fix filename manipulation upload problem

fixes CNVS-23728 test plan: - Create New Assignment with File Upload Submission Type - As a student, submit a file to the assignment - As a teacher, Download Submissions from the assignment page - Unzip file - Note that file names use the following format lastname--firstname_CanvasUserID_CanvasFileID_filename.extension - Rename one of the files, but change only the CanvasFileID part - Zip file - Re-Upload Submissions from the assignment page Change-Id: Ia533d60b0c8a80b82e3328cc0dff08a859dd91f2 Reviewed-on: https://gerrit.instructure.com/65575 Tested-by: Jenkins Reviewed-by: John Corrigan <jcorrigan@instructure.com> QA-Review: Michael Hargiss <mhargiss@instructure.com> QA-Review: Landon Holmstead <lholmstead@instructure.com> Product-Review: Jason Sparks <jsparks@instructure.com>
2015-10-21 14:33:37 -06:00 · 2015-10-21 14:33:37 -06:00 · 03d7a8ceae
parent adc8b4a05e
commit 03d7a8ceae
2 changed files with 14 additions and 1 deletions
--- a/app/models/assignment.rb
+++ b/app/models/assignment.rb
@ -2041,7 +2041,9 @@ class Assignment < ActiveRecord::Base
    end
    attachment = Attachment.where(id: attachment_id).first if attachment_id

-    if !attachment || !submission
+    if !attachment || !submission ||
+       !attachment.grants_right?(user, :read) ||
+       !submission.attachments.where(:id => attachment_id).exists?
      @ignored_files << fullpath
      return nil
    end
--- a/spec/models/assignment_spec.rb
+++ b/spec/models/assignment_spec.rb
@ -2432,6 +2432,17 @@ describe Assignment do
      expect(@assignment.instance_variable_get(:@ignored_files)).to eq [ignore_file]
    end

+    it "should ignore when assignment.id does not belog to the user" do
+      create_and_submit
+      false_attachment = @attachment
+      student_in_course(active_all: true, user_name: "other user")
+      create_and_submit
+      ignore_file = [@user.last_name_first, @user.id, false_attachment.id, @attachment.display_name].join("_")
+      @assignment.instance_variable_set :@ignored_files, []
+      expect(@assignment.send(:infer_comment_context_from_filename, ignore_file)).to be_nil
+      expect(@assignment.instance_variable_get(:@ignored_files)).to eq [ignore_file]
+    end
+
    it "should mark comments as hidden for submission zip uploads" do
      @assignment = @course.assignments.create! name: "Mute Comment Test",
                                                submission_types: %w(online_upload)