Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix list of shares #1590

Merged
merged 2 commits into from
Nov 15, 2022
Merged

Fix list of shares #1590

merged 2 commits into from
Nov 15, 2022

Conversation

nagmat84
Copy link
Collaborator

This fixes the list of shares (from the left menu) for non-admin, authenticated users. As @kamil4 reported on Gitter at Nov 7th 2022 18:20 non-admin user receive a 403 Forbidden response. This is a regression due to #1519.

Before #1519 the request Sharing::list had unconditionally returned a list of all active shares for all users and all albums as well as a list of all existing albums and all users. The the frontend filtered the received list for the the album or user of interest. The frontend code was not only ugly as hell, but the whole approach had been inefficient. There is no reason to query and transmit everything only to throw way 97% on the frontend. Hence, #1519 introduced two query parameters albumID and userID to enable filtering on the backend.

However, I went one step further and thought it would clever to forbid unrestricted queries Share::list for non-admin users. This was fine when one used the dialog from the toolbar Sharing, but it did no occur to me that non-admin users can also open the page with all sharings from the left menu.

I also discovered related, lurking bug. Do you remember that @kamil4 once said that he doesn't like the attribute name user2 on a request? Here, this actually gave leeway to a trap. The request Sharing::list is one of the rare instances with actually three users being involved: the authenticated user who makes the request, the user who owns the album and the user with whom the album is shared.user2 was used for the last two, but surely they are different. I renamed them to owner and participant.

@nagmat84 nagmat84 added the bug Something isn't working label Nov 12, 2022
@nagmat84 nagmat84 requested a review from a team November 12, 2022 15:05
@nagmat84 nagmat84 mentioned this pull request Nov 12, 2022
Merged
ildyria
ildyria reviewed Nov 15, 2022
View reviewed changes
app/Actions/Sharing/ListShare.php
->select(['id', 'username'])
->where('id', '>', 0)
->orderBy('username', 'ASC')
// Existing users with whom an album can be shared optionally
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this filtering really useful ?

ildyria
ildyria approved these changes Nov 15, 2022
View reviewed changes
Copy link
Member

@ildyria ildyria left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not super convinced by some of the additional filtering.
Nevertheless if it fixes the bug then LGTM.

@ildyria ildyria merged commit b7e2b23 into master Nov 15, 2022
@ildyria ildyria deleted the fix_sharing branch November 15, 2022 13:49
@ildyria ildyria added this to the 4.6.3 milestone Nov 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ildyria ildyria ildyria approved these changes

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
4.6.3
Development

Successfully merging this pull request may close these issues.
2 participants
@nagmat84 @ildyria