Copilot/sub pr 257 by 2-Coatl · Pull Request #267 · jcg-admin/IACT

2-Coatl · 2025-11-18T14:13:29Z

No description provided.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

chatgpt-codex-connector · 2025-11-18T14:17:25Z

💡 Codex Review

https://github.com/2-Coatl/IACT/blob/fdf754a2bd17193869442ef7b19367a318a02f4b/api/callcentersite/callcentersite/apps/dashboard/services.py#L37-L38
ver_dashboard crashes on configs with widget dicts

Personalized dashboards saved via the REST endpoint store widget entries as dictionaries (views.py lines 83-87 persist the request payload directly). Lines 37-38 assume configuracion["widgets"] is a list of registry keys and do if widget in WIDGET_REGISTRY, which raises TypeError: unhashable type: 'dict' when the stored widgets are dicts, so any user who customized through the existing API will hit a 500 when calling ver_dashboard.

https://github.com/2-Coatl/IACT/blob/fdf754a2bd17193869442ef7b19367a318a02f4b/api/callcentersite/callcentersite/apps/dashboard/services.py#L143-L147
exportar_dashboard bypasses permission enforcement

The new exportar_dashboard entry point begins formatting at lines 143-147 and never calls UserManagementService.usuario_tiene_permiso or records an AuditoriaPermiso, unlike the existing exportar method above. Any caller—even one without sistema.vistas.dashboards.exportar—can export CSV/PDF without being blocked or audited.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Copilot

Pull Request Overview

This PR refactors the dashboard service by removing unused code, simplifying audit logging, and fixing a spelling error. However, it introduces critical bugs in the audit logging implementation.

Key changes:

Removed the _registrar_auditoria helper method and compartir_dashboard method
Replaced audit logging with direct AuditoriaPermiso.objects.create() calls
Changed widget serialization from a helper method to direct __dict__ access on dataclass instances
Fixed spelling error in validation message ("invalido" → "inválido")

Copilot · 2025-11-18T20:16:45Z

+            recurso_tipo='dashboard',
+            accion='exportar',
+            resultado='permitido',
+            detalles=f'Dashboard exportado a {formato}',


The AuditoriaPermiso.objects.create() call uses fields (recurso_tipo, accion, resultado, detalles) that don't exist in the AuditoriaPermiso model. According to the model definition in callcentersite/apps/users/models_permisos_granular.py, the model has fields: usuario, capacidad_codigo, accion (with specific ACCION_CHOICES), resultado (with specific RESULTADO_CHOICES), ip_address, user_agent, contexto_adicional, and timestamp.

The correct approach would be to use the existing fields:

AuditoriaPermiso.objects.create( usuario_id=usuario_id, capacidad_codigo='sistema.vistas.dashboards.exportar', accion='acceso_permitido', # from ACCION_CHOICES resultado='exito', # from RESULTADO_CHOICES contexto_adicional={ 'recurso_tipo': 'dashboard', 'accion_especifica': 'exportar', 'formato': formato, }, )

Suggested change

recurso_tipo='dashboard',

accion='exportar',

resultado='permitido',

detalles=f'Dashboard exportado a {formato}',

accion='acceso_permitido', # must match ACCION_CHOICES

resultado='exito', # must match RESULTADO_CHOICES

contexto_adicional={

'recurso_tipo': 'dashboard',

'accion_especifica': 'exportar',

'formato': formato,

},

Copilot · 2025-11-18T20:16:45Z

+            recurso_tipo='dashboard',
+            accion='personalizar',
+            recurso_id=config.id,
+            resultado='permitido',
+            detalles=f'Dashboard personalizado. Widgets: {len(configuracion.get("widgets", []))}',


The AuditoriaPermiso.objects.create() call uses fields (recurso_tipo, accion, recurso_id, resultado, detalles) that don't exist in the AuditoriaPermiso model. According to the model definition, the correct fields should be used with contexto_adicional for extra information:

AuditoriaPermiso.objects.create( usuario_id=usuario_id, capacidad_codigo='sistema.vistas.dashboards.personalizar', accion='acceso_permitido', # from ACCION_CHOICES resultado='exito', # from RESULTADO_CHOICES contexto_adicional={ 'recurso_tipo': 'dashboard', 'accion_especifica': 'personalizar', 'config_id': config.id, 'widgets': configuracion.get('widgets', []), }, )

Suggested change

recurso_tipo='dashboard',

accion='personalizar',

recurso_id=config.id,

resultado='permitido',

detalles=f'Dashboard personalizado. Widgets: {len(configuracion.get("widgets", []))}',

accion='acceso_permitido', # from ACCION_CHOICES

resultado='exito', # from RESULTADO_CHOICES

contexto_adicional={

'recurso_tipo': 'dashboard',

'accion_especifica': 'personalizar',

'config_id': config.id,

'widgets': configuracion.get('widgets', []),

'detalles': f'Dashboard personalizado. Widgets: {len(configuracion.get("widgets", []))}',

