Signed comment attachment URLs with paywalled parent entities minds#3927
Ticket(s) / Related Merge Requests
Summary of Changes
The issue here at a high-ish level is that a comment's access_id IS the same as its parent's activity guid. This means that when we try to view an image but the parent entity is paywalled, it will blur the comment attached image based upon the parent's permissions.
In this fix we are
- Migrating existing attachment logic to an
export:extenderhook to keep things clean and avoid duplication. - Signing any attachments IF the parent container entity is paywalled so that images show as is appropriate for this specific use-case.
Testing Considerations
Be very careful to test comments with and without media in a variety of situations, such as with a paywall and without.
-
Can view a comment with a paywalled container and an image. -
Can view a comment with a paywalled container and a video. (advised testing in staging) -
Can view a comment with a paywalled container and without an image or video. -
Can view a comment with an image but no paywalled container. -
Can view a comment with a video but no paywalled container. (advised testing in staging) -
Can view a comment without an image, video or paywalled container.
Contrast any issues found with other sandboxes.
Deployment Considerations
Standard deployment.
Regression Scope
Export of any and all comments - though realistically SHOULD only impact those with attachments.
Platform Affected (web, mobile, etc)
Web.
Developer Testing Completed
Manual - event hook callbacks are not testable in our framework.
Screenshots / Screen Recording
simplescreenrecorder-2023-08-02_13.17.03
Does this impact
-
Localization -
Dark/light mode -
Guest mode
Definition of Done Checklist
-
The Acceptance Criteria has been met -
Code is tested: Testing includes unit/spec, E2E/automated and manual testing -
Merge requests description has been filled out
Edited by Ben