Skip to content

feat(app): restrict blog post editing to post author or Admin (#300)#304

Merged
mpaulosky merged 6 commits into
devfrom
squad/300-restrict-blog-post-edit-to-author-or-admin
May 11, 2026
Merged

feat(app): restrict blog post editing to post author or Admin (#300)#304
mpaulosky merged 6 commits into
devfrom
squad/300-restrict-blog-post-edit-to-author-or-admin

Conversation

@mpaulosky

Copy link
Copy Markdown
Owner

Summary

Closes #300

Full-stack implementation restricting blog post editing to the post's original author or an Admin. This is the complete solution combining Aragorn's backend enforcement with Legolas's frontend UX.

Working as Legolas (Frontend Developer) + incorporating Aragorn (Backend Developer) changes.


Changes

Backend (Aragorn)

  • ResultErrorCode.Unauthorized = 5 — new enum value in src/Domain/Abstractions/Result.cs
  • EditBlogPostCommand — extended with CallerUserId and CallerIsAdmin parameters
  • EditBlogPostHandler — authorization check: returns Unauthorized if CallerUserId != post.Author.Id and not Admin
  • Handler tests — new tests: author allowed, Admin allowed, different user → Unauthorized

Frontend (Legolas)

  • Edit.razor load-time check — after post loads, compares Auth0 sub claim with post.AuthorId; redirects non-owners to /blog (unless Admin)
  • Edit.razor submit-timeHandleSubmit passes _callerUserId and _callerIsAdmin in the command; on Unauthorized response shows inline user-friendly error instead of silent navigation
  • bUnit tests (EditAclTests.cs) — 4 tests: redirect non-owner, allow owner, allow Admin, server-side Unauthorized shows error message

Test Results

  • bUnit: 88 tests pass (4 new for this issue)
  • Web.Tests: 154 tests pass

⚠️ This task was flagged as "needs review" — please have a squad member review before merging.

Boromir and others added 3 commits May 11, 2026 13:11
Add UI-level ownership check in Edit.razor:
- AuthenticationStateProvider injected; sub claim extracted in OnParametersSetAsync
- After loading post, check if current user is Admin OR post.AuthorId matches sub
- If neither, redirect to /blog immediately
- Admins retain unrestricted edit access

bUnit tests added for:
- author can edit own post
- non-owner Author redirected to /blog
- Admin can edit any post

Closes #300

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add ResultErrorCode.Unauthorized = 5 to domain enum
- Extend EditBlogPostCommand with CallerUserId and CallerIsAdmin
- EditBlogPostHandler enforces: post.Author.Id == CallerUserId OR CallerIsAdmin
- Edit.razor stores caller identity from AuthStateProvider and passes it in command
- Edit.razor redirects to /blog on Unauthorized error code
- All existing tests updated for new command constructor
- New tests: AdminCanEditAnyPost, AuthorCanEditOwnPost, DifferentNonAdminUser_ReturnsUnauthorized
- Leave decisions inbox note for Legolas on contract changes

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…Unit test (#300)

- Fix HandleSubmit: Unauthorized result now shows user-friendly inline error
  'You don't have permission to edit this post.' instead of silently
  navigating to /blog (the old code also set _error after navigating,
  which the user would never see)
- Add bUnit test EditShowsErrorWhenServerReturnsUnauthorized: verifies
  the permission-denied message appears and navigation does not fire
  when the server returns ResultErrorCode.Unauthorized
- Update agent histories for Legolas and Aragorn

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 11, 2026 20:24
@github-actions github-actions Bot added the squad Squad triage inbox — Lead will assign to a member label May 11, 2026
@github-actions

Copy link
Copy Markdown
Contributor

🏗️ PR Added to Squad Triage Queue

This PR has been labeled with squad and added to the triage queue.

Next steps:

  • The squad Lead will review and assign to an appropriate team member
  • A squad:member label will be added after triage

If you know which squad member should handle this, you can add the appropriate squad:member label yourself.

