CCE user with view only rights can make edit

Description

As the user DIVO1 who only has "View Cold Chain Equipment Inventory" right, I can select View in the CCE Inventory and click the Edit button to make edits. Since I do not have the "Edit Cold Chain Equipment Inventory" right, I should NOT be able to edit.

This is a bug caused in the UI.

Acceptance Criteria

  • (A) Users who do not have the "Edit Cold Chain Equipment Inventory" right cannot see the Edit button from the View CCE details modal. The Edit button is hidden.

  • (B) Users who do not have the "Edit Cold Chain Equipment Inventory" right cannot see the "Add Equipment" button on the CCE Inventory page. The add button is hidden.

  • (C) Users who do not have the "Edit Cold Chain Equipment Inventory" right cannot update the function status of an inventory item from the CCE Inventory list page.

    • The user can open a modal with the inventory item

    • Later tickets will address changing the icon in the inventory item list, as it should be stateful, but that is too much work to consider in the scope of this ticket

Environment

test.openlmis.org

Activity

Joanna Bebak
November 21, 2017, 9:36 AM

I tested the ticket, and everything works correctly.

Joanna Bebak
November 20, 2017, 10:17 AM

The testing of the ticket is currently blocked because when one chooses "CCE Inventory" from the menu as either of the users with the use of which one should perform the test (divo1, divo2, vsrmanager1 and vsrmanager2), the following error message occurs:

and the CCE Inventory is not visible. is currently working on the solution of this problem.

Nick Reid
November 15, 2017, 9:06 PM
Edited

I've updated the A/C for this ticket to reflect the discussion on Slack where we decided to simplify the design to make working around problems with the AuthorizationService.hasRight() method (which can be incorrect) for reasons mentioned in OLMIS-3598.

Here is some guidance for implementing these changes (and I'm referencing the AC)

AC: A This should be possible by moving hasRightToEdit function into the routes.resolve function, which would look something like this:

AC: B I'd still use the AuthorizationService.hasRight method for a generic check for now. Eventually we should do a generic right test against the PermissionService, but I don't see a reason to do that now.

AC: C Use a solution like AC: A to change the update status modal. If there is an opportunity to keep the code DRY, please do it – but if it doesn't seem obvious, don't worry about it for now.

ATTN:
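
A sketch of the resolve-based check described in AC: A and AC: C above, added here as an example; it is not code from the ticket or from the OpenLMIS code base. The permission service, right names, user ids and data are constructed stand-ins, and plain promises stand in for the AngularJS state resolve.

```javascript
// Added example. Right names, user ids and permission data are constructed.
const EDIT_RIGHT = 'CCE_INVENTORY_EDIT';
const VIEW_RIGHT = 'CCE_INVENTORY_VIEW';
const SAMPLE_PERMISSIONS = {
  divo1: [{ right: VIEW_RIGHT, programId: 'P1', facilityId: 'F1' }],
  editor1: [
    { right: VIEW_RIGHT, programId: 'P1', facilityId: 'F1' },
    { right: EDIT_RIGHT, programId: 'P1', facilityId: 'F1' }
  ]
};

// Hypothetical stand-in for an asynchronous permission lookup: the promise
// resolves when the user holds the right for that program and facility.
function makePermissionService(permissionsByUser) {
  return {
    hasPermission(userId, wanted) {
      const held = permissionsByUser[userId];
      if (!held) return Promise.reject(new Error('permissions unavailable'));
      const ok = held.some(p => p.right === wanted.right &&
        p.programId === wanted.programId && p.facilityId === wanted.facilityId);
      return ok ? Promise.resolve() : Promise.reject(new Error('missing right'));
    }
  };
}

// What the state's resolve entry would return: a boolean settled before the
// modal controller runs. Any rejection (missing right, failed lookup) is false.
function resolveCanEdit(permissionService, userId, item) {
  return permissionService.hasPermission(userId, {
    right: EDIT_RIGHT, programId: item.programId, facilityId: item.facilityId
  }).then(() => true, () => false);
}

// Controller stand-in: the view model is built from resolved values only,
// so one flag drives the Edit button (A) and the status update control (C).
function buildDetailsViewModel(item, canEdit) {
  const allowed = canEdit === true;
  return { item, showEditButton: allowed, showStatusUpdate: allowed };
}

async function openDetails(permissionService, userId, item) {
  const canEdit = await resolveCanEdit(permissionService, userId, item);
  return buildDetailsViewModel(item, canEdit);
}
```

The flag only controls which controls are rendered; whether an update sent by a user without the right is rejected is decided by the server, which this example does not cover.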

Nikodem Graczewski
November 15, 2017, 8:39 AM

Good catch, thanks!

Nick Reid
November 15, 2017, 12:02 AM

How is this ticket 'blocked' and in QA // please move back to "in progress" if that is the correct place


Assignee

Klaudia Pałkowska

Reporter

Sam Im

Labels