canvas-lms/spec/models/role_override_spec.rb

#
# Copyright (C) 2011 Instructure, Inc.
#
# This file is part of Canvas.
#
# Canvas is free software: you can redistribute it and/or modify it under
# the terms of the GNU Affero General Public License as published by the Free
# Software Foundation, version 3 of the License.
#
# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#

require File.expand_path(File.dirname(__FILE__) + '/../spec_helper.rb')

describe RoleOverride do
  it "should retain the prior permission when it encounters the first explicit override" do
    @account = account_model(:parent_account => Account.default)
    RoleOverride.create!(:context => @account, :permission => 'moderate_forum',
                         :enrollment_type => "TeacherEnrollment", :enabled => false)
    permissions = RoleOverride.permission_for(Account.default, :moderate_forum, "TeacherEnrollment")
    permissions[:enabled].should == true
    permissions.key?(:prior_default).should == false
    permissions[:explicit].should == false

    permissions = RoleOverride.permission_for(@account, :moderate_forum, "TeacherEnrollment")
    permissions[:enabled].should == false
    permissions[:prior_default].should == true
    permissions[:explicit].should == true
  end

  it "should use the immediately parent context as the prior permission when there are multiple explicit levels" do
    a1 = account_model
    a2 = account_model(:parent_account => a1)
    a3 = account_model(:parent_account => a2)

    RoleOverride.create!(:context => a1, :permission => 'moderate_forum',
                         :enrollment_type => "TeacherEnrollment", :enabled => false)
    RoleOverride.create!(:context => a2, :permission => 'moderate_forum',
                         :enrollment_type => "TeacherEnrollment", :enabled => true)

    permissions = RoleOverride.permission_for(a1, :moderate_forum, "TeacherEnrollment")
    permissions[:enabled].should == false
    permissions[:prior_default].should == true
    permissions[:explicit].should == true

    permissions = RoleOverride.permission_for(a2, :moderate_forum, "TeacherEnrollment")
    permissions[:enabled].should == true
    permissions[:prior_default].should == false
    permissions[:explicit].should == true

    permissions = RoleOverride.permission_for(a3, :moderate_forum, "TeacherEnrollment")
    permissions[:enabled].should == true
    permissions[:prior_default].should == true
    permissions[:explicit].should == true
  end

  it "should not fail when a context's associated accounts are missing" do
    group_model
    @group.account.should be_nil
    lambda {
      RoleOverride.permission_for(@group, :read_course_content, "TeacherEnrollment")
    }.should_not raise_error
  end

  describe "student view permissions" do
    it "should mirror student permissions" do
      permission = 'comment_on_others_submissions'

      course_with_teacher(:active_all => true)
      student_in_course(:active_all => true)
      @fake_student = @course.student_view_student

      @student.enrollments.first.has_permission_to?(permission.to_sym).should be_false
      @fake_student.enrollments.first.has_permission_to?(permission.to_sym).should be_false

      RoleOverride.manage_role_override(Account.default, 'StudentEnrollment', permission, :override => true)
      RoleOverride.clear_cached_contexts

      @student.enrollments.first.has_permission_to?(permission.to_sym).should be_true
      @fake_student.enrollments.first.has_permission_to?(permission.to_sym).should be_true
    end
  end

  describe "manage_role_override" do
    before :each do
      @account = account_model(:parent_account => Account.default)
      @role = 'NewRole'
      @permission = 'read_reports'
    end

    describe "override already exists" do
      before :each do
        @existing_override = @account.role_overrides.build(
          :permission => @permission,
          :enrollment_type => @role)
        @existing_override.enabled = true
        @existing_override.locked = false
        @existing_override.save!
        @initial_count = @account.role_overrides.size
      end

      it "should update an existing override if override has a value" do
        new_override = RoleOverride.manage_role_override(@account, @role, @permission, :override => false)
        @account.role_overrides.size.should == @initial_count
        new_override.should == @existing_override.reload
        @existing_override.enabled.should be_false
      end

      it "should update an existing override if override is nil but locked is truthy" do
        new_override = RoleOverride.manage_role_override(@account, @role, @permission, :locked => true)
        @account.role_overrides.size.should == @initial_count
        new_override.should == @existing_override.reload
        @existing_override.locked.should be_true
      end

      it "should only update the parts that are specified" do
        new_override = RoleOverride.manage_role_override(@account, @role, @permission, :override => false)
        @existing_override.reload
        @existing_override.locked.should be_false

