CSC/ECE 517 Fall 2015/oss E1553 AAJ
Pagination of versions helps the user to view a subset of versions at a time. Considering the huge number of versions in the system, it is very useful to have a pagination mechanism and a filtering mechanism which can be applied on the whole set of versions. The idea is to display the versions in an ordered, comprehensible and logical manner.
In Expertiza the gem ‘will_paginate’ is used to achieve pagination.
Drawbacks with the current implementation:
Functionality:
- Any user irrespective of his/ her privileges can view all the versions.
- The versions which a particular user can view should be restricted based on the privileges of the user. For instance, only a user with Administrator privileges should be able to view all the versions in the system. However, that is not the case now. Every user can view all the versions irrespective of whether the user is a student or an administrator.
- Any user can delete any version
- The versions which a particular user can delete should be restricted based on the privileges of the user. For instance, a student should not be allowed to delete any version. According to the current implementation any user can delete any version in the system.
- Filtering of versions was restricted to the current user
- The filtering options on versions were restricted to the current user. Sometimes a user might want to view versions associated with other users. For instance, an instructor might want to view the list of versions created by a particular student. This is not possible with the current implementation.
Current Implementation:
- Problem 1: The method paginate_list is doing more than one thing.
- The method paginate_list was building complex search criteria from the input params, fetching the versions matching those criteria from the database, and then calling the Page API. Combining all of these tasks in a single method made it difficult to understand.

```ruby
# For filtering the versions list with proper search and pagination.
def paginate_list(id, user_id, item_type, event, datetime)
  # Set up the search criteria (the datetime parameter is never used)
  criteria = ''
  criteria = criteria + "id = #{id} AND " if id && id.to_i > 0
  if current_user_role? == 'Super-Administrator'
    criteria = criteria + "whodunnit = #{user_id} AND " if user_id && user_id.to_i > 0
  end
  criteria = criteria + "whodunnit = #{current_user.try(:id)} AND " if current_user.try(:id) && current_user.try(:id).to_i > 0
  criteria = criteria + "item_type = '#{item_type}' AND " if item_type && !(item_type.eql? 'Any')
  criteria = criteria + "event = '#{event}' AND " if event && !(event.eql? 'Any')
  criteria = criteria + "created_at >= '#{time_to_string(params[:start_time])}' AND "
  criteria = criteria + "created_at <= '#{time_to_string(params[:end_time])}' AND "
  # Empty if clause: has no effect
  if current_role == 'Instructor' || current_role == 'Administrator'
  end
  # Remove the last ' AND '
  criteria = criteria[0..-5]
  versions = Version.page(params[:page]).order('id').per_page(25).where(criteria)
  versions
end
```
- Problem 2: The search criteria created in the method paginate_list were difficult to comprehend.
- The code which builds the search criteria in the method paginate_list uses many string literals and conditions and is hardly intuitive. A programmer has to spend some time to understand what the code is really doing.
- Problem 3: The paginate method can be moved to a helper class.
- VersionsController is not the only component which needs to paginate items. There are other components too. For instance, the UsersController has to paginate the list of users. Hence the paginate method can be moved to a helper class which can be accessed by other components as well.
How the drawbacks were addressed in the new implementation:
Functionality:
- Solution (viewing versions):
- The implementation has been changed in such a way that the versions which a user is allowed to see depend on the privileges of the user. The approach we have taken is as follows:
- An administrator can see all the versions.
- An instructor can see all the versions created by him and by other users who are in his course or are participants in the assignments he creates.
- A TA can see all the versions created by him/ her and by other users who are in the course for which he/ she assists.
- A Student can see all the versions created by him/ her.
- Solution (deleting versions):
- A student is not allowed to delete any versions now. Other types of users, for instance administrators, instructors and TAs, are allowed to delete only the versions they are authorized to view.
- Solution (filtering versions):
- The filtering options have also been enhanced. The current user can now choose, as part of the version search filter, any user from a list of users if the current user is authorized to see the versions created by that user.
New Implementation:
- The method paginate_list has been split into 2 methods now.
- BuildSearchCriteria – as the name suggests the sole purpose of this method is to build a search criteria based on the input search filters when the current user initiates a search in versions.
- paginate_list – this method will call the paginate API.
First the search criteria are built, then the criteria are applied to the versions in the database to get all versions which match them, and then the retrieved versions are paginated.
```ruby
# pagination.
def paginate_list(versions)
  paginate(versions, VERSIONS_PER_PAGE)
end

def BuildSearchCriteria(id, user_id, item_type, event)
  # Set up the search criteria; each filter method returns nil when inactive,
  # so to_s turns a nil into an empty string before concatenation
  search_criteria = ''
  search_criteria = search_criteria + add_id_filter_if_valid(id).to_s
  if current_user_role? == 'Super-Administrator'
    search_criteria = search_criteria + add_user_filter_for_super_admin(user_id).to_s
  end
  search_criteria = search_criteria + add_user_filter.to_s
  search_criteria = search_criteria + add_version_type_filter(item_type).to_s
  search_criteria = search_criteria + add_event_filter(event).to_s
  search_criteria = search_criteria + add_date_time_filter
  search_criteria
end
```
- The string literals and conditions in the method paginate_list were replaced with methods with intuitive names so that the programmer can understand the code more easily. We also removed an empty if clause and a redundant statement.
```ruby
def add_id_filter_if_valid(id)
  "id = #{id} AND " if id && id.to_i > 0
end

def add_user_filter_for_super_admin(user_id)
  "whodunnit = #{user_id} AND " if user_id && user_id.to_i > 0
end

def add_user_filter
  "whodunnit = #{current_user.try(:id)} AND " if current_user.try(:id) && current_user.try(:id).to_i > 0
end

def add_event_filter(event)
  "event = '#{event}' AND " if event && !(event.eql? 'Any')
end

# Last filter in the chain, so it carries no trailing ' AND '
def add_date_time_filter
  "created_at >= '#{time_to_string(params[:start_time])}' AND " +
    "created_at <= '#{time_to_string(params[:end_time])}'"
end

def add_version_type_filter(version_type)
  "item_type = '#{version_type}' AND " if version_type && !(version_type.eql? 'Any')
end
```
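Each filter method above interpolates the request value straight into the SQL string, and the `to_i > 0` guard does not stop a non-numeric string such as '5 OR 1=1' from reaching the query (its to_i is 5). The following is an added example, not Expertiza's code, of the same filters written as a parameterized condition array that ActiveRecord's `where` accepts; it assumes plain Ruby with the filter values passed in explicitly, and leaves the choice of whodunnit value (own id or a selected user) to the caller.

```ruby
# Added example, not Expertiza code: version filters as a parameterized
# condition array, usable as Version.where(build_search_criteria(...)).
# Assumptions: plain Ruby, filter values passed in explicitly, and the
# caller decides which whodunnit value the current user may filter on.

# The page's guard for comparison: to_i turns '5 OR 1=1' into 5, so the
# raw string still lands in the SQL text.
def legacy_id_filter(id)
  "id = #{id} AND " if id && id.to_i > 0
end

# Strict coercion: anything that is not a positive whole number becomes nil.
def positive_int(value)
  n = Integer(value.to_s, 10) rescue nil
  n if n && n > 0
end

# Each filter returns [sql_fragment, *bind_values], or nil when inactive.
def id_filter(id)
  n = positive_int(id)
  ['id = ?', n] if n
end

def whodunnit_filter(user_id)
  n = positive_int(user_id)
  ['whodunnit = ?', n] if n
end

def item_type_filter(item_type)
  ['item_type = ?', item_type] if item_type && item_type != 'Any'
end

def event_filter(event)
  ['event = ?', event] if event && event != 'Any'
end

def date_time_filter(start_time, end_time)
  ['created_at >= ? AND created_at <= ?', start_time, end_time]
end

# Joins the active fragments with AND; the values travel separately as binds.
def build_search_criteria(id:, whodunnit:, item_type:, event:, start_time:, end_time:)
  filters = [id_filter(id), whodunnit_filter(whodunnit),
             item_type_filter(item_type), event_filter(event),
             date_time_filter(start_time, end_time)].compact
  sql   = filters.map(&:first).join(' AND ')
  binds = filters.flat_map { |f| f.drop(1) }
  [sql, *binds]
end
```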
- The paginate method has been moved to the helper module PaginationHelper. This new method can now be reused by different components such as UsersController. The method receives two parameters: first the list to paginate, and second the number of items to be displayed on a page.
```ruby
module PaginationHelper
  def paginate(items, number_of_items_per_page)
    items.page(params[:page]).per_page(number_of_items_per_page)
  end
end
```
Code improvements:
- Introduced a constant VERSIONS_PER_PAGE and assigned the value 25 to it. The pagination algorithm for VersionsController displays at most 25 versions on a page. The existing implementation uses the value 25 directly in the code, and there are a few problems associated with such an approach.
- It is not easy to understand what 25 means unless the programmer takes a close look at the code.
- If the value 25 is used in more than one place and in future a new requirement comes to show at most 30 versions on a page, all the occurrences will have to be modified. It is not very DRY.
- The VersionsController was overriding the AccessHelper method action_allowed? to return true in all cases. This defeated the whole purpose of the method action_allowed?, which is to determine whether the user who is triggering a CRUD operation is allowed to do so. When the current user invokes a CRUD operation, the action_allowed? method is invoked first; if it returns true the CRUD operation is triggered, otherwise the user is informed with a message and gracefully exited. Hence, when action_allowed? is overridden to always return true, it grants unauthorized access to certain users.
```ruby
def action_allowed?
  true
end
```
With the new implementation the AccessHelper - action_allowed? method has been modified in such a way that unauthorized access is prevented. As per the new algorithm, 'new', 'create', 'edit', 'update' cannot be invoked by any user. These operations can be accessed only by ‘papertrail’ gem. Only an ‘Administrator’ or ‘Super-Administrator’ can call 'destroy_all' method. All the other methods are accessible to ‘Administrator’, ‘Super-Administrator’, ‘Instructor’, ‘Teaching Assistant’ and ‘Student’.
```ruby
def action_allowed?
  case params[:action]
  when 'new', 'create', 'edit', 'update'
    # Modifications can only be done by papertrail
    return false
  when 'destroy_all'
    ['Super-Administrator', 'Administrator'].include? current_role_name
  else
    # Allow all others
    ['Super-Administrator', 'Administrator', 'Instructor', 'Teaching Assistant', 'Student'].include? current_role_name
  end
end
```