Allow teachers and owners to list SchoolEmailDomains

Add SchoolEmailDomainsController and school_email_domains route.
Return a list of domain strings.
Update CanCan ability to allow access only for teachers and owners.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: PetarSimonovic

app/controllers/api/school_email_domains_controller.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Api
+  class SchoolEmailDomainsController < ApiController
+    before_action :authorize_user
+    load_and_authorize_resource :school
+    authorize_resource :school_email_domain, class: false
+
+    def index
+      render json: school_email_domains, status: :ok
+    end
+
+    private
+
+    def school_email_domains
+      @school.school_email_domains.pluck(:domain)
+    end
+  end
+end

app/models/ability.rb

@@ -72,6 +72,7 @@ def define_school_owner_abilities(school:)
     can(%i[read update destroy], Lesson, school_id: school.id, visibility: %w[teachers students public])
     can(%i[read destroy], Feedback, school_project: { school_id: school.id })
     can(%i[exchange_code], :google_auth)
+    can(%i[read create], :school_email_domain)
   end
 
   def define_school_teacher_abilities(user:, school:)
@@ -102,6 +103,7 @@ def define_school_teacher_abilities(user:, school:)
     can(%i[show_status unsubmit return complete], SchoolProject, project: { remixed_from_id: teacher_project_ids })
     can(%i[read create destroy], Feedback, school_project: { project: { remixed_from_id: teacher_project_ids } })
     can(%i[exchange_code], :google_auth)
+    can(%i[read create], :school_email_domain)
   end
 
   def define_school_student_abilities(user:, school:)

config/routes.rb

@@ -82,6 +82,7 @@
         post :batch, on: :collection, to: 'school_students#create_batch'
         delete :batch, on: :collection, to: 'school_students#destroy_batch'
       end
+      resources :school_email_domains, only: %i[index], controller: 'school_email_domains'
     end
 
     resources :lessons, only: %i[index create show update destroy] do

spec/factories/school_email_domain.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :school_email_domain do
+    school
+    sequence(:domain) { |n| "domain#{n}.example.edu" }
+  end
+end

spec/features/school_email_domain/listing_school_email_domains_spec.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Listing school email domains', type: :request do
+  let(:headers) { { Authorization: UserProfileMock::TOKEN } }
+  let(:school) { create(:school) }
+  let(:school_email_domains) { create_list(:school_email_domain, 5, school: school) }
+
+  before do
+    school_email_domains
+  end
+
+  describe '#index' do
+    shared_examples 'a successful school email domains index' do
+      it 'responds 200 OK' do
+        expect(response).to have_http_status(:ok)
+      end
+
+      context 'when the school has domains' do
+        it 'returns a list of domains for the school' do
+          data = JSON.parse(response.body, symbolize_names: true)
+          expect(data).to match_array(school.school_email_domains.pluck(:domain))
+        end
+      end
+
+      context 'when domains do not belong to the school' do
+        let(:other_school) { create(:school) }
+        let(:school_email_domains) { create_list(:school_email_domain, 5, school: other_school) }
+
+        it 'returns an empty array' do
+          data = JSON.parse(response.body, symbolize_names: true)
+          expect(data).to eq([])
+        end
+      end
+    end
+
+    context 'with an authorised owner' do
+      let(:owner) { create(:owner, school:, name: 'School Owner') }
+
+      before do
+        authenticated_in_hydra_as(owner)
+        get("/api/schools/#{school.id}/school_email_domains", headers:)
+      end
+
+      it_behaves_like 'a successful school email domains index'
+    end
+
+    context 'with an authorised teacher' do
+      let(:teacher) { create(:teacher, school:, name: 'School Teacher') }
+
+      before do
+        authenticated_in_hydra_as(teacher)
+        get("/api/schools/#{school.id}/school_email_domains", headers:)
+      end
+
+      it_behaves_like 'a successful school email domains index'
+    end
+
+    context 'when the user does not have access' do
+      it 'responds 403 Forbidden when the user is a school-owner for a different school' do
+        other_school = create(:school)
+        other_owner = create(:owner, school: other_school, name: 'School Owner')
+        authenticated_in_hydra_as(other_owner)
+
+        get("/api/schools/#{school.id}/school_email_domains", headers:)
+        expect(response).to have_http_status(:forbidden)
+      end
+
+      it 'responds 403 Forbidden when the user is a school-teacher for a different school' do
+        other_school = create(:school)
+        other_teacher = create(:teacher, school: other_school, name: 'School Teacher')
+        authenticated_in_hydra_as(other_teacher)
+
+        get("/api/schools/#{school.id}/school_email_domains", headers:)
+        expect(response).to have_http_status(:forbidden)
+      end
+
+      it 'responds 403 Forbidden when the user is a student at the school' do
+        student = create(:student, school:)
+        authenticated_in_hydra_as(student)
+
+        get("/api/schools/#{school.id}/school_email_domains", headers:)
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
+    context 'when the user is not authenticated' do
+      it 'responds 401 Unauthorized when no token is given' do
+        get "/api/schools/#{school.id}/school_email_domains"
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+  end
+end