Ban usage of Current.organization outside of request layer
Summary
Currently the plan in #437541 (closed) is to set the Current.organization
in rack middleware.
Current.organization
is kind-of magical in a sense that it can be referenced throughout the application and not just at the request layer. This can easily become more magical than intended and start to be referenced in the model/service and other layers, which will lead to a lot of ambiguity around Current.organization
and expectations of it being set. Since we are only setting this, for now, in the rack middleware, we should try and guard its use to the layers that it will be known to be set from that.
Some of the Global state issues described well in this article we want to contain, but still use CurrentAttributes...for now.
This includes:
- Controller layer
- View layer(including helpers)
- API layer
- Graphql layer
This should promote the use of Current.organization
to be more similar to the availability of the session
.
If needed at the model/service/background jobs(workers) or other layers, we should pass it in like this:
class SomeController < ApplicationController
def create
response = SomeService.new(organization: Current.organization).execute
end
end
Caveat: this maybe not a longterm solution, but for now it seems prudent to put guardrails around this use early.
Plan
-
Create a simple rubocop linter to ban the use of Current.organization
outside of the approved areas as described above. !145586 (merged) -
Lock setting of organization to be only done once, see #442751 (comment 1785926358) !145714 (merged) -
Figure out ways to alert dev earlier in dev process that use of Current.organization
and the setter is banned - see #442751 (comment 1787087785). !145714 (merged)- there may not be a way to do this easily right now, so this is a nice to have. See thread for final decision: !145714 (comment 1789717285)