-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
moderation: add self-action prevention #134
base: master
Are you sure you want to change the base?
Conversation
6d9d9d2
to
da26087
Compare
b169f51
to
f113927
Compare
After discussing with @slint and @zzacharo at different times, there are differing opinions on the approach: zzach View: Suggest a UI confirmation modal instead. My Position: I believe a permission-based approach is the most effective to prevent accidental self-harm actions. Looking forward to your thoughts to move forward. |
I would say that if the case of preventing a self action is a core requirement then acting on permission level is necessary. That said, from the UI point of view, as also @kpsherva said in our latest call, we need to ensure that such actions are blocked in the UI and/or use a confirmation modal. |
I think that's why we try to enforce this kind of things via permissions, since it's the closest we have to syncing backend + frontend without having to touch both. E.g. if the REST API serializes For the confirmation modals or having more user-friendly messages/popovers, it becomes difficult, since the frontend has to reason about "you can block this user, because it's you" vs. "you don't have permission to block this user". Again, I'm not sure if the Admin UI right now supports this style, but I also feel that if we want it to, doing it via permissions is the better path. |
f113927
to
1c0db76
Compare
37d80fb
to
b166e62
Compare
* The problem is that an admin could block his own account. With this change it is possible to prevent the admin from doing that. * Prevent self-action for: block, deactivate, restore, activate and approve. * Update tests for self-action prevention * introduce PreventSelf generator * introduce _check_manage_permissions in users service * add "PreventSelf" into "can_manage" permission
b166e62
to
80a1149
Compare
❤️ Thank you for your contribution!
Description
block
,deactivate
,restore
,activate
,impersonate
andapprove
._check_permission
in users servicecan_manage
andcan_impersonate
permissionChecklist
Ticks in all boxes and 🟢 on all GitHub actions status checks are required to merge:
Frontend
Reminder
By using GitHub, you have already agreed to the GitHub’s Terms of Service including that: