Use authorized_scope within controllers

[jmilljr24]

• This work Closes [link an issue]

What is the goal of this PR and why is this important?

Relation scopes were set up in policies. This uses them in the controllers.

How did you approach the change?

Anything else to add?

[maebeale]

did this filter get lost? i don't think it's in the policy

[jmilljr24]

Going off the policy and comment I left off the by project_id since we need have the table change coming and there are a bunch more scope this policy will need to filter the search filters if we filter on org as well.

  relation_scope do |relation|
    next relation if admin?
    relation.where(user: user) # TODO - maybe also allow users to see peers' within same organization
  end

I do notice now that the scope for user should be on created_by_id.

It looks like WorkshopLog has user_id on it not created_by_id so the relation_scope was correct.

[maebeale]

gotcha re project!

the report/workshop_log models are actually still user_id. so we must've never tested as non-admin.

[maebeale]

what was wrong w this test?

[jmilljr24]

We need to scope all the dropdowns. I think it should be its own separate PR. We are disabling workshop logs for this phase right? So this can be lower priority?

[maebeale]

workshop_logs are in scope. it's the workshop_idea he wants us to hide for now.

[jmilljr24]

OoOOOOH ok. I will open a separate issue for the scoped filters.

[maebeale]

i found note somewhere of adding scope_matcher :relation, ActiveRecord::Relation to ApplicationPolicy and after_action :verify_authorized, except: :index to validate that the indexes are using the scopes. not sure if you'd want to do that?

[jmilljr24]

In ApplicationController I have verify_authorized commented out and ready to go once we think we have every policy done and and proper. That makes sure every controller action has a policy checked going forward.

I'll have to look into the scope stuff and see if/what makes sense for us. Thanks for pointing it out.