Some variables accessible before in rules not accessible now

[mahalakshme]

Description:

Refer the below links for description:
https://github.com/avniproject/avni-security/issues/1#issuecomment-1717464830
https://github.com/avniproject/avni-security/issues/1#issuecomment-1719097094

Acceptance criteria:

Understand how this formElement was accessible before. Identify if there is possibility for any other variables to be accessible without being passed as parameters to the rules. Ideally variables not passed as parameters to the rule should not be accessible. Fix the necessary rules and the code accordingly.

[petmongrels]

https://prerelease.avniproject.org/#/appdesigner/forms/ed2c239a-00ca-439c-8f2b-76543fdc55cf -> 'Average Scores and Feedback' FEG -> 'Average Scores' FE (QuestionGroup) -> All the rules for the questions under that

Prod - https://app.avniproject.org/#/appdesigner/forms/ed2c239a-00ca-439c-8f2b-76543fdc55cf

'lfeteach' org in both environments

[petmongrels]

LFE branch seems incorrect. it has commits upto feb 23. but the apk release is only upto Jan.

[vinayvenu]

I think we planned to release lfe to fix some of the bigger items that came from our post-upgrade issues, but never got around to deploying.

In any case, the lfe branch is not required anymore since we have moved all features from lfe to our main branches.

[petmongrels]

Number of form elements that use formElement via params.formElement: 25449

select count(*) from form_element
join organisation o on form_element.organisation_id = o.id
where rule like '%params.formElement%' and rule like '%formElement%' and form_element.is_voided = false;

Number of form elements that use formElement without params.formElement: only a few form elements in LFE Teach. LFE Teach instance our main hosting is not the real prod.

select o.name, form_element.group_id from form_element
join organisation o on form_element.organisation_id = o.id
where rule not like '%params.formElement%' and rule like '%formElement%' and form_element.is_voided = false;

[mahalakshme]

@petmongrels we had discussed in standup(u were not there) that we 'll identify why the issue happened now - how the global variables are not accessible now to identify like formElement if there are some other variables as well. Just updating.

[petmongrels]

JS globals had stopped working sometime beginning of this year, after last react native upgrade I think. we had to explicitly exposed globals as in the following commits. But we also deprecated this approach. So it has been a while now that accessing things from global do not work and using from lib is deprecated.

avniproject/rules-config@cf69907
e40ff6c
LFE in use from before this, because the timer wasn't working after the previous react native upgrade.

moving back to analysis

[vinayvenu]

Verified. This is not an issue in the primary production organisation. There are issues on the lfeTeach which will need to be fixed.

Queries

select o.name, fe.name, fe.rule, fe.declarative_rule from form_element fe
                                                              inner join organisation o on fe.organisation_id = o.id
where fe.rule ~ '.*[^.]formElement.*' and fe.rule !~ '.*params.formElement.*' and fe.is_voided is false;

select distinct o.name from form_element fe
                                inner join organisation o on fe.organisation_id = o.id
where fe.rule ~ '.*[^.]formElement.*' and fe.rule !~ '.*params.formElement.*' and fe.is_voided is false;


select rule from form_element where rule ~ '.*[^.]common.*';
select rule from form_element where rule ~ '.*[^.]motherCalculations.*';
select rule from form_element where rule ~ '.*[^.]models.*';
select rule from form_element where rule ~ '.*[^.]entity.*';


select enrolment_eligibility_check_rule from program where program.enrolment_eligibility_check_rule ~ '.*[^.]common.*';
select enrolment_eligibility_check_rule from program where program.enrolment_eligibility_check_rule ~ '.*[^.]motherCalculations.*';
select enrolment_eligibility_check_rule from program where program.enrolment_eligibility_check_rule ~ '.*[^.]models.*';
select enrolment_eligibility_check_rule from program where program.enrolment_eligibility_check_rule ~ '.*[^.]entity.*';


select manual_enrolment_eligibility_check_rule from program where program.manual_enrolment_eligibility_check_rule ~ '.*[^.]common.*';
select manual_enrolment_eligibility_check_rule from program where program.manual_enrolment_eligibility_check_rule ~ '.*[^.]motherCalculations.*';
select manual_enrolment_eligibility_check_rule from program where program.manual_enrolment_eligibility_check_rule ~ '.*[^.]models.*';
select manual_enrolment_eligibility_check_rule from program where program.manual_enrolment_eligibility_check_rule ~ '.*[^.]entity.*';


select encounter_eligibility_check_rule from encounter_type where encounter_type.encounter_eligibility_check_rule ~ '.*[^.]common.*';
select encounter_eligibility_check_rule from encounter_type where encounter_type.encounter_eligibility_check_rule ~ '.*[^.]motherCalculations.*';
select encounter_eligibility_check_rule from encounter_type where encounter_type.encounter_eligibility_check_rule ~ '.*[^.]models.*';
select encounter_eligibility_check_rule from encounter_type where encounter_type.encounter_eligibility_check_rule ~ '.*[^.]entity.*';


select subject_summary_rule from subject_type where subject_type.subject_summary_rule ~ '.*[^.]common.*';
select subject_summary_rule from subject_type where subject_type.subject_summary_rule ~ '.*[^.]motherCalculations.*';
select subject_summary_rule from subject_type where subject_type.subject_summary_rule ~ '.*[^.]models.*';
select subject_summary_rule from subject_type where subject_type.subject_summary_rule ~ '.*[^.]entity.*';


select program_eligibility_check_rule from subject_type where subject_type.program_eligibility_check_rule ~ '.*[^.]common.*';
select program_eligibility_check_rule from subject_type where subject_type.program_eligibility_check_rule ~ '.*[^.]motherCalculations.*';
select program_eligibility_check_rule from subject_type where subject_type.program_eligibility_check_rule ~ '.*[^.]models.*';
select program_eligibility_check_rule from subject_type where subject_type.program_eligibility_check_rule ~ '.*[^.]entity.*';

[vinayvenu]

@mahalakshme output - we need to fix rules for all organisations within lfeTeach for them to be using the rules.

[mahalakshme]

@vinayvenu I added it in release 5.0 card yesterday - since implementation team can do it as part of the release

[mahalakshme]

@nupoorkhandelwal @salilsamanvay @vedfordev Is there a reason why the "Average scores and Feedback" is hidden for AP Teach and Teach NL UAT?

There is a problem with the rules on form elements of this page. It will break if we ever try to enable it.

[mahalakshme]

Closing this since when the rule is enabled and tested it will anyways get identified.