All logged in users can see all Prompt Meme Claims

Description

A logged-in user who is neither a moderator nor the owner of a prompt meme can still view the "Unposted Claims" page at http://test.archiveofourown.org/collections/COLLECTION/claims (zoho ticket 4614 has a live example). This exposes who has claimed each prompt to any logged-in user: each prompt on the page is listed as

Request
by Anonymous claimed by FULFILLER_NAME

or

Request

by REQUESTER_NAME claimed by FULFILLER_NAME

If you are not the mod and you attempt to access this page, you should be redirected to the collection with the usual permission error ("Sorry, you don't have permission to access the page you were trying to reach.")

Note that users still need to be able to access their own claims in a collection at https://test.archiveofourown.org/collections/COLLECTION_NAME/claims?for_user=true; only the unfiltered list of everyone's claims should be restricted to maintainers.

Logged out users who try to access this page are redirected to the log in screen.

Testing instructions

Verify you can access the page for your own claims in a collection you are not a maintainer of.

Verify you can access the page for your own claims in a collection you are a maintainer of.

Verify you can access all the claims in a collection you are a maintainer of.

Verify that you are not allowed to access all the claims in a collection you are not a maintainer of. Note: the generic “not allowed” message we have for collections is different from the one given above: "Sorry, you're not allowed to do that." (A bit “I can’t do that, Dave.”)

Additional testing instructions

Delete a claim as a collection maintainer; check that you are redirected to the collection claims page, with a success message.

Delete one of your own claims as a non-maintainer; check that you are redirected to your claims page within the collection, with a success message.

Attempt to delete a claim that is not yours, without being a maintainer, by modifying the form HTML with browser tools or similar; check that you are redirected to the collection home page with an error message.
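The access rules the steps above exercise, written out as an added Ruby example (the Archive is a Rails app). This is not otwarchive's code: the `User`/`Collection`/`Claim` structs, the function names, the redirect-target symbols and the sample accounts are hypothetical, constructed for the example. It shows the three index outcomes (login required, own claims only, full list for maintainers) and the destroy check that rejects a tampered "Drop Claim" request by authorizing against the claim actually targeted rather than the form the user was shown.

```ruby
# Added example, not otwarchive's code: a minimal model of the claims
# authorization rules this ticket asks for. All names are hypothetical.

User       = Struct.new(:name)
Collection = Struct.new(:name, :maintainers)   # maintainers: Array of User
Claim      = Struct.new(:id, :collection, :claimer)

# What a visitor may see at /collections/:name/claims.
#   :login_required  logged out, send to the log in screen
#   :own             ?for_user=true, only the visitor's own claims
#   :all             maintainer viewing every claim in the collection
#   :forbidden       non-maintainer asking for the full list
def claims_index_access(user, collection, for_user: false)
  return :login_required if user.nil?
  return :own if for_user
  return :all if collection.maintainers.include?(user)
  :forbidden
end

# Apply the decision when building the list. The filter comes from the
# server-side decision, so a non-maintainer cannot widen it by editing
# the query string.
def visible_claims(user, collection, claims, for_user: false)
  in_collection = claims.select { |c| c.collection == collection }
  case claims_index_access(user, collection, for_user: for_user)
  when :all then in_collection
  when :own then in_collection.select { |c| c.claimer == user }
  else []
  end
end

# Whether `user` may drop `claim`, and where to redirect afterwards.
# The check is on the claim actually targeted, not on the form the user
# was shown, which is what defeats a tampered "Drop Claim" link.
def claim_destroy_access(user, claim)
  return [:login_required, :login_page] if user.nil?
  if claim.collection.maintainers.include?(user)
    [:allowed, :collection_claims_page]
  elsif claim.claimer == user
    [:allowed, :own_claims_page]
  else
    [:forbidden, :collection_home_page]
  end
end

# Constructed sample data mirroring the test accounts used in the ticket.
NARY   = User.new("Nary")
TESTY3 = User.new("Testy3")
MEME   = Collection.new("test_meme", [NARY])
CLAIMS = [
  Claim.new(1, MEME, NARY),    # Nary claimed one of Testy3's prompts
  Claim.new(2, MEME, TESTY3)   # Testy3 claimed one of Nary's prompts
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "Testy3, full list:   #{claims_index_access(TESTY3, MEME)}"
  puts "Testy3, own claims:  #{visible_claims(TESTY3, MEME, CLAIMS, for_user: true).map(&:id)}"
  puts "Nary, full list:     #{visible_claims(NARY, MEME, CLAIMS).map(&:id)}"
  puts "Testy3 drops Nary's: #{claim_destroy_access(TESTY3, CLAIMS[0]).inspect}"
end
```

Run it directly to print the decisions for the constructed accounts; the non-maintainer asking for the full list gets :forbidden, and the tampered drop of another user's claim is refused with a redirect to the collection home page.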

Activity

CJ Record
November 16, 2016, 10:25 PM

In 6970, the prompt fulfillers do get revealed when this bug hits.

Nary Rising
August 6, 2020, 12:35 AM

Made a new prompt meme owned by Nary. Left 2 prompts as Nary, then left 2 prompts as Testy3. Nary claimed one of Testy3’s prompts and Testy3 claimed one of Nary’s prompts.

While logged in as Testy3, I can view Testy3’s claimed prompt. I cannot view all the claims, I get a “Sorry, you’re not allowed to do that” message. I could successfully drop and re-claim Testy3’s claim as a non-maintainer.

While logged in as Nary (maintainer), I can view Nary’s claimed prompt. When I view the entire list of claims, I see one claimed by Nary and one claimed by Testy3. I was successfully able to delete Testy3’s claim as the maintainer of the collection.

I’m not sure how to test the last item, but otherwise everything looks as it should to me.

Sarken
August 6, 2020, 1:57 AM

Verify you can access the page for your own claims in a collection you are not a maintainer of. Yup!

Verify you can access the page for your own claims in a collection you are a maintainer of. Yup.

Verify you can access all the claims in a collection you are a maintainer of. Also yup.

Delete one of your own claims as a non-maintainer; check that you are redirected to your claims page within the collection, with a success message. Yup, got the proper redirect and message.

Verify that you are not allowed to access all the claims in a collection you are not a maintainer of. Got a “Sorry, you're not allowed to do that” message and was redirected to the collection page, so that looks good.

Delete a claim as a collection maintainer; check that you are redirected to the collection claims page, with a success message. Yeah, deleted the claim, got the right redirect and success message.

Delete one of your own claims as a non-maintainer; check that you are redirected to your claims page within the collection, with a success message. Indeed, it worked as expected.

Attempt to delete a claim that is not yours, without being a maintainer, by modifying the form HTML with browser tools or similar; check that you are redirected to the collection home page with an error message.

  • logged in as User A and went to my claims page

  • copied the HTML for the “Drop Claim” button on one of my claims

  • logged in as User B and went to my claims page

  • modified the href attribute on one of the “Drop Claim” buttons so it pointed to User A’s claim

  • clicked on the modified “Drop Claim” button

  • confirmed I wanted to delete it

  • was redirected to the collection User A’s claim was in, with the error “Sorry, you're not allowed to do that.”

Looks good to me!

Sammie Louise
August 6, 2020, 4:00 AM
Edited

Verify you can access the page for your own claims in a collection you are not a maintainer of. Yes

Verify you can access the page for your own claims in a collection you are a maintainer of. Yes

Verify you can access all the claims in a collection you are a maintainer of. Yes

Verify that you are not allowed to access all the claims in a collection you are not a maintainer of. Yep, got a "you're not allowed to do that" message and redirected to the collection dashboard.

Delete one of your own claims as a non-maintainer; check that you are redirected to your claims page within the collection, with a success message. This step isn't really accurate, as you can't delete the claim (since it's not your prompt). But, I was successfully able to drop my claim in a collection I did not maintain.
[side note, the popup does say "Do you really want to delete this claim?" which should probably be changed to "drop"]

Delete a claim as a collection maintainer; check that you are redirected to the collection claims page, with a success message. Yes, though again "delete" seems like a misnomer since the prompt itself remains.

Attempt to delete a claim that is not yours, without being a maintainer, by modifying the form HTML with browser tools or similar; check that you are redirected to the collection home page with an error message. I attempted to modify the Drop Claim destination to force it to drop a claim made by another user on a collection I wasn’t involved with on any level. It correctly refused to allow it, redirected me to that collection’s dashboard with an error saying “Sorry, you're not allowed to do that”

Looks good!

DeployedToBeta

Assignee

enigel lj

Reporter

CJ Record

Roadmap

Challenges

Priority

High

Affects versions

None

Fix versions

Components

BackEnd

Difficulty

Medium

Milestone

Internal 0.9