Add Advisor Role #588
Add Advisor Role #588
Conversation
|
[diff-counting] Significant lines: 66. |
According to the leads, a lead advisor is possible |
There was a problem hiding this comment.
I found a minor bug while testing. To reproduce:
- Change the role of a user to something not tpm.
- Change isAdvisor to true.
- Change the role back to tpm.
The admin can now save the user.
This bug is unlikely to show up in production, and admin still has to review these changes after it is saved. However, to be safe, a check to enforce that an advisor cannot have the role of TPM can be put insetUser.
+1 Good catch @cchrischen! |
|
The addition of the 'isAdvisor' field definitely LGTM, streamlining the role management process! However, maybe it'd be beneficial to consider implementing a more robust validation check when toggling the advisor status, especially when changing roles to ensure consistency (could prevent potential oversights and reinforce the integrity of the role management system). 🐐 |
| Emitters.generalError.emit({ | ||
| headerMsg: 'Invalid Role!', | ||
| contentMsg: | ||
| 'TPM advisor is not a valid role. Please select a different role if this member is returning as an advisor.' |
There was a problem hiding this comment.
nit: maybe add "Note that previous TPMs may become dev advisors."
Also, just sanity checking: business advisor, and PM advisor are both a thing?
There was a problem hiding this comment.
Ops Leads say so. I'm waiting to hear back from the other role leads about this too. We can probably double check during leads sync.
There was a problem hiding this comment.
Ok! Let's leave it then!
There was a problem hiding this comment.
Nice, thanks for the detailed PR description too! Makes this PR easy to review.
Another question: are there plans to adjust the way Dev Portfolio/TEC behaves for advisors? Off the top of my head advisors have the same TEC requirement, but not the same Dev Portfolio requirement (for Dev Advisors).
Yep, for dev advisors the Dev Portfolio only requires a documentation submission. I'll modify the code to reflect that. |
| @@ -12,7 +12,7 @@ const DevPortfolioForm: React.FC = () => { | |||
| // When the user is logged in, `useSelf` always return non-null data. | |||
| // eslint-disable-next-line @typescript-eslint/no-non-null-assertion | |||
| const userInfo = useSelf()!; | |||
| const isTpm = userInfo.role === 'tpm'; | |||
| const [isTpm, isAdvisor] = [userInfo.role === 'tpm', userInfo.isAdvisor]; | |||
There was a problem hiding this comment.
I would just split this into two lines. Easier to read
|
This kinda change raises a bunch of
The existing roles in IDOL aren't really meant to fully capture authorization policies within IDOL or other policies like grading policies. All of those things are kinda crammed together into the existing roles, but the main purpose of it at the time was to reflect the roles that are displayed on the website. (On a side note, consider updating those because there's new roles since IDOL was originally built that aren't accounted for like PMM, APM, etc.) The purpose of #471 is to separate the concerns of those roles and roles used for access management. It also allows for better flexibility for access management. Something similar could be used to define grading policies as well such that it's all in a single configuration file instead of scattered across the codebase. But those are just some broader questions and ideas. As for this PR itself if those questions/ideas aren't relevant b/c I'm missing a lot of context:
Also feel free to ignore the first thing about the boolean flag if that's not really in the scope of this work. P.S. good catch on the bug @cchrischen :D We love some bug bashing 🐛 |
|
Just to introduce myself and provide a little bit of context, I'm the current Ops Lead of DTI and I think I'm more suited to answer these questions since these were decisions I was involved in.
This new role was created by the leads team, not IDOL, curated specifically for senior members of the team who don't want to do full time DTI work, but are willing to still help out newer members of DTI and impart their wisdom. They are functionally different from general members in the sense that they have significantly less (if any) deliverables. For example, a dev advisor does not have to submit any PRs as supposed to general developers, but they are required to submit code documentation instead. In the future when we do create the new website, I expect the new advisor role to be accurately reflected on the new website as well.
