Handle deactivated users gracefully from a bank #3631
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| class DeactiveUsers < ActiveRecord::Migration[7.0] | ||
| def change | ||
| Users.discarded.each do |user| | ||
| user.add_role(:deactivated) | ||
|
There was a problem hiding this comment. Again - here we'd want to just remove all roles rather than add a new one. |
||
| end | ||
| end | ||
| end | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -39,6 +39,17 @@ | |
| expect(build(:user)).to be_valid | ||
| end | ||
|
|
||
| context "discarded user from organization should be able to create a partner profile" do | ||
| let(:discarded_at) { Time.zone.now } | ||
| let(:email) { "[email protected]" } | ||
| let!(:discarded_user) { build(:user, name: "Larry", email: email, discarded_at: discarded_at) } | ||
| let!(:partner) { create(:partner, email: email) } | ||
|
|
||
| it "allows a previously discarded user to create a partner account" do | ||
| expect(partner).not_to be_valid | ||
| end | ||
| end | ||
|
|
||
| context "Validations >" do | ||
| it "requires a name" do | ||
| expect(build(:user, name: nil)).not_to be_valid | ||
|
|
@@ -55,8 +66,8 @@ | |
|
|
||
| describe "Scopes >" do | ||
| describe "->alphabetized" do | ||
| let!(:z_name_user) { create(:user, name: "Zachary") } | ||
| let!(:a_name_user) { create(:user, name: "Amanda") } | ||
|
|
||
| it "retrieves users in the correct order" do | ||
| alphabetized_list = described_class.alphabetized | ||
|
|
@@ -71,10 +82,10 @@ | |
| describe "->alphabetized" do | ||
| let(:discarded_at) { Time.zone.now } | ||
|
|
||
| let!(:z_name_user) { create(:user, name: "Zachary") } | ||
| let!(:a_name_user) { create(:user, name: "Amanda") } | ||
| let!(:deactivated_a_name_user) { create(:user, name: "Alice", discarded_at: discarded_at) } | ||
| let!(:deactivated_z_name_user) { create(:user, name: "Zeke", discarded_at: discarded_at) } | ||
|
|
||
| it "retrieves users in the correct order" do | ||
| alphabetized_list = described_class.org_users.with_discarded.alphabetized | ||
|
|
@@ -118,12 +129,12 @@ | |
| end | ||
| end | ||
|
|
||
| describe "omniauth" do | ||
| it "retrieves the user from an omniauth context" do | ||
| # can't use instance_double since AuthHash uses Hashie for dynamically created methods | ||
| token = double(OmniAuth::AuthHash, info: {"email" => "[email protected]"}) | ||
| expect(described_class.from_omniauth(token)).to eq(nil) | ||
| user = FactoryBot.create(:user, email: "[email protected]") | ||
| expect(described_class.from_omniauth(token)).to eq(user) | ||
| end | ||
| end | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't seem like the right way to model the user. We shouldn't be deliberately giving them a deactivated role. If the user has no roles, we should consider that user deactivated and treat them accordingly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hrm. @dorner -- Here's the thing, though. The bank can deactivate a user and reactivate them. However, there is also a case where someone may go to work for a partner after having worked for a bank (or vice versa), with possible overlap. (pls check the issue ). As things are now (deactivating the user as a user), when the bank deactivates a user, it precludes them working for a partner.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There may well be a way of allowing this situation without using a deactivated role, and if we were to use a deactivated role (which, I admit, is how I thought this would be done, given that we allow reactivation, and that someone might (also) be working with a partner) , it would need to be deactivated in the context of an organization, not just deactivated, imo.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah - I wasn't aware that the bank needed to be able to reactivate users. If that's the case, then yes an org-level deactivated role probably makes the most sense. However, there might be code lurking around that assumes that if you have any role with an org, you have the most basic one (which is ORG_USER) - so you might need to tweak that assumption. E.g. ensure that if that's the role the user would be given when logging in, the user is instead kicked out.
I'm just a bit concerned about the data - what if someone somehow ends up with both an ORG_USER and a DEACTIVATED role?
Maybe a better approach would be to add a "deactivated" column to the
user_rolestable and use that. Again, we'd have to ensure the login and permission logic would specifically exclude deactivated roles in 99% of cases. But there's less chance of weird data issues since you are activating and deactivating a specific role. We also get the benefit of (if we need to) in the future allowing any role to be activated and deactivated - e.g. partner users.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See RolifyCommunity/rolify#551 - similar idea but here we'd use
deactivatedinstead ofdeleted. We'd also have to useunscopedwhen on the page that shows deactivated users.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FWIW I have a gut "that sounds right" reaction to the idea of adding the "deactivated" column to the user_roles table.