        @existing_override.enabled = true
        @existing_override.save

        new_override = RoleOverride.manage_role_override(@account, @role, @permission, :locked => true)
        @existing_override.reload
        @existing_override.enabled.should be_true
      end

      it "should delete an existing override if override is nil and locked is not truthy" do
        new_override = RoleOverride.manage_role_override(@account, @role, @permission, :locked => false)
        @account.role_overrides.size.should == @initial_count - 1
        new_override.should be_nil
        RoleOverride.find_by_id(@existing_override.id).should be_nil
      end
    end

    describe "no override yet" do
      before :each do
        @initial_count = @account.role_overrides.size
      end

      it "should not create an override if override is nil and locked is not truthy" do
        override = RoleOverride.manage_role_override(@account, @role, @permission, :locked => false)
        override.should be_nil
        @account.role_overrides.size.should == @initial_count
      end

      it "should create the override if override has a value" do
        override = RoleOverride.manage_role_override(@account, @role, @permission, :override => false)
        @account.role_overrides.size.should == @initial_count + 1
        override.enabled.should be_false
      end

      it "should create the override if override is nil but locked is truthy" do
        override = RoleOverride.manage_role_override(@account, @role, @permission, :locked => true)
        @account.role_overrides.size.should == @initial_count + 1
        override.locked.should be_true
      end

      it "should only set the parts that are specified" do
        override = RoleOverride.manage_role_override(@account, @role, @permission, :override => false)
        override.enabled.should be_false
        override.locked.should be_nil
        override.destroy

        override = RoleOverride.manage_role_override(@account, @role, @permission, :locked => true)
        override.enabled.should be_nil
        override.locked.should be_true
      end
    end
  end
end
revert an explicit permission to the proper default In /accounts/*/role_overrides The value was being saved correctly, but the UI was incorrect and super confusing. It'd always show a bold "explicit" green checkmark, rather than the semi-transparent check/cross depending on the actual default. refs #3711 Change-Id: Ide0a0603b6c820ea0ec94646c4327239d980b09c Reviewed-on: https://gerrit.instructure.com/2194 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Brian Whitmer <brian@instructure.com> 2011-02-08 08:33:03 +08:00			`#`
			`# Copyright (C) 2011 Instructure, Inc.`
			`#`
			`# This file is part of Canvas.`
			`#`
			`# Canvas is free software: you can redistribute it and/or modify it under`
			`# the terms of the GNU Affero General Public License as published by the Free`
			`# Software Foundation, version 3 of the License.`
			`#`
			`# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY`
			`# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR`
			`# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more`
			`# details.`
			`#`
			`# You should have received a copy of the GNU Affero General Public License along`
			`# with this program. If not, see <http://www.gnu.org/licenses/>.`
			`#`

			`require File.expand_path(File.dirname(__FILE__) + '/../spec_helper.rb')`

			`describe RoleOverride do`
			`it "should retain the prior permission when it encounters the first explicit override" do`
drop course level role override "support" simplifies RoleOverride lookup logic, and the query once again uses the already existing index Change-Id: I2b165b7debc9aa7aa6fd032d7917cbbc23b4361c Reviewed-on: https://gerrit.instructure.com/5063 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: JT Olds <jt@instructure.com> 2011-08-13 00:45:55 +08:00			`@account = account_model(:parent_account => Account.default)`
			`RoleOverride.create!(:context => @account, :permission => 'moderate_forum',`
revert an explicit permission to the proper default In /accounts/*/role_overrides The value was being saved correctly, but the UI was incorrect and super confusing. It'd always show a bold "explicit" green checkmark, rather than the semi-transparent check/cross depending on the actual default. refs #3711 Change-Id: Ide0a0603b6c820ea0ec94646c4327239d980b09c Reviewed-on: https://gerrit.instructure.com/2194 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Brian Whitmer <brian@instructure.com> 2011-02-08 08:33:03 +08:00			`:enrollment_type => "TeacherEnrollment", :enabled => false)`
drop course level role override "support" simplifies RoleOverride lookup logic, and the query once again uses the already existing index Change-Id: I2b165b7debc9aa7aa6fd032d7917cbbc23b4361c Reviewed-on: https://gerrit.instructure.com/5063 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: JT Olds <jt@instructure.com> 2011-08-13 00:45:55 +08:00			`permissions = RoleOverride.permission_for(Account.default, :moderate_forum, "TeacherEnrollment")`
revert an explicit permission to the proper default In /accounts/*/role_overrides The value was being saved correctly, but the UI was incorrect and super confusing. It'd always show a bold "explicit" green checkmark, rather than the semi-transparent check/cross depending on the actual default. refs #3711 Change-Id: Ide0a0603b6c820ea0ec94646c4327239d980b09c Reviewed-on: https://gerrit.instructure.com/2194 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Brian Whitmer <brian@instructure.com> 2011-02-08 08:33:03 +08:00			`permissions[:enabled].should == true`
			`permissions.key?(:prior_default).should == false`
			`permissions[:explicit].should == false`