Summary: PRs #297, #298, #301, #302 merged. Issues #293, #296, #299,
#300 all closed. Sprint 19 complete.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Implements end-to-end authorization for editing blog posts so only the original post author or an Admin can edit, with both backend enforcement (handler) and frontend UX guardrails (Edit page + bUnit coverage).

Changes:

  • Added ResultErrorCode.Unauthorized and enforced author/Admin checks in EditBlogPostHandler.
  • Extended EditBlogPostCommand to include caller context (CallerUserId, CallerIsAdmin) and updated validators/tests accordingly.
  • Added frontend load-time redirect + submit-time unauthorized messaging, with new bUnit ACL tests.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
tests/Web.Tests/Handlers/EditBlogPostHandlerTests.cs Updates existing edit tests and adds coverage for author/admin/unauthorized edit outcomes.
tests/Web.Tests/Features/BlogPosts/Commands/UpdateBlogPostCommandValidatorTests.cs Updates validator tests to use the new EditBlogPostCommand signature.
tests/Web.Tests/Features/BlogPosts/Commands/EditBlogPostCommandValidatorTests.cs Updates validator tests to use the new EditBlogPostCommand signature.
tests/Web.Tests/Behaviors/ValidationBehaviorTests.cs Updates validation behavior tests to use the new EditBlogPostCommand signature.
tests/Web.Tests.Bunit/Features/EditAclTests.cs Adds bUnit tests covering edit ACL redirect/allow/admin and unauthorized UX.
src/Web/Features/BlogPosts/Edit/EditBlogPostHandler.cs Adds server-side authorization enforcement returning Unauthorized when caller isn’t author/admin.
src/Web/Features/BlogPosts/Edit/EditBlogPostCommand.cs Extends the edit command with caller identity/admin context.
src/Web/Features/BlogPosts/Edit/Edit.razor Adds load-time ownership check + submit-time unauthorized message handling.
src/Domain/Abstractions/Result.cs Adds Unauthorized = 5 to the shared result error codes.
.squad/agents/legolas/history.md Documents frontend approach and testing notes for issue #300.
.squad/agents/aragorn/history.md Documents backend approach and related implementation notes.

}
else
{
_model = null;
Boromir and others added 2 commits May 11, 2026 13:32
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Kept instance fields _callerUserId and _callerIsAdmin from PR branch (needed for HandleSubmit)
- Kept full EditShowsErrorWhenServerReturnsUnauthorized test from PR branch
- Dev branch changes merged successfully

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@mpaulosky
mpaulosky enabled auto-merge (squash) May 11, 2026 20:36
@mpaulosky
mpaulosky merged commit 7e15cdd into dev May 11, 2026
13 checks passed
@mpaulosky
mpaulosky deleted the squad/300-restrict-blog-post-edit-to-author-or-admin branch May 11, 2026 20:37
@codecov

codecov Bot commented May 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.33%. Comparing base (292fd26) to head (8e608bb).
⚠️ Report is 1 commits behind head on dev.

Additional details and impacted files
@@            Coverage Diff             @@
##              dev     #304      +/-   ##
==========================================
+ Coverage   83.19%   83.33%   +0.13%     
==========================================
  Files          47       47              
  Lines        1238     1248      +10     
  Branches      150      152       +2     
==========================================
+ Hits         1030     1040      +10     
  Misses        148      148              
  Partials       60       60              
Files with missing lines Coverage Δ
src/Domain/Abstractions/Result.cs 80.55% <ø> (ø)
src/Web/Features/BlogPosts/Edit/Edit.razor 80.55% <100.00%> (+1.76%) ⬆️
...Web/Features/BlogPosts/Edit/EditBlogPostCommand.cs 100.00% <100.00%> (ø)
...Web/Features/BlogPosts/Edit/EditBlogPostHandler.cs 94.87% <100.00%> (+0.27%) ⬆️
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

squad Squad triage inbox — Lead will assign to a member

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Sprint 19] feat(app): restrict blog post editing to post author or Admin

2 participants