[AN-149] Add ability to edit namespace permissions #5203
Conversation
| @@ -47,6 +47,19 @@ export const Methods = (signal?: AbortSignal) => ({ | |||
| return res.json(); | |||
| }, | |||
|
|
|||
| getNamespacePermissions: async (namespace: string): Promise<MethodConfigACL> => { | |||
There was a problem hiding this comment.
Just for me, could you clarify what a namespace is, and what the new name will be if there will be a change as part of the PR Adam is working on?
It looks to me like a namespace is the same thing as a workflow / modal but I think I am missing a critical nuance here sorry
There was a problem hiding this comment.
So it is similar to workspace namespace where one namespace can have many different workflows/methods inside a namespace. And similar to its workspace friend, a workflow/method namespace can have separate set of permissions (which are maintained in Agora and not Sam).
In the new world, its new name based on mockups is going to be collection.
There was a problem hiding this comment.
Ohhh, TIL that workspaces had namespaces 🫨
But the collection idea makes sense to me, thanks!
There was a problem hiding this comment.
LGTM! My understanding from reading the code change is that before, a user could only edit permissions for a snapshot, not the namespace, and so you refactored the permission provider and modal to be able to handle both?
I only have some minor clarifying requests but none should be a blocker for merging, thank you!
|
|
||
| type MethodsNamespaceAjaxNeeds = Pick<MethodsAjaxContract, 'getNamespacePermissions' | 'setNamespacePermissions'>; | ||
|
|
||
| const mockSnapshotAjax = () => { |
There was a problem hiding this comment.
Just curious as to why these two mocks have to be set up in a lightly different way? the mockNamespaceAjax seems a bit more straightforward?
There was a problem hiding this comment.
The Ajax calls inside the mockSnapshotAjax are inside a nested method object and hence they were harder to mock out. I had issue previously (in another PR) where I had difficulty mocking similar nested calls and hence I just did here what I had done there.
| @@ -47,6 +47,19 @@ export const Methods = (signal?: AbortSignal) => ({ | |||
| return res.json(); | |||
| }, | |||
|
|
|||
| getNamespacePermissions: async (namespace: string): Promise<MethodConfigACL> => { | |||
There was a problem hiding this comment.
Ohhh, TIL that workspaces had namespaces 🫨
But the collection idea makes sense to me, thanks!
| getPermissions: async ( | ||
| namespace: string, | ||
| _name?: string | undefined, | ||
| _snapshotId?: number | undefined, |
There was a problem hiding this comment.
The idea here is that a snapshotID would never be provided correct?
There was a problem hiding this comment.
Yes for namespace permissions editing, both name and snapshotId are not required. But since the PermissionsProvider is the same for both namespace and snapshot I need to have it here in the function parameters. As a result I have marked both name and snapshotId with _ which indicated that they are "purposefully not being used"
| export interface PermissionsProvider { | ||
| getPermissions: ( | ||
| namespace: string, | ||
| name?: string | undefined, |
There was a problem hiding this comment.
Is this the name of the namespace or the snapshot, or something else? It feels a bit ambiguous to me
There was a problem hiding this comment.
This is the name of the method. Namespace parameter itself is the name of the namespace
@LizBaldo yes that is correct. Hence the PermissionsProvider has parameters that handle for both editing namespace as well as snapshot permissions. |
|
|
||
| type MethodsNamespaceAjaxNeeds = Pick<MethodsAjaxContract, 'getNamespacePermissions' | 'setNamespacePermissions'>; | ||
|
|
||
| const mockSnapshotAjax = () => { |
There was a problem hiding this comment.
It might be possible to type the mocks and remove the typecasts here as was done in #5187
There was a problem hiding this comment.
Right. That is more for readability right? I don't have strong opinion either way. If you think its a good idea I can create a type for it.
There was a problem hiding this comment.
Yes, for readability and to help make sure your mocks are set up correctly I believe. Miguel would know more about the benefits.
src/pages/methods/WorkflowList.tsx
Outdated
| headerRenderer: () => <HeaderCell>Actions</HeaderCell>, | ||
| cellRenderer: ({ rowIndex }) => { | ||
| const { namespace, managers } = paginatedWorkflows[rowIndex]; | ||
| const isNamespaceOwner = _.includes(getTerraUser().email?.toLowerCase(), _.map(_.toLower, managers)); |
There was a problem hiding this comment.
This checks if the user is a method owner, not a namespace owner. I verified that if there is a method that I am not an owner of in a namespace that I am an owner of, Firecloud UI allows me to edit the namespace permissions from that method's row in the table, but this component does not.
There was a problem hiding this comment.
Huh that is interesting. I will take a look. Thanks!
There was a problem hiding this comment.
I see what happens in FC UI. It doesn't stop me from opening the permissions modal to edit namespace permissions even when I don't have permissions. And then in the modal when it realizes I don't have permission to edit it fails with below error
There was a problem hiding this comment.
I have updated this behavior to be similar to FC UI. So now the Edit namespace permissions in the Actions menu will always be enabled. But if the user doesn't have edit permissions they will be show an error message in the modal that they don't have permissions to edit the settings.
There was a problem hiding this comment.
For post-holidays:
We had a talk during standup and came to a conclusion that we might need to have a discussion on how we can make namespaces more useful. It seems that when User A gives User B 'Owner' permissions on a namespace, it essentially only allows User B to create new methods in that namespace. User B does not inherit the permission to read/edit any pre-existing methods that were created by User A in that namespace. Similarly any new methods created by User B is not visible to User A. Users can only read/edit methods of other users if they have permissions on a snapshot of that method.
Also, the 'Reader' role on namespace setting is unclear as User B doesn't even have read access to methods created by User A in that namespace.
| await user.click(screen.getByRole('button', { name: 'Edit namespace permissions' })); | ||
|
|
||
| // Assert | ||
| expect( |
There was a problem hiding this comment.
It wouldn't hurt to add something after this that checks that the workflow list actually uses the namespace permissions provider and not the snapshot one for its permissions modal.
There was a problem hiding this comment.
I am not sure what would that test prove? Because in the code we actually set it to namespace vs snapshot one right? And the check to ensure right methods were called I think is already covered in PermissionsModal and PermissionsProvider test
There was a problem hiding this comment.
Yeah, it would be more of a regression unit test. I suggested it because none of the WorkflowList tests make sure the right API call is ultimately made for this particular permissions modal, but we don't need it if you don't think it's necessary
|
There was a problem hiding this comment.
Approving given there will be a team decision on where to go with namespace permissions after the break, and the most important issue (not being able to edit namespace permissions from a method you don't own) has been addressed. Thanks for picking up where I left off with the Firecloud UI migration, we're so close!
Jira Ticket: https://broadworkbench.atlassian.net/browse/AN-149
Summary of changes:
What
Why
Testing strategy
Workflows List
Edit modal
Error message is shown when user doesn't have edit permissions
