Skip to content

Add actions to block add-ons / view authors in scanner results admin #24424

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
diox wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Add actions to block add-ons / view authors in scanner results admin #24424

diox wants to merge 4 commits into from
+286 −11

Conversation

@diox
Copy link
Member

@diox diox commented Feb 6, 2026

Fixes mozilla/addons#16047

Testing

  • With a user that has blocklist creation and user edit permissions
  • Go to the admin
  • Execute a scanner query rule that yields some results, or look at existing scanner results

Expected:

  • Each result should have a checkbox
  • There should be actions at the top allowing you to search for the authors or block add-ons of the selected results

diox
diox commented Feb 6, 2026
View reviewed changes
src/olympia/scanners/admin.py
)
return '-'

formatted_channel.short_description = 'Channel'
Copy link
Member Author

@diox diox Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regaining a little bit of horizontal space

diox
diox commented Feb 6, 2026
View reviewed changes
src/olympia/blocklist/admin.py

return ro_fields

def _get_input_guids(self, request):
Copy link
Member Author

@diox diox Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was unused

@diox diox marked this pull request as ready for review February 6, 2026 14:41
@diox diox requested a review from eviljeff February 9, 2026 10:17
eviljeff
eviljeff reviewed Feb 9, 2026
View reviewed changes
src/olympia/scanners/admin.py
url = reverse('admin:blocklist_blocklistsubmission_add')
# blocklist submission page expects guids separated by \n
parameters = {'guids': '\n'.join(guids)}
return HttpResponseRedirect(url + f'?{urlencode(parameters)}')
Copy link
Member

@eviljeff eviljeff Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A GET redirect is going to hit the url limit quite quickly with the average guid length. Really you want a POST but I'm not sure how you can achieve that with a redirect (HttpResponseTemporaryRedirect requires the POST data to be already in the request, iirc, so it would have to be in the form that lead to the action... ?).

Copy link
Member Author

@diox diox Feb 9, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah this is not great.

The main problem is that even if the method was POST to begin with, I can't tamper with the data in the redirect.

Beginning of an idea, I can deal with the method by setting formmethod on the <input> responsible for the submission of the action, then stick the addon guids in disabled <input type="hidden"> in each row, then enable/disable them when each checkbox is ticked. Pretty convoluted though, and I'm not sure if the POST data will be forwarded to the redirected URL in the first place in all browsers, but I can try.

Alternatively, I could accept add-on pks in blocklist submission admin, and pass that instead via GET...

Copy link
Member

@eviljeff eviljeff Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah I think that's the only way - dump all the guid data into the html so the form can be submitted with it.

Or add a custom entrypoint to BlocklistSubmissionAdmin that accepts ScannerResult ids (I'm assuming the form post the action submits contains instance ids). It's a hack either way

Copy link
Member

@eviljeff eviljeff Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(my idea is possibly a more hacky hack, I've not thought through it)

Copy link
Member Author

@diox diox Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

21f0060 still uses a GET request but with pks to cram more add-ons in a single request safely - using POST required a lot more hacks...

@diox diox requested a review from eviljeff February 10, 2026 12:13
eviljeff
eviljeff approved these changes Feb 10, 2026
View reviewed changes
src/olympia/scanners/admin.py
Comment on lines +361 to +364
if not acl.action_allowed_for(request.user, amo.permissions.BLOCKLIST_CREATE):
actions.pop('block_addons_action', None)
if not acl.action_allowed_for(request.user, amo.permissions.USERS_EDIT):
actions.pop('search_for_authors_action', None)
Copy link
Member

@eviljeff eviljeff Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit-ish: I wonder if it would be better if these were implemented using allowed_permissions, and a matching has_xxx_permission function, like ModelAdmin seems to prefer (looking at super().get_actions code). I think this would look like allowed_permissions=['blocklist'] in the @admin.action and a has_blocklist_permission function?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eviljeff eviljeff eviljeff approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Task]: Add shortcut actions to block add-ons and view authors of add-ons in scanner results admin page

2 participants

@diox @eviljeff