Allow admins to inspect objects on HCB #11856
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
| def active_teenagers_leaderboard | ||
| end | ||
|
|
||
| def inspect |
There was a problem hiding this comment.
I believe this overrides a Ruby method
There was a problem hiding this comment.
ah, good catch. maybe I'll restructure these to be one route. there was previously a need for them to be separate but I can combine them now since it's all being done in turbo.
| @resource_type = params[:resource] | ||
| @resource_id = params[:id] | ||
|
|
||
| Zeitwerk::Loader.eager_load_all |
There was a problem hiding this comment.
There are likely some columns that we shouldn't even allow admins inspect. I'm specifically thinking of encrypted columns such as session tokens, plaid tokens, etc.
At the moment, encrypted columns are not available to admins via Blazer bc blazer doesn't decrypt.
There was a problem hiding this comment.
I had considered making a concern, say inspectable, that could help us standardize configuration keep track of which columns should be accessible on the model itself. Does that sound like a good path forward?
At the moment, encrypted columns are not available to admins via Blazer bc blazer doesn't decrypt.
Do we want to hide encrypted columns in the inspection toolbar? I can see a case for either being made; on one hand, it allows for more destructive powers as an admin, but on the other hand, it reduces our reliance on the production Rails console.
| Zeitwerk::Loader.eager_load_all | ||
|
|
||
| # get all named classes extending ApplicationRecord | ||
| @all_resource_types = ObjectSpace.each_object(Class).select { |c| c < ApplicationRecord }.select(&:name).map(&:name) |
There was a problem hiding this comment.
Is this different than calling descendants on ApplicationRecord?
Also, maybe we should do ActiveRecord::Base to capture more models such as those created by gems. See which classes it would add.
There was a problem hiding this comment.
I'll look into this. I think I had that approach initially and it caused some issues, but I don't recall exactly why I switched away from this. I'll get back to you.
|
|
||
| def self.find_relations(object) | ||
| if object.class < ApplicationRecord | ||
| object = object.attributes |
There was a problem hiding this comment.
I believe AR has a method something along the lines of reflect_on_associations.
There was a problem hiding this comment.
It does—this was a quick and dirty way of adding a shortcut for [anything]_id, but it would be nice to work with other association types too.
Summary of the problem
HCB engineers and operations staff frequently need to access information about a record that isn't show in the interface. Sometimes records can get into broken states, and you can't access the intended admin page. Or, sometimes we just don't show enough about an object, requiring staff to use Blazer or use the production console.
Describe your changes
This PR proposes adding an admin-only inspection toolbar. Inspired by Stripe and Cockpit, this toolbar intelligently detects the primary object of the current page you're on (using some Rails routing magic) and renders a text-based representation of the object to assist with troubleshooting and debugging. It also allows you to follow any direct associations or look up an object manually by and of its primary fields.