Valuator Group Permissions Problem #5366

coslajohn opened this issue Jan 19, 2024 · 0 comments
Budget valuators are not able to comment on or edit Valuation Investments when assigned as part of a Valuation Group.

Type: Bug

Current Behavior

When sending Budget Investments to valuators, the valuator is correctly presented with the list of investments to valuate.

When assigning Valuators individually this works correctly.

When assigning a Valuation Group, the list of investments is correctly displayed, but when the valuator tries to Edit or Comment on an investment a 404 Error is returned.
In this example none of those valuators are able to comment on the valuation even though they are members of the Valuation Group.

Expected Behavior

Someone who is a member of a valuation group should be able to edit/comment on a budget investment assigned to them for valuation.

Solution

I think the problem lies in the budget_investments_controller.rb file. The method restrict_access_to_assigned_items tests for an administrator or a valuator assignment but doesn't seem to cope with someone who is a member of a valuator group but not individually assigned as a valuator.

def restrict_access_to_assigned_items
  return if current_user.administrator? ||
            Budget::ValuatorAssignment.exists?(investment_id: params[:id],
                                               valuator_id: current_user.valuator.id)

  raise ActionController::RoutingError, "Not Found"
end

I have coded a workaround which tests to see if the current user is a member of an assigned valuation group. This seems to work for me, but I am not a coder (and especially not a Rails coder) so I have no idea if this is the correct way to do things, or if this is masking an unresolved issue elsewhere.

def restrict_access_to_assigned_items
  return if current_user.administrator? ||
            Budget::ValuatorAssignment.exists?(investment_id: params[:id],
                                               valuator_id: current_user.valuator.id)

  # Find the valuator group assignment for the investment
  valuator_group_assignment = Budget::ValuatorGroupAssignment.find_by(investment_id: params[:id])

  # Check if the valuator group assignment exists
  if valuator_group_assignment.present?
    vg_id = valuator_group_assignment.valuator_group_id

    # Find all valuators in the Valuator Group
    valuators_in_group = Valuator.where(valuator_group_id: vg_id)

    # Check if the current user is among the valuators in the group
    return if valuators_in_group.exists?(user_id: current_user.id)
  else
    # If no specific assignment, check if the user belongs to any valuator group for the investment
    valuator_groups_for_investment = Budget::ValuatorGroupAssignment.where(investment_id: params[:id])
    user_valuator_groups = current_user.valuator.valuator_groups

    return if (user_valuator_groups & valuator_groups_for_investment.map(&:valuator_group)).present?
  end

  # Anyone not matched above is refused, as in the original method
  raise ActionController::RoutingError, "Not Found"
end
@javierm javierm added the Bug label Jan 19, 2024
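
An added example (not code from the issue or from the project): a plain-Ruby model of the access decision described above, allowing administrators, individually assigned valuators and members of an assigned valuator group, and refusing everyone else. It goes beyond the posted workaround by checking every group assigned to an investment and by handling a user with no valuator record. The structs, the store class and the sample data are constructed for illustration, and it assumes a valuator belongs to one group through valuator_group_id, as the workaround's query does.

```ruby
# Plain-Ruby model of the access check (no Rails needed).
# Every name and value here is constructed for illustration.
Valuator = Struct.new(:id, :user_id, :valuator_group_id)
User = Struct.new(:id, :admin, :valuator) do
  def administrator?
    admin
  end
end

class AssignmentStore
  def initialize(individual:, group:)
    @individual = individual # [[investment_id, valuator_id], ...]
    @group = group           # [[investment_id, valuator_group_id], ...]
  end

  def assigned_individually?(investment_id, valuator)
    @individual.include?([investment_id, valuator.id])
  end

  # Matches against every group assigned to the investment, not only the first.
  def assigned_via_group?(investment_id, valuator)
    return false if valuator.valuator_group_id.nil?

    @group.include?([investment_id, valuator.valuator_group_id])
  end
end

# Returns true when the user may edit or comment on the valuation.
# Denies by default; a user without a valuator record is refused cleanly.
def can_valuate?(user, investment_id, store)
  return true if user.administrator?

  valuator = user.valuator
  return false if valuator.nil?

  store.assigned_individually?(investment_id, valuator) ||
    store.assigned_via_group?(investment_id, valuator)
end

# Constructed sample data: investment 2 is assigned to groups 100 and 101.
STORE = AssignmentStore.new(individual: [[1, 10]],
                            group: [[2, 100], [2, 101], [3, 102]])
ADMIN      = User.new(1, true, nil)
INDIVIDUAL = User.new(2, false, Valuator.new(10, 2, nil))
GROUP_A    = User.new(3, false, Valuator.new(11, 3, 100))
GROUP_B    = User.new(4, false, Valuator.new(12, 4, 101))
OUTSIDER   = User.new(5, false, Valuator.new(13, 5, 102))
NO_PROFILE = User.new(6, false, nil)
```

In the controller, a false result corresponds to the existing `raise ActionController::RoutingError, "Not Found"`.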