Content Admins can alter API data that should be locked. #15427
Comments
swirtSJW
added
Defect
swirtSJW
changed the title
|
Possible red herring, but: PW made changes on VA Benefits taxonomy last sprint to unlock the API ID & Name of VA Benefit taxonomy terms to Content Admins: https://github.com/department-of-veterans-affairs/va.gov-cms/pull/15273/files#diff-fc201850e713ee5608b348314dfe66fb5806403bc69671a8b52d07514f25a950 |
jilladams
added
VAMC
|
From planning: Not high priority for this sprint. Possible 5 pts to root cause this change in order to fix. |
|
Our hasAdminRole in va_gov_user/src/Service/UserPermsService.php checks is true for admin and content_admin. So maybe we're checking this in more places than we were before. |
Yah it has a bool to pass if you want it for TRUE Admin. |
|
The problem lies in here someplace https://github.com/department-of-veterans-affairs/va.gov-cms/compare/0bb3ec5..e7e4e61 |
|
edit: flawed test, that revert was on an older database so it looked like it fixed it but it was never broken. |
|
WEIRD. @chri5tia (and @dsasser ) FYI for awareness: On Facilities Vet Center content type, 2 API fields are now editable by Content Admins that were previously locked down. Steve git bisected and determined this was weirdly caused somehow by #14793 / #15069, the PR to hide Link Description Field in Footers. (NOT by our content admin / unlocking fields change on VA Benefits taxonomy.) Facilities did not prioritize this fix into current sprint, so it'll be a minute before we have a fix to review. |
|
@jilladams thanks for flagging us; very weird indeed. I can pick this up as a stretch item if Facilities is good with that. |
|
False alarm. THis was not code related at all. Michelle was granted superpowers which changed her view of the world |
|
I was tracking code changes through the various tugboat environments and was not looking for user changes during that same time frame. :( |
|
I am closing this ticket, but created another one for the backlog just to cover
|
|
For sanity and to confirm, I double-checked on prod and on my local in an updated state and this defect is not present. @omahane About The function is defined here: |
Describe the defect
Some time within the past 4 months, the behavior of external content has changed. It used to be locked for all users except admins, but now is unlocked for both admins and content_admins.
Used to look like this 4 months ago
Now looks like this
This makes it too easy for one of our ~20 users with All content section access AND Content Admin role to alter content that should not be altered. However, this is mitigated by the fact that the nightly migration can and will overwrite the changed data the next time the lighthouse record is changed. Also we can force the data across all of them with an "update migration" (forced migration)
To Reproduce
Steps to reproduce the behavior:
Screenshots
If applicable, add screenshots to help explain your problem.
Additional context
Add any other context about the problem here. Reach out to the Product Managers to determine if it should be escalated as critical (prevents users from accomplishing their work with no known workaround and needs to be addressed within 2 business days).
AC / Expected behavior
The text was updated successfully, but these errors were encountered: