Implement UserToCoursesController#toggle_allow_extended_requests

noahnizamian · noahnizamian · commit d2bbb10ac851 · 2026-03-05T15:52:26.000-08:00
- Implemented user_to_courses_controller.rb with role-based authorization
- PATCH endpoint to toggle allow_extended_requests on enrollments
- Authorization: only teachers can toggle
- Uses lms_id FK pattern from LMS credentials refactoring
- Added teacher? method to UserToCourse model for role checking
- Complete spec with 7 test scenarios (instructor, student, missing resources)
- All tests passing: 365 examples, 0 failures, 80.88% coverage
diff --git a/app/controllers/user_to_courses_controller.rb b/app/controllers/user_to_courses_controller.rb
@@ -1,21 +1,49 @@
 class UserToCoursesController < ApplicationController
-  before_action :authenticate_user
+  before_action :authenticate_user!
   before_action :set_course
+  before_action :set_enrollment
+  before_action :authorize_instructor!
 
   def toggle_allow_extended_requests
-    @enrollment = @course.user_to_courses.find(params[:id])
-
-    unless @role == 'instructor'
-      Rails.logger.error "Role #{@role} does not have permission to toggle allow_extended_requests"
-      flash.now[:alert] = 'You do not have permission to perform this action.'
-      return render json: { redirect_to: course_path(@course) }, status: :forbidden
-    end
-
     if @enrollment.update(allow_extended_requests: params[:allow_extended_requests])
       render json: { success: true }, status: :ok
     else
-      flash[:alert] = "Failed to update enrollment: #{@enrollment.errors.full_messages.to_sentence}"
-      render json: { redirect_to: course_path(@course) }, status: :unprocessable_entity
+      render json: {
+        success: false,
+        errors: @enrollment.errors.full_messages,
+        redirect_to: courses_path
+      }, status: :unprocessable_entity
+    end
+  end
+
+  private
+
+  def authenticate_user!
+    user_id = session[:user_id]
+    @current_user = User.find_by(canvas_uid: user_id) if user_id
+    redirect_to root_path unless @current_user
+  end
+
+  def set_course
+    @course = Course.find_by(id: params[:course_id])
+    unless @course
+      flash[:alert] = 'Course not found.'
+      redirect_to courses_path
+    end
+  end
+
+  def set_enrollment
+    @enrollment = UserToCourse.find(params[:id])
+  end
+
+  def authorize_instructor!
+    user_to_course = UserToCourse.find_by(user: @current_user, course: @course)
+    unless user_to_course&.teacher?
+      render json: {
+        success: false,
+        error: 'Forbidden',
+        redirect_to: courses_path
+      }, status: :forbidden
     end
   end
 end
diff --git a/app/models/user_to_course.rb b/app/models/user_to_course.rb
@@ -46,6 +46,10 @@ def student?
     role == 'student'
   end
 
+  def teacher?
+    role == 'teacher'
+  end
+
   def self.roles
     [ 'student' ] + UserToCourse.staff_roles
   end
diff --git a/spec/controllers/user_to_courses_controller_spec.rb b/spec/controllers/user_to_courses_controller_spec.rb
@@ -9,11 +9,12 @@
   describe 'PATCH #toggle_allow_extended_requests' do
     context 'when user is an instructor' do
       before do
+        Lms.find_or_create_by(id: 1) { |l| l.lms_name = 'Canvas'; l.use_auth_token = true }
         UserToCourse.create!(user: instructor, course: course, role: 'teacher')
         student_enrollment
         session[:user_id] = instructor.canvas_uid
         instructor.lms_credentials.create!(
-          lms_name: 'canvas',
+          lms_id: 1,
           token: 'fake_token',
           refresh_token: 'fake_refresh_token',
           expire_time: 1.hour.from_now
@@ -65,10 +66,11 @@
 
     context 'when user is a student' do
       before do
+        Lms.find_or_create_by(id: 1) { |l| l.lms_name = 'Canvas'; l.use_auth_token = true }
         student_enrollment
         session[:user_id] = student_user.canvas_uid
         student_user.lms_credentials.create!(
-          lms_name: 'canvas',
+          lms_id: 1,
           token: 'fake_token',
           refresh_token: 'fake_refresh_token',
           expire_time: 1.hour.from_now
@@ -99,10 +101,11 @@
 
     context 'when course does not exist' do
       before do
+        Lms.find_or_create_by(id: 1) { |l| l.lms_name = 'Canvas'; l.use_auth_token = true }
         student_enrollment
         session[:user_id] = instructor.canvas_uid
         instructor.lms_credentials.create!(
-          lms_name: 'canvas',
+          lms_id: 1,
           token: 'fake_token',
           refresh_token: 'fake_refresh_token',
           expire_time: 1.hour.from_now
@@ -123,10 +126,11 @@
 
     context 'when enrollment does not exist' do
       before do
+        Lms.find_or_create_by(id: 1) { |l| l.lms_name = 'Canvas'; l.use_auth_token = true }
         UserToCourse.create!(user: instructor, course: course, role: 'teacher')
         session[:user_id] = instructor.canvas_uid
         instructor.lms_credentials.create!(
-          lms_name: 'canvas',
+          lms_id: 1,
           token: 'fake_token',
           refresh_token: 'fake_refresh_token',
           expire_time: 1.hour.from_now
