Add audience field for role-restricted event visibility #22
Open
Admins can now mark a public event as visible only to volunteers and admins. Use case: a volunteer briefing or staff-only coordination session that should appear on /schedule for the right roles but stay completely invisible to regular attendees.

Data model: a string-backed `audience` enum on ScheduleItem with two values, "everyone" (default, current behavior) and "volunteers_only". The field only matters when is_public: true; private events stay admin-only as before.

Visibility rules (ScheduleItem.visible_to(user) scope):
- admin / volunteer: sees all public items regardless of audience
- attendee / signed-out: sees only items with audience: "everyone"
- private items (is_public: false): never appear, for any role

Wired into both read paths:
- ScheduleController#index — list filter on /schedule
- PlanItemsController#create — security guard so an attendee cannot bypass the list and RSVP to a hidden event by guessing its ID

Admin UI:
- New "Visible to" select on the admin schedule-item form, below the Public checkbox. Two options: Everyone / Volunteers only.
- Admin index now shows "(volunteers)" next to the Public badge when audience is restricted, so the audience is visible at a glance.

Out of scope (deferred):
- Per-user invitee picker — interview confirmed roles are sufficient.
- Audience selection on the user-facing /schedule_items form. Attendee-created activities default to audience: "everyone" via the column default.
- Adding "admins_only" as a third audience — one-line follow-up if ever needed.

Existing :public_items scope is preserved; :visible_to composes on top. Existing plan items are grandfathered: changing audience after a user plans an event does not retroactively remove it from their /plan.
🚅 Deployed to the ruby-embassy-pr-22 environment in ruby-embassy
# Conflicts:
# app/controllers/admin/schedule_items_controller.rb
# db/schema.rb
Summary

- `audience` enum to `ScheduleItem` (`everyone` default, `volunteers_only`) layered on top of `is_public`, so admins can publish events that only volunteers and admins see on `/schedule`. Visibility is enforced in two places via a new `ScheduleItem.visible_to(user)` scope: the public schedule list AND `PlanItemsController#create` (so attendees can't bypass the list and RSVP to a hidden event by guessing the ID).
- `/schedule_items` form is intentionally untouched — attendee-created activities default to `audience: "everyone"` via the column default.
- `/schedule` integration, and the `PlanItemsController` 404 guard.

Test plan

- `bin/rails test` — 120 runs, 326 assertions, 0 failures
- `bin/rubocop`, `bin/brakeman`, `bin/bundler-audit`, `bin/importmap audit` — all clean
- `volunteers_only` event; confirm it appears on `/schedule` for admin + volunteer, hidden for attendee
- `/plan_items` with a hidden event's ID — expect 404
- `everyone` event as attendee, then admin flips it to `volunteers_only` — confirm it stays on attendee's `/plan` (grandfather behavior)
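The visibility rules and the create-path guard described in this PR, modelled in plain Ruby without Rails. This is an added example, not code from the PR: `Item`, `User`, `ITEMS`, `schedule_index`, `create_plan_item_unguarded` and `create_plan_item` are hypothetical names, the sample data is constructed, and the unguarded variant exists only to show why filtering the list alone is not enough.

```ruby
# Added illustration: plain-Ruby model of the PR's visibility rules (no Rails).
# Item, User, ITEMS and the helper names below are constructed for this sketch.
Item = Struct.new(:id, :title, :is_public, :audience, keyword_init: true)
User = Struct.new(:name, :role, keyword_init: true)

# Constructed sample data.
ITEMS = [
  Item.new(id: 1, title: "Opening keynote",    is_public: true,  audience: "everyone"),
  Item.new(id: 2, title: "Volunteer briefing", is_public: true,  audience: "volunteers_only"),
  Item.new(id: 3, title: "Draft session",      is_public: false, audience: "everyone")
].freeze

STAFF_ROLES = %w[admin volunteer].freeze

# Mirrors the described rules: private items never appear; admins and
# volunteers see every public item; attendees and signed-out visitors
# (user == nil) see only audience "everyone".
def visible_to(user, items = ITEMS)
  staff = !user.nil? && STAFF_ROLES.include?(user.role)
  items.select { |i| i.is_public && (staff || i.audience == "everyone") }
end

# List path (/schedule): titles the user may see.
def schedule_index(user)
  visible_to(user).map(&:title)
end

# Hypothetical unguarded create: looks the item up by raw ID, so a guessed ID
# for a hidden event still yields a plan item even though the list hid it.
def create_plan_item_unguarded(_user, item_id)
  item = ITEMS.find { |i| i.id == item_id }
  item ? [201, item.title] : [404, nil]
end

# Guarded create: the lookup runs inside the same visibility scope as the
# list, so a hidden item answers exactly like a missing one (404 either way).
def create_plan_item(user, item_id)
  item = visible_to(user).find { |i| i.id == item_id }
  item ? [201, item.title] : [404, nil]
end

if __FILE__ == $PROGRAM_NAME
  attendee = User.new(name: "ana", role: "attendee")
  p schedule_index(attendee)                 # list hides the briefing
  p create_plan_item_unguarded(attendee, 2)  # raw-ID lookup still reaches it
  p create_plan_item(attendee, 2)            # scoped lookup returns 404
end
```

Returning the same 404 for hidden and nonexistent IDs also keeps the response from confirming that a restricted event exists.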