Yashwanth_Backend_for_permission_log_table #1149
Conversation
yashwanth170
added
the
High Priority - Please Review First
src/routes/userProfileRouter.js
Outdated
| @@ -116,6 +117,10 @@ const routes = function (userProfile, project) { | |||
|
|
|||
| userProfileRouter.route('/userProfile/teamCode/list').get(controller.getAllTeamCode); | |||
|
|
|||
| userProfileRouter.post('/logPermissionChanges', logUserPermissionController.logPermissionChanges); | |||
There was a problem hiding this comment.
| userProfileRouter.post('/logPermissionChanges', logUserPermissionController.logPermissionChanges); |
You shouldn't be able to edit history without making the edits. Instead, call logPermissionChanges from wherever the permissions are changed (putUserProfile() I think?). That unites both API calls into one and can guarantee that the updates are atomic.
Uniting the API calls makes it so devs testing with Postman don't have to make multiple API calls to make the history accurate and ensures that they can't make API calls to give false update history. You currently don't check for requestor permissions in logPermissionChanges, so anyone could add false information with this API using something like Postman.
| existingPermissions, | ||
| addedPermissions, | ||
| removedPermissions, |
There was a problem hiding this comment.
I would avoid doing the added/removed/existing permission logic on the frontend. Only requesting newPermissions from the frontend should be enough to derive the info on the backend.
Can find 'existingPermissions'/'oldPermissions' from the DB to ensure the info is accurate.
addedPermissions = newPermissions.filter(x=> !oldPermissions.contains(x));
removedPermissions = oldPermissions.filter(x => !newPermissions.contains(x));
| const userProfile = await UserProfile.findOne({ _id: req.params.userId }).exec(); | ||
|
|
||
| if (userProfile) { | ||
| if (userProfile.role !== 'Owner') { | ||
| res.status(204).send([]); |
There was a problem hiding this comment.
Is this checking for permission to view the history? I think Admins might also want to see the history? not sure.
Could use await hasPermission(req.body.requestor, 'getPermissionHistory') or something (could use an existing permission or create a new one). There shouldn't be hardcoded references to specific roles if avoidable.
There was a problem hiding this comment.
I see that's just copied from getPermissionChangeLogs... I guess it is only Owners then. Would've been easier to find if this was modifying that file instead of creating a new file.
|
Thank you all, merging! |
Description
The permission change log table only logs changes made to role, so I have added additional features to log permission changes made to individual account. Now the table shows latest logs of changes made to both individual and role
Related PRS (if any):
This frontend PR is related to the ##2868 Frontend PR.
To test this backend PR you need to checkout the #2868 frontend PR.
…
Main changes explained:
…
How to test:
npm installand...to run this PR locallyScreenshots or videos of changes:
Note:
Test the updated implementation across different user types and let me know if I missed any expected conventions or if you have additional suggestions. I’ve also resolved an existing issue where submitting without adding or removing any permissions no longer logs duplicate entries for both role and user permissions.