AO3-6004 show hidden bookmarks on a bookmarkable to admins #4758
Conversation
| @@ -61,7 +61,9 @@ def search | |||
| def index | |||
| if @bookmarkable | |||
| access_denied unless is_admin? || @bookmarkable.visible? | |||
| @bookmarks = @bookmarkable.bookmarks.is_public.paginate(page: params[:page], per_page: ArchiveConfig.ITEMS_PER_PAGE) | |||
| @bookmarks = @bookmarkable.bookmarks.is_public | |||
| @bookmarks += @bookmarkable.bookmarks.where(hidden_by_admin: true) if is_admin? | |||
There was a problem hiding this comment.
I think this is a bit weird how I'm doing it, but I didn't see another way to include bookmarks that have been hidden by admin and the public bookmarks.
Also should I add check for policy_and_abuse role?
There was a problem hiding this comment.
Just a quick drive-by comment, not a thorough review:
- Let's not check the admin role, since I'm pretty sure we don't currently check it for, e.g., accessing hidden works directly. But maybe we should changes this two instances of
is_admin?tologged_in_as_admin?-- this seems to be the only file where we useis_admin?and that's weird, imo. - I'm guessing the problem with simply removing the
is_publicscope is you get private bookmarks as well as those hidden by admin? Would changing it to thenot_privatescope fix that? If not, I'd suggest defining a new scope in the bookmark model that will get public bookmarks, regardless of whether they're hidden by admin.
There was a problem hiding this comment.
- I updated those
is_admin?references to belogged_in_as_admin? - On a work's bookmarks page, users should only see public bookmarks, unless you're an admin, then they'll want to see public and hidden, right? Or should admins also be able to see private bookmarks on a work? Also, my changes here appear to work in that non-admins can only see public bookmarks and admins can see public and hidden; do you still think we should create a new scope? It's possible I'm misunderstanding the ask
Thank you!
There was a problem hiding this comment.
On a work's bookmarks page, users should only see public bookmarks, unless you're an admin, then they'll want to see public and hidden, right?
Yes and the current code does that. The suggestion is just about making the code a bit cleaner.
The way I understand sarken's suggestion is to use the not_private scope instead of is_public, since it gets the public bookmarks regardless of the hidden_by_admin status. Then filter out the hidden bookmarks depending on logged_in_as_admin?. That way, there aren't two queries that deal with hidden_by_admin (the is_public scope and the extra query with the where added in this PR), but only the one query (not_private and conditional where for hidden_by_admin on the returned relation).
| @@ -82,6 +82,7 @@ Feature: Admin Actions for Works, Comments, Series, Bookmarks | |||
| When I follow "Hide Bookmark" | |||
| And all indexing jobs have been run | |||
| Then I should see "Item has been hidden." | |||
| And I should see "Make Bookmark Visible" | |||
There was a problem hiding this comment.
Should I add another check to follow this and confirm visible from regular user end?
There was a problem hiding this comment.
A regular user should not be able to see a hidden bookmark. But it would be nice to have a check that an admin can see the text of the hidden bookmark.
There was a problem hiding this comment.
Would you like me to write a test to make sure that a regular user cannot see a hidden bookmark?
I added a check for admins to see the text
There was a problem hiding this comment.
The test already checks that regular_user cannot see the hidden bookmark, so there is no need to add another test.
Pull Request Checklist
as the first thing in your pull request title (e.g.
AO3-1234 Fix thing)until they are reviewed and merged before creating new pull requests.
Issue
https://otwarchive.atlassian.net/browse/AO3-6004
Purpose
Allows admins to show hidden bookmarks on a bookmarkable
Testing Instructions
Credit
Brandon W (he/him/they/them)