drop course level role override "support" simplifies RoleOverride lookup logic, and the query once again uses the already existing index Change-Id: I2b165b7debc9aa7aa6fd032d7917cbbc23b4361c Reviewed-on: https://gerrit.instructure.com/5063 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: JT Olds <jt@instructure.com> 2011-08-13 00:45:55 +08:00			`permissions = RoleOverride.permission_for(@account, :moderate_forum, "TeacherEnrollment")`
revert an explicit permission to the proper default In /accounts/*/role_overrides The value was being saved correctly, but the UI was incorrect and super confusing. It'd always show a bold "explicit" green checkmark, rather than the semi-transparent check/cross depending on the actual default. refs #3711 Change-Id: Ide0a0603b6c820ea0ec94646c4327239d980b09c Reviewed-on: https://gerrit.instructure.com/2194 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Brian Whitmer <brian@instructure.com> 2011-02-08 08:33:03 +08:00			`permissions[:enabled].should == false`
			`permissions[:prior_default].should == true`
			`permissions[:explicit].should == true`
			`end`

			`it "should use the immediately parent context as the prior permission when there are multiple explicit levels" do`
			`a1 = account_model`
			`a2 = account_model(:parent_account => a1)`
			`a3 = account_model(:parent_account => a2)`

			`RoleOverride.create!(:context => a1, :permission => 'moderate_forum',`
			`:enrollment_type => "TeacherEnrollment", :enabled => false)`
			`RoleOverride.create!(:context => a2, :permission => 'moderate_forum',`
			`:enrollment_type => "TeacherEnrollment", :enabled => true)`

			`permissions = RoleOverride.permission_for(a1, :moderate_forum, "TeacherEnrollment")`
			`permissions[:enabled].should == false`
			`permissions[:prior_default].should == true`
			`permissions[:explicit].should == true`

			`permissions = RoleOverride.permission_for(a2, :moderate_forum, "TeacherEnrollment")`
			`permissions[:enabled].should == true`
			`permissions[:prior_default].should == false`
			`permissions[:explicit].should == true`

			`permissions = RoleOverride.permission_for(a3, :moderate_forum, "TeacherEnrollment")`
			`permissions[:enabled].should == true`
			`permissions[:prior_default].should == true`
			`permissions[:explicit].should == true`
			`end`
fix invalid sql during role override lookup; fixes #5966 Change-Id: I3fa6ecaf63cd5c501ded72b95cf5d45b4ab4f7dd Reviewed-on: https://gerrit.instructure.com/6219 Reviewed-by: JT Olds <jt@instructure.com> Tested-by: Hudson <hudson@instructure.com> 2011-10-16 13:51:01 +08:00
			`it "should not fail when a context's associated accounts are missing" do`
			`group_model`
			`@group.account.should be_nil`
			`lambda {`
			`RoleOverride.permission_for(@group, :read_course_content, "TeacherEnrollment")`
			`}.should_not raise_error`
			`end`
Roles API; refs #6182 only adds the creation mechanism requested by #6182 for now test-plan: - try the API action to create a new admin role specifying explicit/enabled/lock for some or all permissions - try without giving a role name; should fail - try giving an already used role name; should fail - try using a reserved role name; should fail Change-Id: I3b38247dccb704da694b0fd32df16cdd63df6810 Reviewed-on: https://gerrit.instructure.com/7553 Reviewed-by: Cody Cutrer <cody@instructure.com> Tested-by: Hudson <hudson@instructure.com> 2011-12-17 05:27:59 +08:00
student view; closes #6995 allows course admins to view the course from a student perspective. this is accessible from a button on the course/settings page. They should be able to interact with the course as a student would, including submitting homework and quizzes. Right now there is one student view student per course, so if the course has multiple administrators, they will all share the same student view student. There are a few things that won't work in student view the way the would for a normal student, most notably access to conversations is disabled. Additionally, any publicly visible action that the teacher takes while in student view will still be publicly visible -- for example if the teacher posts a discussion topic/reply as the student view student, it will be visible to the whole class. test-plan: - (the following should be tried both as a full teacher and as a section-limited course admin) - set up a few assignments, quizzes, discussions, and module progressions in a course. - enter student view from the coures settings page. - work through the things you set up above. - leave student view from the upper right corner of the page. - as a teacher you should be able to grade the fake student so that they can continue to progress. - the student should not show up in the course users list - the student should not show up at the account level at all: * total user list * statistics Change-Id: I886a4663777f3ef2bdae594349ff6da6981e14ed Reviewed-on: https://gerrit.instructure.com/9484 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Cody Cutrer <cody@instructure.com> 2012-03-14 04:08:19 +08:00			`describe "student view permissions" do`
			`it "should mirror student permissions" do`
			`permission = 'comment_on_others_submissions'`

			`course_with_teacher(:active_all => true)`
			`student_in_course(:active_all => true)`
			`@fake_student = @course.student_view_student`

