Fix authorization error for facilitator spotlights in share portal#1011

Open
Copilot wants to merge 3 commits into main from copilot/fix-facilitator-spotlight-error

Conversation

Contributor

Copilot AI commented Feb 15, 2026

What is the goal of this PR and why is this important?

Users were receiving "You are not authorized to perform this action" errors when clicking on facilitator spotlight links in the "My Butterfly" (share portal) section. This prevented both authenticated users and guests from accessing publicly available facilitator spotlight stories, significantly impacting the usability of this key feature.

How did you approach the change?

The issue was caused by missing authorization methods in the StoryPolicy class. When ActionPolicy couldn't find specific authorization methods for the share portal actions (share_portal? and show_share_portal?), it fell back to the default manage? method which only allows admin users.

Changes made:

  1. Added share_portal? method to StoryPolicy that returns true (public access, same as index?)
  2. Added show_share_portal? method to StoryPolicy that delegates to show? for proper authorization:
    • Admins can view all stories
    • Authenticated users can view published stories
    • Guests can view publicly visible stories
  3. Added comprehensive test coverage for all user roles (admin, regular user, guest) and story visibility states (public, published, private)

Files modified:

  • app/policies/story_policy.rb - Added authorization methods
  • spec/requests/stories_spec.rb - Added test coverage for share portal authorization

Anything else to add?

All authorization tests pass successfully, code review found no issues, and security scanning (CodeQL) detected no vulnerabilities. The fix ensures proper access control while maintaining security and follows the existing authorization patterns in the codebase.

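The fallback-to-manage? behaviour described in the comment above, as an added example that is not code from the project or from this PR. ToyPolicy is a small stand-in for the action_policy gem's rule resolution (an unknown rule falls back to the default rule, manage?, which only admins satisfy); the User and Story classes and their attributes (admin?, published?, publicly_visible?) are assumptions for illustration. StoryPolicyBefore shows why the share portal actions were denied to everyone but admins, and StoryPolicyAfter mirrors the two rules the PR adds.

```ruby
# Added example, not the project's code. ToyPolicy stands in for ActionPolicy;
# User/Story and their attributes are assumed for illustration.

class User
  attr_reader :name

  def initialize(name, admin: false)
    @name = name
    @admin = admin
  end

  def admin?
    @admin
  end
end

class Story
  attr_reader :title

  def initialize(title, published: false, publicly_visible: false)
    @title = title
    @published = published
    @publicly_visible = publicly_visible
  end

  def published?
    @published
  end

  def publicly_visible?
    @publicly_visible
  end
end

# Toy stand-in for ActionPolicy::Base: resolves a rule by name and, when the
# policy has no such method, falls back to manage? (deny for non-admins).
class ToyPolicy
  attr_reader :user, :record

  def initialize(record, user: nil)
    @record = record
    @user = user # nil represents a guest
  end

  def apply(rule)
    rule = rule.to_sym
    rule = :manage? unless respond_to?(rule)
    public_send(rule) ? true : false
  end

  def manage?
    user ? user.admin? : false
  end
end

# StoryPolicy before the fix: no share portal rules, so share_portal? and
# show_share_portal? both resolve to manage? and non-admins are denied.
class StoryPolicyBefore < ToyPolicy
  def index?
    true
  end

  # admins see everything, members see published stories, guests see public ones
  def show?
    return true if user&.admin?
    return record.published? if user
    record.publicly_visible?
  end
end

# StoryPolicy after the fix, mirroring the PR description: share_portal? is
# public like index?, show_share_portal? delegates to show?.
class StoryPolicyAfter < StoryPolicyBefore
  def share_portal?
    true
  end

  def show_share_portal?
    show?
  end
end

# Returns { share_portal: bool, show_share_portal: bool } for one user and story.
def share_portal_access(policy_class, story, user)
  policy = policy_class.new(story, user: user)
  {
    share_portal: policy.apply(:share_portal?),
    show_share_portal: policy.apply(:show_share_portal?)
  }
end

if __FILE__ == $PROGRAM_NAME
  spotlight = Story.new("Facilitator spotlight", published: true, publicly_visible: true)
  [StoryPolicyBefore, StoryPolicyAfter].each do |klass|
    puts "#{klass}: guest -> #{share_portal_access(klass, spotlight, nil)}"
  end
end
```

In the real gem, ActionPolicy::Base declares `default_rule :manage?`, so a controller call such as `authorize! story, to: :share_portal?` with no matching policy method resolves to manage?. That fail-closed fallback is why the missing rules surfaced as "not authorized" rather than as an open door, and the fix keeps that default in place instead of loosening it: the added rules grant exactly the index?/show? semantics and nothing broader.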

@maebeale
Collaborator

@copilot try again

@maebeale maebeale marked this pull request as ready for review February 15, 2026 21:28
Copilot AI and others added 2 commits February 15, 2026 21:31
Co-authored-by: maebeale <7607813+maebeale@users.noreply.github.com>
Co-authored-by: maebeale <7607813+maebeale@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 15, 2026

@copilot try again

Fixed! The issue was that the StoryPolicy was missing authorization methods for the share portal actions. I've added:

  • share_portal? method (returns true like index?)
  • show_share_portal? method (delegates to show? for proper authorization)

The fix is in commit 0e9faa8. All authorization tests now pass - guests can view publicly visible stories, authenticated users can view published stories, and admins can view all stories in the share portal.

Copilot AI changed the title from "[WIP] Fix error related to facilitator spotlights access" to "Fix authorization error for facilitator spotlights in share portal" Feb 15, 2026