Compliance Auth Group Fixes and Changes #246

Merged
merged 27 commits into from
Mar 26, 2024

@awf-dbca awf-dbca commented Mar 25, 2024

A number of fixes and adjustments to Compliance Management, mainly pertaining to allocated access groups.

Changes included*:

  • Re-enabling the allocated_group column for the SanctionOutcome model
  • Reviewing each stage of a number of object workflows and ensuring that all objects have an allocated_group value while they are open
  • Removing the organisation request link from the Compliance Management nav links
  • Ensuring that only users assigned to a given object can make changes to said object (except inspections, where a member of an inspection team can also make changes at the inspection's initial stage)
  • Fixing the assignment drop-down display and functionality so that users can assign themselves or others to a given object
  • Adding a dedicated inspection officer group, works the same as the officer group but specific to inspections (officers cannot change inspection details unless they are part of the inspection's inspection team)
  • Adding environment variables to control access among groups - by default all groups sharing the same group name (e.g. officer) will have their objects editable by users belonging to all of those groups regardless of region/district
  • A region lock env var is available so that only users in groups belonging to specified region/district can make changes to objects belonging to a given group
  • A super group env var is available for when the region lock is enabled but some groups (with no specified region/district) need to be able to alter objects belonging to groups with same name (in the case of where regions are specified, those groups can alter objects with that region regardless of district)
  • Fixed inspection team search/add/remove
  • Added server-side authentication to the related item functions
  • Added server-side validation for all workflow processes pertaining to Inspections, Offences, Sanction Outcomes, and Legal Cases

*Where referring to objects, referring to Inspections, Offences, Sanction Outcomes, and Legal Cases

The changes should allow for users to choose how group users are allowed to interact with objects with regards to their specified regions and districts. A number of issues that could lead to stale objects have also been fixed, as well as some minor security issues.

Note: regardless of auth options, officer and manager region and district groups must be specified to create and forward objects. For example, to create a legal case in the kimberley region, an officer kimberley region group must exist (it can be empty if region locks are disabled, however)
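
The group-scope rules described in the comment above, written out as an added example; it is not code from this pull request or the project. The flag names `region_lock` and `super_group`, the `Group` type, the sample groups and the rule that group names must match are assumptions made for illustration, and the separate "assigned user" check is not modelled.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Group:
    name: str                       # e.g. "officer" or "manager"
    region: Optional[str] = None    # None means no region specified
    district: Optional[str] = None  # None means no district specified


def group_covers(user_group: Group, allocated: Group,
                 region_lock: bool, super_group: bool) -> bool:
    """True if membership of user_group allows edits to objects held by allocated."""
    if user_group.name != allocated.name:
        return False  # assumption: only same-name groups are ever comparable
    if not region_lock:
        return True   # default: same name is enough, regardless of region/district
    if (user_group.region, user_group.district) == (allocated.region, allocated.district):
        return True   # region lock: exact region/district match
    if not super_group:
        return False
    if user_group.region is None and user_group.district is None:
        return True   # super group with no region/district: all same-name groups
    # Region-only super group: that region, regardless of district.
    return user_group.district is None and user_group.region == allocated.region


def can_edit(user_groups: Iterable[Group], allocated: Group, *,
             region_lock: bool = False, super_group: bool = False) -> bool:
    """Deny by default; allow if any of the user's groups covers the allocated group."""
    return any(group_covers(g, allocated, region_lock, super_group)
               for g in user_groups)


# Constructed sample groups (district and second region names are made up).
ALLOCATED = Group("officer", "kimberley", "district_a")
STATEWIDE = Group("officer")
KIMBERLEY = Group("officer", "kimberley")
PILBARA = Group("officer", "pilbara", "district_b")
MANAGER = Group("manager", "kimberley", "district_a")

if __name__ == "__main__":
    for label, grp in [("statewide", STATEWIDE), ("kimberley", KIMBERLEY),
                       ("pilbara", PILBARA), ("manager", MANAGER)]:
        print(label,
              can_edit([grp], ALLOCATED),
              can_edit([grp], ALLOCATED, region_lock=True),
              can_edit([grp], ALLOCATED, region_lock=True, super_group=True))
```

The printed columns are the decision with no flags, with the region lock only, and with the region lock plus super group, which makes it easy to see which memberships each setting removes or restores.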

…d_group to be reviewed (currently disabled and/or tied to offence allocated_group) and some allocated_group assignment functions may need review in terms of which assignment types are handled by which user group
…mail sent to parent offence allocated_group (temporary, pending review)
…eview still needed) and get_members (for CMS group model) function bug fixed (and function applied in place of deprecated members attr)
…ides assign to me when user is already assigned, displays the currently displayed user, and updates on change (implemented for only inspection currently)
…o objects (exception for open inspections, which inspection teams members can alter regardless)
…for other objects (WIP), added minimum auth to main views endpoints and internal auth check to create/delete weak link functions (anyone could do that until now)
…ROUP_REGION_DISTRICT_LOCK_ENABLED - former allows non-region/district specific group member to access all constituent group members, latter allows all group members to access group members with the same name
…er can be added/removed from any given inspection team
… for region/district upon inspection creation (same as all other objects with officer groups)
…nd obstructing add related items for objects object (artifacts)
…t on creation of offences, sanctions, and cases (while region lock is off)

@xzzy xzzy left a comment

Sensitivity Check Completed

@xzzy xzzy merged commit 36c41a7 into dbca-wa:master Mar 26, 2024
6 of 7 checks passed