This was answered a little bit in the first question, but the relationship between the general role and the role advisor varies on the role, so the nature of the relationship is dependent on role. The reasoning for this is that each of the roles are functionally very different, and thus the points of emphasis for the advisor varies. If you are at all curious, here are the expectations of all the advisor roles: https://docs.google.com/document/d/1SaxycR6-Dn-22LAPY10SNK526UrxXVr9s2c2F9LwEo4/edit?usp=sharing In terms of IDOL permissions, to my knowledge the only notable change at the moment is that dev advisors do not have to submit PRs in their dev portfolios, where as devs are required to. Everything else should remain the same.
It's actually very interesting what the purpose of roles on IDOL started off as, but I think our vision going into the (long-term) future is to have IDOL be a managerial tool for the leads, in order to keep track of assignments, policies, rubrics, and whatnot, although our current short-term goal is to get the new website up. 😃
I'll leave the remainder of this comment to the devs on IDOL as that information is more suited towards them (but also I agree the backend should be protected as well), but hope that clarified some things! |
|
Hey @JustKong13!
These questions aren't asked with the intention of questioning why the roles were added into to IDOL or why the roles exist within DTI. Rather, these questions pose engineering questions of the longer-term vision of what the introduction of new or modified role system can hope to achieve.
That's the answer I was expecting! This again is another engineering question, not a question to challenge the difference in policy between the general role and the advisor role. The idea of this question is to guide the current team to an understanding that the current implementation is not extensible. The current implementation of a set of fixed "general" roles with a boolean flag to indicate an advisor role (if you look at the actual PR) which requires many conditional checks to determine the correct policies to apply to a given user. It's also not very declarative this way which can be potentially confusing.
This is what I was referring to as "grading policies" in my original comment. Given the usage of IDOL, I would say there are essentially 2 types of policies:
While grading policies may not have too many notable changes at the moment, it potentially will also be very un-declarative in the future if there becomes more differences in the grading policies between general roles and advisor roles. As for authorization policies, there is the question of whether the advisor role should be treated the same as the general role when it comes to access control. For instance, many admin level checks check that a user is a lead or admin. That poses the question - should an advisor lead be granted to full admin permission on IDOL as other general role leads? While the answer may very well be yes, it's a question to ask. Another example would be for Candidate Decider (context for what this is isn't that important). Access to specific instances can be granted by user roles such as dev. Should this apply to dev advisors as well? Point is that just because it's simple right now doesn't mean that the underlying system should be haphazardly built without considering the implications. There's of course a tradeoff of premature abstraction vs spaghetti code but asking questions about these things is where those conversations start.
The original purpose of roles on IDOL is the same as it is now - The dual purpose of serving as a display on the website as well as handling authorization within the IDOL platform. And it looks like those 2 primary goals isn't changing anytime soon. But given that the IDOL platform is getting more complex, a change like this to update the role system should ideally take into account how to setup the role system to be extensible enough in the future. That is to build the system in a way that avoids wasteful refactors and data changes. Again just engineering problems :D
Yup thanks for clarifying things. Again all the questions are more engineering related to guide better engineering discussion but still ultimately achieve the requirements that are asked for. cc @andrew032011 @oscarwang20 @JasonMun7 as this comment explains the reasoning in my previous comment |
Summary
This PR adds the
isAdvisorfield to IDOL members. All members are not advisors by default. Admins can add advisors by setting the form field to "yes" inadmin/edit. There can be advisors for every role except TPM.Dev Portfolios have also been adjusted since dev advisors are only required to submit for documentation.
Test Plan
Manually edited and created users, modifying the field and seeing the changes update in the db.
Edit User
Create User
admin/editpage and in the backend once the new user is createdUpload CSV
isAdvisorfieldDev Portfolio
Notes
scripts/add-advisor.tsis being used to add the field to all members on the db; will stay up for reference and be removed before this pr gets merged