AO3-5506 Don't include hidden works in Readings #4781
Merged
+20
−2
Issue
https://otwarchive.atlassian.net/browse/AO3-5506
Purpose
Don't include hidden works in reading history
Require works to be visible to mark for later
Hide draft works and hidden by admin works from the reading history
Test for visibility of hidden by admin works in reading history
Testing Instructions
An automated test for hidden by admin works not being visible in the reading list is included. This may be tested manually by adding a work to a user's reading list, an admin hiding it, and then viewing the user's reading list and confirming its absence.
Accessing a URL for a draft work like http://localhost:3000/works/110/mark_for_later (manually replace 110 with the id of a draft work owned by another user) should now return the error "Sorry, you don't have permission to access the page you were trying to reach." This URL was never linked in the UI for draft works, but could be guessed and draft works could previously be added to the reading list.
I don't know how to test the fact that the reading list no longer shows draft works if they somehow get added to the reading list (the above .../mark_for_later action is now blocked), but they should no longer be visible in the reading list now.
Credit
@de3sw2aq1
Thanks @sarken for initial review of the security aspect of this issue and the pointer to visible_to_registered_user in Jira was helpful.
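
A minimal sketch of the two checks this PR describes (refusing mark_for_later on a work the user cannot see, and filtering the reading list again at display time), added here as an illustration and not taken from the PR or the otwarchive code base. The classes, method names and the visibility rule are assumptions, and the sample data is constructed.

```ruby
# Added illustration: Work, ReadingList and every method name here are
# hypothetical stand-ins, not otwarchive code.
class PermissionDenied < StandardError; end

Work = Struct.new(:id, :owner, :posted, :hidden_by_admin) do
  # Assumption: owners always see their own work; everyone else needs it
  # posted and not hidden by an admin.
  def visible_to?(user)
    user == owner || (posted && !hidden_by_admin)
  end
end

class ReadingList
  # existing_ids models rows already stored before the fix was deployed.
  def initialize(user, works_by_id, existing_ids = [])
    @user = user
    @works = works_by_id
    @marked = existing_ids.dup
  end

  # Write path: a guessed /works/:id/mark_for_later request must fail here.
  def mark_for_later(work_id)
    work = @works.fetch(work_id)
    raise PermissionDenied unless work.visible_to?(@user)
    @marked << work_id unless @marked.include?(work_id)
    true
  end

  # Read path: re-check at display time, since a work can be hidden after it
  # was marked, and older rows may predate the write-path check.
  def visible_ids
    @marked.select { |id| @works.fetch(id).visible_to?(@user) }
  end
end

# Constructed sample data: work 110 is another user's draft.
def reading_list_demo
  works = {
    1   => Work.new(1, "alice", true, false),
    110 => Work.new(110, "alice", false, false)
  }
  list = ReadingList.new("bob", works, [110]) # stale draft row
  list.mark_for_later(1)
  before_hide = list.visible_ids
  works[1].hidden_by_admin = true             # admin hides it afterwards
  denied = !(list.mark_for_later(110) rescue false)
  { before_hide: before_hide, after_hide: list.visible_ids, denied: denied }
end
```

The stale row for work 110 covers the case the description says is hard to test by hand: an entry that reached the list before the write-path check existed is still filtered out on read.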