
Commit 961e2a5

Restrict teacher ability so that they can only access their own class projects (#900)
## Status - Part of RaspberryPiFoundation/digital-editor-issues#526 ## What's changed? - Fixed a bug where teachers could access projects in school classes they don't belong to, by adding a class-membership check to the project rule in the school teacher abilities.
1 parent f567c3e commit 961e2a5

2 files changed

Lines changed: 9 additions & 9 deletions


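--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -91,7 +91,7 @@ def define_school_teacher_abilities(user:, school:)
 can(%i[create], Project) do |project|
 school_teacher_can_manage_project?(user:, school:, project:)
 end
-can(%i[read update show_context], Project, school_id: school.id, lesson: { visibility: %w[teachers students] })
+can(%i[read update show_context], Project, school_id: school.id, lesson: { visibility: %w[teachers students], school_class: { teachers: { teacher_id: user.id } } })
 teacher_project_ids = Project.where(
 school_id: school.id,
 remixed_from_id: nil,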
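Review bot: The nested `school_class: { teachers: { teacher_id: user.id } }` condition on the new `can(%i[read update show_context], ...)` line is now the only thing keeping a teacher out of other classes' projects, and nothing on the line says so; add a comment above it such as `# Teachers may only read/update projects in classes they teach, not every class in the school`, so the next edit to this long rule does not drop the membership check. The `create` rule three lines above uses a block helper while this one uses hash conditions; hash conditions are what CanCanCan needs for `accessible_by`, so if that is used for project listing (not visible here) keep the hash form and say so in the comment, otherwise consider a shared helper so both rules apply the same membership test. The `teacher_project_ids` query that begins at the end of the hunk continues outside it, so this hunk alone cannot show whether a later rule grants `read` on those ids without the same class check; `define_school_teacher_abilities` starts and ends outside the hunk.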

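--- a/spec/models/ability_spec.rb
+++ b/spec/models/ability_spec.rb
@@ -186,15 +186,15 @@
 it { is_expected.not_to be_able_to(:destroy, project) }
 end
 
-context 'when user is a school teacher' do
+context 'when user is another teacher in the same school' do
 before do
 create(:teacher_role, user_id: user.id, school:)
 end
 
-it { is_expected.to be_able_to(:read, project) }
-it { is_expected.to be_able_to(:show_context, project) }
+it { is_expected.not_to be_able_to(:read, project) }
+it { is_expected.not_to be_able_to(:show_context, project) }
 it { is_expected.not_to be_able_to(:create, project) }
-it { is_expected.to be_able_to(:update, project) }
+it { is_expected.not_to be_able_to(:update, project) }
 it { is_expected.not_to be_able_to(:set_finished, project.school_project) }
 it { is_expected.not_to be_able_to(:destroy, project) }
 end
@@ -248,15 +248,15 @@
 it { is_expected.not_to be_able_to(:destroy, project) }
 end
 
-context 'when user is a school teacher' do
+context 'when user is another teacher in the same school' do
 before do
 create(:teacher_role, user_id: user.id, school:)
 end
 
-it { is_expected.to be_able_to(:read, project) }
-it { is_expected.to be_able_to(:show_context, project) }
+it { is_expected.not_to be_able_to(:read, project) }
+it { is_expected.not_to be_able_to(:show_context, project) }
 it { is_expected.not_to be_able_to(:create, project) }
-it { is_expected.to be_able_to(:update, project) }
+it { is_expected.not_to be_able_to(:update, project) }
 it { is_expected.not_to be_able_to(:set_finished, project.school_project) }
 it { is_expected.not_to be_able_to(:destroy, project) }
 end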
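Review bot: Both hunks only flip the same-school teacher to the negative case; neither adds the positive counterpart, a teacher who belongs to the project's `school_class`, so the new membership condition in `Ability` has no spec showing it still grants `read`, `update` and `show_context` to the intended teacher, and a future regression that denies everyone would pass these examples. Unless such a context already exists elsewhere in this file, add one beside each renamed context, e.g. `context 'when user is a teacher in the project's class' do` with a `before` that makes `user` a teacher of `project`'s class (the factory for that is not visible here) and `it { is_expected.to be_able_to(:read, project) }` plus the matching `update` and `show_context` expectations. The two hunks are identical in content; if the surrounding `describe` blocks differ only in project setup, a shared example group would keep the two in step. The enclosing `describe` blocks start and end outside both hunks.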