			`@student.enrollments.first.has_permission_to?(permission.to_sym).should be_false`
			`@fake_student.enrollments.first.has_permission_to?(permission.to_sym).should be_false`

			`RoleOverride.manage_role_override(Account.default, 'StudentEnrollment', permission, :override => true)`
			`RoleOverride.clear_cached_contexts`

			`@student.enrollments.first.has_permission_to?(permission.to_sym).should be_true`
			`@fake_student.enrollments.first.has_permission_to?(permission.to_sym).should be_true`
			`end`
			`end`

Roles API; refs #6182 only adds the creation mechanism requested by #6182 for now test-plan: - try the API action to create a new admin role specifying explicit/enabled/lock for some or all permissions - try without giving a role name; should fail - try giving an already used role name; should fail - try using a reserved role name; should fail Change-Id: I3b38247dccb704da694b0fd32df16cdd63df6810 Reviewed-on: https://gerrit.instructure.com/7553 Reviewed-by: Cody Cutrer <cody@instructure.com> Tested-by: Hudson <hudson@instructure.com> 2011-12-17 05:27:59 +08:00			`describe "manage_role_override" do`
			`before :each do`
			`@account = account_model(:parent_account => Account.default)`
			`@role = 'NewRole'`
			`@permission = 'read_reports'`
			`end`

			`describe "override already exists" do`
			`before :each do`
			`@existing_override = @account.role_overrides.build(`
			`:permission => @permission,`
			`:enrollment_type => @role)`
			`@existing_override.enabled = true`
			`@existing_override.locked = false`
			`@existing_override.save!`
			`@initial_count = @account.role_overrides.size`
			`end`

			`it "should update an existing override if override has a value" do`
			`new_override = RoleOverride.manage_role_override(@account, @role, @permission, :override => false)`
			`@account.role_overrides.size.should == @initial_count`
			`new_override.should == @existing_override.reload`
			`@existing_override.enabled.should be_false`
			`end`

			`it "should update an existing override if override is nil but locked is truthy" do`
			`new_override = RoleOverride.manage_role_override(@account, @role, @permission, :locked => true)`
			`@account.role_overrides.size.should == @initial_count`
			`new_override.should == @existing_override.reload`
			`@existing_override.locked.should be_true`
			`end`

			`it "should only update the parts that are specified" do`
			`new_override = RoleOverride.manage_role_override(@account, @role, @permission, :override => false)`
			`@existing_override.reload`
			`@existing_override.locked.should be_false`

			`@existing_override.enabled = true`
			`@existing_override.save`

			`new_override = RoleOverride.manage_role_override(@account, @role, @permission, :locked => true)`
			`@existing_override.reload`
			`@existing_override.enabled.should be_true`
			`end`

			`it "should delete an existing override if override is nil and locked is not truthy" do`
			`new_override = RoleOverride.manage_role_override(@account, @role, @permission, :locked => false)`
			`@account.role_overrides.size.should == @initial_count - 1`
			`new_override.should be_nil`
			`RoleOverride.find_by_id(@existing_override.id).should be_nil`
			`end`
			`end`

			`describe "no override yet" do`
			`before :each do`
			`@initial_count = @account.role_overrides.size`
			`end`

			`it "should not create an override if override is nil and locked is not truthy" do`
			`override = RoleOverride.manage_role_override(@account, @role, @permission, :locked => false)`
			`override.should be_nil`
			`@account.role_overrides.size.should == @initial_count`
			`end`

			`it "should create the override if override has a value" do`
			`override = RoleOverride.manage_role_override(@account, @role, @permission, :override => false)`
			`@account.role_overrides.size.should == @initial_count + 1`
			`override.enabled.should be_false`
			`end`

			`it "should create the override if override is nil but locked is truthy" do`
			`override = RoleOverride.manage_role_override(@account, @role, @permission, :locked => true)`
			`@account.role_overrides.size.should == @initial_count + 1`
			`override.locked.should be_true`
			`end`

			`it "should only set the parts that are specified" do`
			`override = RoleOverride.manage_role_override(@account, @role, @permission, :override => false)`
			`override.enabled.should be_false`
			`override.locked.should be_nil`
			`override.destroy`

			`override = RoleOverride.manage_role_override(@account, @role, @permission, :locked => true)`
			`override.enabled.should be_nil`
			`override.locked.should be_true`
			`end`
			`end`
			`end`
revert an explicit permission to the proper default In /accounts/*/role_overrides The value was being saved correctly, but the UI was incorrect and super confusing. It'd always show a bold "explicit" green checkmark, rather than the semi-transparent check/cross depending on the actual default. refs #3711 Change-Id: Ide0a0603b6c820ea0ec94646c4327239d980b09c Reviewed-on: https://gerrit.instructure.com/2194 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Brian Whitmer <brian@instructure.com> 2011-02-08 08:33:03 +08:00			`end`