Todo "hidden" field

Problem to solve

  • User access to a todo record can change over time. For example:
    • Someone removed their access to the issue associated with the todo
    • The original author of the todo was banned
    • Probably many, many more reasons to be uncovered
  • The list of todos needs to reflect the todos that the individual has access to
  • The count of todos needs to reflect the count of todos that the individual has access to

Proposal

Option A

  • Introduce a new hidden field to the Todo model (app/models/todo.rb)
  • Introduce a new background service that runs every X amount of time to update the value of the new hidden field on the todos using the result of ::Todos::AllowedTargetFilterService
  • Use this new hidden field inside the TodosFinder to filter out all the todos that the user should not be able to see

Pros:

  • We can reuse existing logic to find out whether a todo should or should not be visible to a user (the ::Todos::AllowedTargetFilterService)
  • We will easily be able to tell whether a todo should or should not be visible to a user, without complex queries
  • The workload is spread out since we're using a background service that runs only every X amount of time

Cons:

  • We will have to live with a wrong number of todos for a short period of time if the access to a todo changes between one background job run and the next
    • Not really a security concern, because the todos will still be filtered out by the GraphQL endpoint; we'd be disclosing only the number of todos, not which ones or their target (exactly like we have now)
  • (Probably) Easier to implement
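
An added sketch of the Option A trade-off in plain Ruby (not GitLab code): the count reads only the cached hidden flag, while the list re-checks access the way the page says the GraphQL endpoint does. `TodoStore`, its methods and the sample data are hypothetical, and `allowed?` is a stand-in for the role of ::Todos::AllowedTargetFilterService, whose real interface is not shown here.

```ruby
# Added illustration with constructed data; every name here is hypothetical.
Todo = Struct.new(:id, :user, :target, :hidden)

class TodoStore
  def initialize(todos, access)
    @todos = todos    # all todo records
    @access = access  # { user => [readable targets] }, the source of truth
  end

  # Stand-in for the authoritative access check (assumed interface).
  def allowed?(todo)
    @access.fetch(todo.user, []).include?(todo.target)
  end

  # Simulates an access change (removed from an issue, author banned, ...).
  def revoke(user, target)
    @access[user].delete(target)
  end

  # The periodic background job: recompute `hidden` from the real check.
  def refresh_hidden!
    @todos.each { |t| t.hidden = !allowed?(t) }
  end

  # Finder-style query: trusts the cached flag, performs no access check.
  def visible_by_flag(user)
    @todos.select { |t| t.user == user && !t.hidden }
  end

  # The count reads the flag only, so it can be stale between job runs.
  def count(user)
    visible_by_flag(user).size
  end

  # The list re-checks access, so a stale flag never exposes a target.
  def list(user)
    visible_by_flag(user).select { |t| allowed?(t) }
  end
end

def stale_window_demo
  todos = [Todo.new(1, "alice", "issue-1", false), Todo.new(2, "alice", "issue-2", false)]
  store = TodoStore.new(todos, { "alice" => ["issue-1", "issue-2"] })
  snapshot = -> { [store.count("alice"), store.list("alice").map(&:id)] }
  store.refresh_hidden!
  before = snapshot.call
  store.revoke("alice", "issue-2") # access changes between two job runs
  stale = snapshot.call            # count still says 2, list shows only todo 1
  store.refresh_hidden!            # next job run corrects the count
  { before: before, stale: stale, after: snapshot.call }
end

puts stale_window_demo.inspect if __FILE__ == $PROGRAM_NAME
```
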

Option B

  • Introduce a new hidden field to the Todo model (app/models/todo.rb)
  • Update all the services that could make this field's value change and update the value accordingly
    • e.g. BanService, UnbanService, edit issue service, service to update the access level to a project or group, and probably many more

Pros:

  • No background service, so the workload on the server could be/is negligible
  • We will easily be able to tell whether a todo should or should not be visible to a user, without complex queries

Cons:

  • Finding all the different services that could make the hidden value change could be very difficult, and would pose a maintenance challenge because all new services would need to take this field into account
  • (Most likely) Harder to implement
  • Not sure if it's worth reusing the existing ::Todos::AllowedTargetFilterService or using a different solution
Edited by Marco Zille