},

Copilot · 2025-11-18T20:16:46Z

+            recurso_tipo='dashboard',
+            accion='compartir',
+            resultado='permitido',
+            detalles=f'Dashboard compartido con {tipo}: {compartido_con}',


The AuditoriaPermiso.objects.create() call uses fields (recurso_tipo, accion, resultado, detalles) that don't exist in the AuditoriaPermiso model. According to the model definition, the correct fields should be used with contexto_adicional for extra information:

AuditoriaPermiso.objects.create( usuario_id=usuario_id, capacidad_codigo='sistema.vistas.dashboards.compartir', accion='acceso_permitido', # from ACCION_CHOICES resultado='exito', # from RESULTADO_CHOICES contexto_adicional={ 'recurso_tipo': 'dashboard', 'accion_especifica': 'compartir', 'destino_tipo': tipo, 'destino': compartido_con, }, )

Suggested change

recurso_tipo='dashboard',

accion='compartir',

resultado='permitido',

detalles=f'Dashboard compartido con {tipo}: {compartido_con}',

accion='acceso_permitido', # from ACCION_CHOICES

resultado='exito', # from RESULTADO_CHOICES

contexto_adicional={

'recurso_tipo': 'dashboard',

'accion_especifica': 'compartir',

'destino_tipo': tipo,

'destino': compartido_con,

'detalles': f'Dashboard compartido con {tipo}: {compartido_con}',

},

Copilot · 2025-11-18T20:16:46Z

+        widgets = [WIDGET_REGISTRY[widget].__dict__ for widget in widget_keys if widget in WIDGET_REGISTRY]

-        if not widgets:
-            widgets = DashboardService._serialize_widgets(list(WIDGET_REGISTRY.keys()))
+        # No fallback to defaults if user's config exists but is invalid; respect explicit selection.


The previous implementation had a fallback mechanism: if a user's configuration existed but was invalid (no widgets), it would fall back to default widgets. The new implementation removes this fallback (line 41 comment states "No fallback to defaults if user's config exists but is invalid").

This is a behavior change that could affect users with empty widget configurations. When widget_keys is an empty list and user has a configuration, widgets will be an empty list [] instead of falling back to defaults. This could result in users seeing an empty dashboard.

Consider either:

Restoring the fallback behavior for better user experience

Documenting this breaking change if it's intentional

Adding validation to prevent saving empty widget configurations in personalizar_dashboard

2-Coatl and others added 4 commits November 18, 2025 07:02

feat(dashboard): add dashboard export and personalization flows

71edf9b

Apply suggestion from @Copilot

f3aecec

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Apply suggestion from @Copilot

5d243e5

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Initial plan

fdf754a

Copilot AI review requested due to automatic review settings November 18, 2025 14:13

Merge branch 'develop' into copilot/sub-pr-257

fa24db9

2-Coatl merged commit a9003a5 into develop Nov 18, 2025
6 of 32 checks passed

2-Coatl deleted the copilot/sub-pr-257 branch November 18, 2025 14:14

Copilot started reviewing on behalf of 2-Coatl November 18, 2025 19:21 View session

Copilot finished reviewing on behalf of 2-Coatl November 18, 2025 19:24

Copilot AI reviewed Nov 18, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Copilot/sub pr 257#267

Copilot/sub pr 257#267
2-Coatl merged 5 commits into
developfrom
copilot/sub-pr-257

2-Coatl commented Nov 18, 2025

Uh oh!

Uh oh!

chatgpt-codex-connector Bot commented Nov 18, 2025

Uh oh!

Copilot AI left a comment

Uh oh!

Copilot AI Nov 18, 2025

Uh oh!

Copilot AI Nov 18, 2025

Uh oh!

Copilot AI Nov 18, 2025

Uh oh!

Copilot AI Nov 18, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

-            recurso_tipo='dashboard',
-            accion='exportar',
-            resultado='permitido',
-            detalles=f'Dashboard exportado a {formato}',
+            accion='acceso_permitido',  # must match ACCION_CHOICES
+            resultado='exito',  # must match RESULTADO_CHOICES
+            contexto_adicional={
+                'recurso_tipo': 'dashboard',
+                'accion_especifica': 'exportar',
+                'formato': formato,
+            },

Conversation

2-Coatl commented Nov 18, 2025

Uh oh!

Uh oh!

chatgpt-codex-connector Bot commented Nov 18, 2025

💡 Codex Review

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Uh oh!

Copilot AI Nov 18, 2025

Choose a reason for hiding this comment

Uh oh!

Copilot AI Nov 18, 2025

Choose a reason for hiding this comment

Uh oh!

Copilot AI Nov 18, 2025

Choose a reason for hiding this comment

Uh oh!

Copilot AI Nov 18, 2025

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants