Description
Describe the bug
You are not supposed to be able to delete a project until you have deleted its rules and completed a project update cycle. But if you cancel the project update cycle that deletes its rules, you are able to then go delete the project.
To Reproduce
- Create a project with rules and update projects.
- Attempt to delete the project and it refuses, telling you to delete all rules first. ✔️
- Delete the rule. The edits pending banner appears, the rule goes away on-screen and, if you navigate to Projects List, the project is "Edits Pending". ✔️
- Attempt to delete the project and it still refuses; now it is waiting for the project update. ✔️
- Start a project update
, then cancel the project update.✔️
The edits pending banner remains on-screen. - Now try to delete the project and you can. ❌
Expected behavior
At first blush, one would think to just check if the last project update completed before allowing the user to do the deletion operation. But between the time you check-and-notify-the-user, there is plenty of time for another user to, for example, go add a new rule to that project.
I think a better solution would be to attempt to do the operation, but let the authz server fail the requested project deletion if the last project update was cancelled. Now that is not really correct. We do not know that the rules for the project were removed in that particular cancelled project update. There is, in fact, no mechanism currently to tie a particular rule deletion to a particular project update. But if we want to ensure that rules were deleted, that might be the best we could do.