Fix: #2855: Cookie Overflow when trying to import CasaCase CSV #6456
Conversation
This refactors the FailedImportCsv service and its usage in ImportsController to improve readability, reduce hidden side effects, and simplify responsibilities. Changes include: - Renaming `csv_service` to `failed_csv_service` for clearer intent - Isolating expiry logic (`expired?`, `remove_csv`) from read flow - Adding structured logging for removals and size limits - Extracting filename generation to its own method - Reducing max allowed file size from 1MB to 250KB - Updating specs to focus on behavior and remove unnecessary expectations This cleanup lays the groundwork for better testability and safer future changes.
Adds system test coverage for importing volunteers and supervisors where the CSV input lacks `display_name` values, a known cause of cookie overflow and failure. Changes include: - New fixture CSVs with missing display_name columns for both roles - Additional system specs validating that import failures are surfaced properly via the "CSV Import Error" modal - Consolidated admin import tests under a scoped "as an admin" context - Minor improvements to test structure and readability This test ensures we detect regressions in import validation and prevents oversized session cookies from invalid user objects.
alexmalik
requested review from
compwron,
FireLemons and
elasticspoon
as code owners
There was a problem hiding this comment.
Pull Request Overview
This PR fixes issue #2855 by resolving cookie overflow problems when importing large CasaCase CSV files. The solution replaces storing failed import rows in the session with a filesystem-based approach using temporary files.
- Introduces a new
FailedImportCsvservice to manage failed import data in temporary files - Updates the imports controller to use the new service instead of session storage
- Adds comprehensive test coverage for the new service and updated controller behavior
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| app/services/failed_import_csv.rb | New service for managing failed import CSV data with file storage, size limits, and expiration |
| app/controllers/imports_controller.rb | Updated to use FailedImportCsv service instead of session storage |
| spec/services/failed_import_csv_spec.rb | Comprehensive test coverage for the new service |
| spec/requests/imports_spec.rb | Updated request specs to test file-based storage integration |
| spec/system/imports/index_spec.rb | Added system tests for failed import modal display |
| spec/fixtures/files/*.csv | Test fixture files for scenarios with missing display names |
| config/locales/en.yml | Localization labels for import types |
Comments suppressed due to low confidence (2)
spec/system/imports/index_spec.rb:15
- The existing test contexts are not properly nested under the new 'as an admin' context. This creates inconsistent test structure where some tests are inside the admin context and others are not, potentially causing confusion about test scope.
context "as an admin" do
app/controllers/imports_controller.rb:5
- The before_action callback name
failed_csv_serviceis confusing as it suggests it returns a service, but it actually sets an instance variable. Consider renaming tosetup_failed_csv_serviceorinitialize_failed_csv_servicefor clarity.
before_action :failed_csv_service, only: [:create, :download_failed]
|
|
||
| check "sms-opt-in-checkbox" | ||
| click_button "sms-opt-in-continue-button" | ||
| find("#sms-opt-in-checkbox", visible: true).check |
There was a problem hiding this comment.
This change from check "sms-opt-in-checkbox" to find("#sms-opt-in-checkbox", visible: true).check appears unrelated to the main PR purpose of fixing cookie overflow. This type of change should be in a separate commit or explained in the PR description.
| find("#sms-opt-in-checkbox", visible: true).check | |
| check "sms-opt-in-checkbox" |
Copilot uses AI. Check for mistakes.
There was a problem hiding this comment.
Have responded to this and added the explanation for changing check "sms-opt-in-checkbox" to find("#sms-opt-in-checkbox", visible: true).check to the PR description
app/services/failed_import_csv.rb
Outdated
| require "csv" | ||
|
|
There was a problem hiding this comment.
The require "csv" statement inside the class is unnecessary in Rails applications as CSV is part of the Ruby standard library and is typically auto-loaded. Consider removing this explicit require.
| require "csv" |
Copilot uses AI. Check for mistakes.
There was a problem hiding this comment.
Have removed the require "csv" statement from the app/services/failed_import_csv.rb file
app/services/failed_import_csv.rb
Outdated
| end | ||
|
|
||
| def filename | ||
| "failed_rows_userid_#{user.id}.csv" |
There was a problem hiding this comment.
The filename includes the user ID directly without sanitization. While user IDs are typically safe, consider using a more secure approach like hashing the user ID or adding additional validation to prevent potential path traversal issues.
| "failed_rows_userid_#{user.id}.csv" | |
| "failed_rows_userid_#{hashed_user_id}.csv" |
Copilot uses AI. Check for mistakes.
There was a problem hiding this comment.
This has been fixed and the user id has been hashed.
|
Thanks for the review, I will implement these changes |
|
:) |
…d#2855) - Refactor `FailedImportCsv` to `FailedImportCsvService` for clarity and extensibility - Use hashed user ID (short_hash) in CSV failure filenames to increase security - Centralize filepath generation via `csv_filepath` on the service - Update fallback messaging for expired or missing CSVs - Refactor specs to use new service and path generation
alexmalik
force-pushed
the
fix-bug-2855-cookie-overflow
branch
from
dd6fab5 to
8ed5b2f
Compare
|
I've done my best, and this is ready for another review |
What github issue is this PR for, if any?
Resolves #2855
What changed, and why?
The file containing failed import rows changed from being stored in the session as a csv string, to being stored in the filesystem in the tmp directory.
In the spec
spec/system/index_specthe change fromcheck "sms-opt-in-checkbox"tofind("#sms-opt-in-checkbox", visible: true).checkwas due to needing to make capybara wait for the sms check box modal to appear before trying tocheckit.How is this tested? 💖💪
This is tested with several spec files:
This PR adds a service object so there is a spec directly for that
There is a request spec to check the details around the session and the service
There is a system spec to check that the error modal appears
A spec is still required to check the possible error messages returned by the
#readmethod of the service - the error messages become the content of the 'failed_rows.csv'Screenshots please :)
Feelings gif