[WHIT-3020] Allow publishers to delete a document preview link #11543
Open
TonyGDS wants to merge 5 commits into
Compact the auth_bypass_ids arrays in the Publishing API presenters and in the attachment, image and response-form data models, so an edition without a token serialises to [] rather than [nil]. This is the foundation for letting publishers delete a preview token and for making token generation opt-in.
Drop the NOT NULL constraint on editions.auth_bypass_id so that a token can be removed from a draft. Deleting a token sets the column to nil, which the previous constraint rejected.
Add a service that removes a draft's auth bypass token: it nils the edition's auth_bypass_id, saves the edition, republishes via the updater and sends auth_bypass_ids: [] to Asset Manager for every attached file and image. Extract the shared Asset Manager propagation into EditionAuthBypassAssetPropagator, which derives the value from the edition's current auth_bypass_id, and reuse it from EditionAuthBypassUpdater.
Add a destroy_bypass_id action and DELETE route that removes a draft's auth bypass token via EditionAuthBypassRevoker. Like update_bypass_id it loads the edition and requires :update permission on it.
Render the "Share preview link with someone else" section in two states: when a token exists, show the copy link with options to regenerate or delete it; when no token exists, show only a button to generate one. Deleting a token flips the summary page to the empty state.
Part 2 of 3 for WHIT-3020 (opt-in preview tokens). Stacked on #11555. Adds the ability for publishers to delete a document's shareable preview token. Token auto-generation is unchanged here — it flips to opt-in in PR #11542.
Jira
How
- `.compact` the `auth_bypass_ids` in the Publishing API presenters and in the attachment, image and response-form data models, so a token-less edition serialises to `[]` rather than `[nil]`.
- `auth_bypass_ids: []` to Asset Manager for attached files and images. Add `EditionAuthBypassAssetPropagator` for shared logic reused by the existing updater.
- `destroy_bypass_id` action + `DELETE` route, requiring `:update` on the edition.

Behaviour
Every draft still auto-gets a token (removed in #11542), so the preview section shows the token-present state. Deleting a token reaches the empty state. Regenerating or deleting removes the previous token from Whitehall, Publishing API and Asset Manager, so the old link returns 403 for unauthorised users.
Screenshots
Before — single-state section
After — no token (empty state)
After — token present
Testing
- `auth_bypass_ids: []` after deletion.

Next
PR #11542: Make preview token generation opt-in (removes the auto-generation callback).
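
Added example, not code from this PR or from Whitehall: a Ruby sketch of the revocation flow described above, showing the compacted list reaching every asset and the old token being refused afterwards. `Edition`, `FakeAssetStore`, `auth_bypass_ids_for`, `propagate`, `revoke` and `demo` are hypothetical in-memory stand-ins, and the asset ids are constructed sample data.

```ruby
require "securerandom"

# Hypothetical in-memory stand-ins; none of these names are Whitehall's or Asset Manager's.
Edition = Struct.new(:auth_bypass_id, :asset_ids)

class FakeAssetStore
  def initialize
    @ids = {}
  end
  # Records the auth_bypass_ids list sent for one asset.
  def update(asset_id, auth_bypass_ids:)
    @ids[asset_id] = auth_bypass_ids
  end
  def auth_bypass_ids(asset_id)
    @ids.fetch(asset_id, [])
  end
  # Draft asset request without a signed-in user: 200 only for a listed, non-nil token.
  def status_for(asset_id, token)
    return 403 if token.nil?
    auth_bypass_ids(asset_id).include?(token) ? 200 : 403
  end
end

# Serialise the edition's token as a list: [] when there is no token, never [nil].
def auth_bypass_ids_for(edition)
  [edition.auth_bypass_id].compact
end

# Push the edition's current value to every attached file and image.
def propagate(edition, store)
  edition.asset_ids.each { |id| store.update(id, auth_bypass_ids: auth_bypass_ids_for(edition)) }
end

# Delete the token, then propagate so no asset keeps honouring the old one.
def revoke(edition, store)
  edition.auth_bypass_id = nil
  propagate(edition, store)
end

def demo
  store = FakeAssetStore.new
  edition = Edition.new(SecureRandom.uuid, %w[file-1 image-1]) # constructed sample data
  propagate(edition, store)
  old = edition.auth_bypass_id
  before = edition.asset_ids.map { |id| store.status_for(id, old) }
  revoke(edition, store)
  after = edition.asset_ids.map { |id| store.status_for(id, old) }
  { before: before, after: after, stored: edition.asset_ids.map { |id| store.auth_bypass_ids(id) } }
end
```

Calling `demo` returns the status codes for the old token before and after revocation, plus the list each asset ends up storing.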