#285 delete application in draft #974
Conversation
|
Oh! 👏 |
| APPLICATION_DELETION_CONFIRM: { | ||
| title: 'Delete application', | ||
| message: 'Please confirm you would like to delete a draft application', | ||
| option: 'OK', | ||
| }, |
There was a problem hiding this comment.
Prob put this in constants.ts since we have to get rid of messages when we do localisation functionality?
There was a problem hiding this comment.
Ok - checked PR #1004 and both files messages and `constants are deleted. So I will leave here for now.
There was a problem hiding this comment.
Yeah, that's cool, I'll need to do a big mop-up before #1004 can merged, so leave any constants stuff for now.
|
|
||
| if (error) return <Message error header={strings.ERROR_APPLICATION_DELETE} list={[error]} /> | ||
|
|
||
| return isDeleted ? null : ( |
There was a problem hiding this comment.
Is there a better way to do this? From what I understand, this just set the local component to "deleted" and just hides it from UI even though it's still actually in the list. What we really want to do is trigger a re-fetch in the list, which means you won't need any state in here.
One way to do it, maybe:
Use "refetch" in "ListWrapper": {data, loading, error: applicationsError, refetch } = useGetApplicationListQuery(...
And pass this down as "refetchList" or something, then in the ApplicationRow component, use the delete mutation's "ON_COMPLETED" property, and call "refetchList" on completion (so no need for useEffect either).
(One side effect of the way you've done it, is if the list is longer than one page, then when you delete one, the list won't re-paginate, which is confusing cos it looks like you've got less applications that there are -- in fact, you could delete all the applications on a page and the user would think they've deleted everything because the existing ones haven't rippled round to the current page like they should have).
There was a problem hiding this comment.
Doing this change now. Thanks : )
|
Actually, now I think about this, the actual deletion should probably be through a back-end endpoint, for security reasons. I know you check for Draft status here, but that's all UI-based -- it's still easy to send "delete" queries to GraphQL for applications not in Draft. I think we should probably set policy so no user has "delete" permissions on any table directly, only the "isAdmin" JWT in the back-end. So the front-end would make request for deletion, and the back-end does all the checks, then handles the deletion, and returns a confirmation to front-end, which then knows to refetch the list. Also -- the back-end needs to delete any files associated with the application too. I realise that makes this a somewhat bigger job, but leaving it like this is quite a big security hole -- so will need to make a new issue and add it to this issue please. (I can probably do the back-end after I finish up on Outcomes, so maybe leave this in PR for now, and come back to it when the back-end API is available) |
Yes, good point. What I was thinking is that back-end would already be preventing that only applications related to your applications (already in place) and in the status draft (need to add as part of this-sprint-issue #119), so this check in UI is only for showing the option - not preventing the deletion on the back-end. But you are right, we need to add this restriction on the back-end to make sure there is no hole on this end. If you would like to have a go on changing the policies to check that today I think that should be enough? And the deletion of the file coud be done as part of the garbage-collection issue: |
|
@CarlosNZ planning to have a look on adding some restrictions to users as to only delete application in status = DRAFT or WITHDRAWN (if we will still do this one) or EXPIRED. I don't think we should allow changing if status CHANGES_REQUIRED. Have you and @andreievg started some discussions around security and row-level permissions? |
Kind of, you'll see I've updated the linked issues on this summary issue with more details as to what we discussed. I'll make a comment about deletion on the Policies issue. The main thing to fix in this PR I think is just my first comment, as I don't think it's good practice to just hide (using CSS) items from the table without actually removing them from the list state -- seems likely to lead to unexpected bugs (such as the one I mentioned in that comment) |
|
Ok - Changes done on Front-end. Regarding security issue, should be dealt as part of issue msupply-foundation/conforma-server#589. Have added an comment there about that now. |
Cool, will check out shortly |
| @@ -1,6 +1,8 @@ | |||
| import React, { Fragment } from 'react' | |||
| import React, { Fragment, useEffect, useState } from 'react' | |||
There was a problem hiding this comment.
useEffect, useState not used
Sure. Thank you! |
Fixes #285
@adamdewey That one is for you : )
Changes