Don't check permissions for the target resource when canceling requests #8369

Merged
merged 1 commit into from
Aug 30, 2024

Commits on Aug 28, 2024

  1. Don't check permissions for the underlying resource when canceling requests
    
    IMO, these checks are not very useful. The permission logic for requests
    already checks that the request is being canceled by the same user that
    created it. Therefore, these additional checks can only fail if a user
    creates a request for some action, loses the permissions to do the same
    action again, and then tries to cancel the request. But cancelling a request
    does not do anything to the target resource (in fact, it _prevents_ some
    future actions from taking place), so I really don't see why this shouldn't
    be allowed.
    
    In addition, these checks create some problems:
    
    * If the creator of the request is no longer able to cancel it, we now have
      a request that _nobody_ is allowed to cancel. That seems wrong.
    
    * To implement these checks, `RequestPermission` has to know which actions
      require which permissions. This creates code duplication between it and
      the other permission classes. It also causes a dependency on those
      classes, which could create problems if we want to use the request API for
      actions from the Enterprise version.
    SpecLad committed Aug 28, 2024
    3366618
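
The following is an added example, not code from this pull request or the project: a minimal model of the two cancellation rules the commit message compares, showing how the extra target-resource check leaves a request that no user can cancel once its creator loses the permission. Every name in it (`Request`, `GRANTS`, `may_perform`, the two policy functions) and all sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical model of the argument; none of these names come from the project.

@dataclass(frozen=True)
class Request:
    id: str
    owner: str    # user who created the request
    action: str   # action the request would perform (constructed value)
    target: str   # id of the resource that action would touch

# Constructed sample: (user, action, resource) permissions currently granted.
GRANTS = frozenset({
    ("alice", "export", "task-1"),
    ("bob", "export", "task-2"),
})

def may_perform(user, action, target, grants):
    """Would `user` be allowed to start `action` on `target` right now?"""
    return (user, action, target) in grants

def can_cancel_before(user, req, grants):
    """Old rule: the owner, who must also still be permitted to repeat the action."""
    return user == req.owner and may_perform(user, req.action, req.target, grants)

def can_cancel_after(user, req, grants):
    """New rule: the owner only; cancelling does nothing to the target resource."""
    return user == req.owner

def uncancelable(requests, users, grants, policy):
    """Ids of requests that no user at all is allowed to cancel under `policy`."""
    return [r.id for r in requests
            if not any(policy(u, r, grants) for u in users)]

USERS = ["alice", "bob"]
REQUESTS = [
    Request("rq-1", "alice", "export", "task-1"),
    Request("rq-2", "bob", "export", "task-2"),
]

# bob created rq-2 and then lost the export permission on task-2.
REVOKED = GRANTS - {("bob", "export", "task-2")}

if __name__ == "__main__":
    print("old rule, stuck requests:", uncancelable(REQUESTS, USERS, REVOKED, can_cancel_before))
    print("new rule, stuck requests:", uncancelable(REQUESTS, USERS, REVOKED, can_cancel_after))
```

Running `uncancelable` over all pending requests after a permission change is also a quick audit for the stuck state described in the first bullet.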