Toolhub/Progress reports/2021-04-30
Report on activities in the Toolhub project for the week ending 2021-04-30.
Testing, 1, 2, 3[edit]
Having automated tests covering how an application deals with data processing and access control can be very useful as the number of contributors and complexity of the code base grows. We have been using test automation in developing Toolhub from the beginning, but we have not formally made test coverage goals yet for the frontend code base. Srishti has been grinding through adding tests for the vuex data management layer that we are using in the vue frontend. She's now waiting for code review on that patch and a few related bug fixes that adding the tests exposed.
When merged, our code coverage in the frontend will increase from 34.69% of statements (171/493) to 78% (390/500)! That gets us very close the the 85% code coverage level that was setup for enforcement early on for the Django backend code. With a few more added tests we will be able to turn on enforcement for the Vue code as well.
Object level permissions management[edit]
Bryan has been working towards a patch introducing use of Django's object permissions in the API layer for access control. This was seen as a necessary step to take before diving deeply into more advanced patrolling features like content suppression.
After examining several options (django-guardian, django-rules, drf-access-policy), we have chosen the django-rules library as our starting point. This library is light weight, and uses a declarative configuration that feels easier to reason about than django-guardian's database level configuration.
After a couple of false starts, the work in progress patch now has all applicable existing API routes using the framework. The remaining work is adding more test coverage to assert that the library and it's configuration are enforcing the desired rules about which users can see which results when calling the endpoints. We had high "lines of code" coverage for the routes, largely because the are mostly boiler plate configuration with the hard work being done by the Django REST framework library, but we had very poor coverage of access control enforcement edge cases like "what happens when an anonymous users calls this?". Bryan expects to wrap up the increased test coverage soon and push the patch to gerrit for review and merge.
Wrap up[edit]
There is a colloquial analogy about hidden work that goes something like "A swan moves gracefully and seemingly without effort on top of the water, but underneath the water its feet are continuously working". This feels appropriate for our progress on Toolhub in April 2021. We were able to complete last bits of our direct tool registration goal from the prior quarter early in April, but have not crossed any other major features off since. We have however been making slow but steady progress on our content moderation support goal. Work in this area should start becoming more visible as we start work on user interface components for this in the coming weeks.