
Make registration ticket callout pages publicly readable #1759

Merged
maebeale merged 1 commit into main from maebeale/public-callout-pages on Jun 18, 2026

Conversation

@maebeale

Collaborator

What is the goal of this PR and why is this important?

  • Callout detail pages are public reads reached from a registration ticket link
  • They were authorized against Event#show?, which wrongly locked out registrants of unpublished or ended events — the very people who follow these links
  • The callout id is already scoped to its event, so there is nothing sensitive to gate on read

How did you approach the change?

  • Added RegistrationTicketCalloutPolicy with show? open to everyone and update? (drag-reorder persistence) gated to event managers
  • Pointed the controller's show/update actions at the callout policy instead of the event policy
  • Covered both policy methods with a policy spec, and added a request spec asserting a callout on a non-public event is still publicly readable

Anything else to add?

  • Reorder persistence stays manager-only, matching event editing

🤖 Generated with Claude Code
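The policy split this PR describes, as an added Ruby example that is not the project's code: Pundit-style policy classes with assumed stand-in models, showing why gating a callout on EventPolicy#show? excluded registrants of unpublished or ended events, while the new policy keeps reorder persistence manager-only. The User/Event/Callout structs and the `manager?` predicate are assumptions, not the app's real schema.

```ruby
# Added example, not the project's code: Pundit-style policies in the shape the
# PR describes; the Struct models are assumed stand-ins for the app's records.
User = Struct.new(:id)
Event = Struct.new(:published, :ended, :manager_ids) do
  def manager?(user) # assumed: managers are the users allowed to edit the event
    !user.nil? && manager_ids.include?(user.id)
  end
end
Callout = Struct.new(:event) # controller lookup already scopes it to its event

# Policy the PR stopped using for callouts: it gates on the event's visibility,
# which locked out registrants of unpublished or ended events.
class EventPolicy
  def initialize(user, event)
    @user, @event = user, event
  end

  def show?
    (@event.published && !@event.ended) || @event.manager?(@user)
  end

  def update?
    @event.manager?(@user)
  end
end

# Policy the PR introduces: show? is open to everyone; update? (drag-reorder
# persistence) is gated exactly like editing the event.
class RegistrationTicketCalloutPolicy
  def initialize(user, callout)
    @user, @callout = user, callout
  end

  # callout id is scoped to its event, so there is nothing sensitive to gate.
  def show?
    true
  end

  def update?
    EventPolicy.new(@user, @callout.event).update?
  end
end

# What a given user may do with a callout on a given event, old policy vs new.
def callout_access(user, event)
  callout = Callout.new(event)
  { old_show:   EventPolicy.new(user, event).show?,
    new_show:   RegistrationTicketCalloutPolicy.new(user, callout).show?,
    new_update: RegistrationTicketCalloutPolicy.new(user, callout).update? }
end
```

Running `callout_access` for an anonymous registrant against an unpublished event is the request-spec case from the PR: the old policy denies the read, the new one allows it, and reorder persistence stays denied.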

The callout detail page is a public read reached from a registration ticket
link, so it must stay viewable even when the event is unpublished or ended —
mirroring Event#show? wrongly locked out registrants of non-public events.
Introduce RegistrationTicketCalloutPolicy so show? is open to everyone while
reorder persistence stays gated to event managers via update?.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

  # callout id is scoped to its event, so there is nothing sensitive to gate.
  def show?
    true
  end

Collaborator Author


🤖 From Claude: show? returns true deliberately — the callout id is scoped to its event in the controller lookup, so there's nothing sensitive to gate, and registrants of unpublished/ended events must still reach these pages.

@maebeale maebeale marked this pull request as ready for review June 18, 2026 23:29
@maebeale maebeale merged commit 5d89417 into main Jun 18, 2026
3 checks passed
@maebeale maebeale deleted the maebeale/public-callout-pages branch June 18, 2026 23:45
@maebeale maebeale requested a review from jmilljr24 June 18, 2026 23:52
@maebeale

Collaborator Author

@jmilljr24 they were locked out of the callout show page bc the event is hidden

@jmilljr24

Collaborator

@jmilljr24 they were locked out of the callout show page bc the event is hidden

LOL never would have crossed my mind.

@jmilljr24

Collaborator

AI @maebeale The same issue remains for the "Art supplies" / "Before you attend" details page (events#details) and the CE hours page (events#ce_hours). Both still alias to EventPolicy#show?.
