current approach would leave some members with nonexistent roles, if the delete succeeds and update fails.

This revision is now accepted and ready to land.Aug 14 2024, 9:08 AM
ashoat added inline comments.Aug 14 2024, 9:45 AM
keyserver/src/updaters/role-updaters.js
51–58 ↗(On Diff #43370)

Yes. User-surfaced permissions are represented internally by roles specified at the community root level, and they don't affect the role permissions for any other threads. As such, role permissions for non-root thread types should always be reset to the default.

131–142 ↗(On Diff #43370)

Good point – I'll make sure we update the memberships first

ashoat updated this revision to Diff 43394.Aug 14 2024, 9:46 AM

Perform updateMembershipsQuery before deleteQuery

This revision was landed with ongoing or failed builds.Aug 14 2024, 9:50 AM
Closed by commit rCOMMb9cada1ad34e: [keyserver] Prevent updateRoles from resetting user-surfaced permissions (authored by ashoat). · Explain Why
This revision was automatically updated to reflect the committed changes.
ashoat added a commit: rCOMMb9cada1ad34e: [keyserver] Prevent updateRoles from resetting user-surfaced permissions.
Harbormaster completed remote builds in B31108: Diff 43394.Aug 14 2024, 10:03 AM

Revision Contents
Changeset List

PathSize
keyserver/
src/
updaters/
158 lines

Diff 43400

View Options

keyserver/src/updaters/role-updaters.js

Loading...