[DRAFT][native] Introduce `persistMigrationForThreadAvatarPermission` to update thread permissions
AbandonedPublic
Actions

Authored by atul on Apr 19 2023, 10:21 PM.

Details

Reviewers

ashoat
ginsu

Summary

As part of introducing thread avatars, we added edit_thread_avatar and descendant_edit_thread_avatar permissions to role-creator.js. Roles and permissions for all threads on prod keyserver were updated to include these permissions via a recent updateRolesAndPermissionsForAllThreads migration.

If during a state check a client's threadStore is "out of sync" with the keyserver, the client will need to pull down ALL threadInfos from the keyserver. This isn't the end of the world and doesn't break anything, but it can degrade the user experience and is something we want to avoid.

The first step in doing that was filtering out certain permissions on the keyserver when computing threadInfos to be compared against those on the client. To handle this we introduced filterThreadPermissions in thread-utils to filter out *edit_thread_avatar permissions.

However, now that we want to "switch on" avatars for new clients we WILL want the keyserver to be including *edit_thread_avatar permissions in the threadInfos it computes. Because the client won't have the *edit_thread_avatar permissions persisted, there would be an inconsistency the first time the client connects to keyserver after updating the app to a codeVersion that supports avatars.

To handle this initial inconsistency, we want to introduce a migration that modified the client's persisted roles/permissions in the threadStore AFTER we update the client but BEFORE we establish connection with the keyserver.

We've done this twice in the past with edit-thread-permission-migration and manage-pins-permission-migration. I used those two migrations as a guide and tried to follow them as closely as possible.

Test Plan

I tested versions of this code as I was iterating and things seemed to work with my very new dev DB that has very few threads/thread types.

However, I haven't tested the current state of the diff at all. I'm putting it up as a DRAFT to try to surface any glaring issues as soon as possible, but I need to do more careful testing before this is ready.

Diff Detail

Repository

rCOMM Comm

Branch

master

Lint

No Lint Coverage

Unit

No Test Coverage

Event Timeline

atul created this revision.Apr 19 2023, 10:21 PM

Herald added a subscriber: tomek. · View Herald TranscriptApr 19 2023, 10:21 PM

Harbormaster completed remote builds in B18576: Diff 25452.Apr 19 2023, 10:39 PM

atul requested review of this revision.Apr 19 2023, 10:39 PM

atul added a subscriber: rohan.Apr 19 2023, 10:59 PM

atul added inline comments.

native/redux/edit-thread-avatar-permission-migration.js
14–20	From the previous `filterThreadPermissions` work I knew we were excluding `edit_thread_avatar` from `PERSONAL` and `PRIVATE` threads. I tried to read through `role-creators` to try to reason about which threadTypes should have `Members` permission blob that include `edit_thread_avatar` but found it a bit confusing. Instead, I figured the best bet was to just call the `getRolePermissionBlobs(...)` function in `role-creator` with every `threadType` and see which ones included `edit_thread_avatar`: Why not just move `getRolePermissionBlobs(...)` to `lib` and call it directly from this migration? I considered doing that, but `getRolePermissionBlobs(...)` will always have the role permissions blob for the CURRENT version of `keyserver`. Which means if someone has an old client (let's say hasn't been updated in a year) and only updates far into the future (let's say a year from now), `getRolePermissionBlobs(...)` could have changed drastically and this migration, and any others that may depend on it, could break. This `Set` is a "snapshot" of `getRolePermissionBlobs` that's needed for the client upgrade that supports avatars and the `edit_thread_avatar` permission.
30–36	My understanding is that the `edit_thread_avatar` "user" permission entry will be included for every member with role `Members` whether or not the permission is granted. My understanding is that the permission will have a `value` of `true` and `source` set to the `threadID` of the `threadInfo` it's within IFF the `Members` role for the threadType includes the `edit_thread_avatar` permission. My understanding is that it's not possible for `Members` to inherit permissions from ancestor threads they are descendants of... so if the current threadType does not grant `Members` `edit_thread_avatar` permission, the `value` will be `false` and the `source` `null`.
37–42	My understanding is that if a thread member does not have role name `Members`, then they are either an Admin or parent Admin (`role` is `null`). If they are admin of a parent thread it's possible (guaranteed?) that they implicitly have `edit_thread_avatar` permissions via a "higher" `descendant_edit_thread_avatar` permission, but it's difficult to ascertain the `source` threadID. What we're taking advantage of here is that `edit_thread_color` and `descendant_edit_thread_color` are included in the `Admins` permission blob for the same three threadTypes as `edit_thread_avatar` and `descendant_edit_thread_avatar`. That means that permissions will "cascade" down from threads the user is admin of in the same way. That means we can use `edit_thread_color` as a proxy for `edit_thread_avatar` when determining `value` and `source` of the permission entry.
56–65	There are three threadTypes where the `Admins` permissions include `edit_thread_avatar` and `descendant_edit_thread_avatar`: Those are also the only three threadTypes that have an `Admins` `ThreadRolePermissionsBlob` at all... so we can just add `edit_thread_avatar` and `descendant_edit_thread_avatar` to every `Admins` permissions blob that we have persisted.
native/redux/persist.js
508–559	This migration very closely matches the threadStore-related portions of @rohan's `manage-pins-permission` migration (which is migration 36 right above this one). I'm fairly confident in the correctness of this code vs. the code in `edit-thread-avatar-permission-migration` which I'm not so confident about.

atul attached a referenced file: F498065: b034ef.png. (Show Details)Apr 19 2023, 10:59 PM

atul attached a referenced file: F498058: 58a7a3.png. (Show Details)

Okay well as a starting point trying the migration with my already correct threadStore led to some inconsistencies...

I'll try to debug and get things correct ASAP tomorrow morning, but it's clear that it's def not landable as is.

While the changes in edit-thread-avatar-permission need to be revisited, the code in persist.js is solid (shoutout @rohan who wrote it).

Personally, since we know that the code in persist.js is reliable and well tested my preference would be to put up a diff that extracts the functionality out into a function similar to unshimClientDB in unship-utils.js that can be consumed by a later diff which handles recalculating permissions and roles. That way we could "lock in" the scaffolding and consume it later with the roles/permission recalculation code.

However, that function would be "dangling" (no callsites) until the role/permission recalculating code is ready. This forces us to include two complicated chunks of logic in the same diff which IMO blows up complexity for reviewer to handle in a single diff.

Not suggesting we do that, just a thought given discussion about putting up "dangling" functionality for review.

(Talked through that offline with @atul and we agreed the "dangling" stuff would be fine)

Requesting changes for a migration that takes no params and just recalculates all thread permissions from "first principles" based on role-creator.js that is extracted to lib

This revision now requires changes to proceed.Apr 21 2023, 6:04 AM

atul mentioned this in D7590: [native] Introduce `updateClientDBThreadStoreThreadInfos` utility.Apr 24 2023, 12:08 PM

atul mentioned this in rCOMMcd669a5a35e6: [native] Introduce `updateClientDBThreadStoreThreadInfos` utility.Apr 25 2023, 10:46 AM

Don't need this anymore, handled by other diffs