scheduler: hide signups in courses the teacher isn't enrolled in

test plan: 1. set up an appointment group in Course A and Course B 2. enroll a teacher in Course A (but not Course B) 3. enroll students in both courses 4. have each student sign up for a slot 5. ensure Teacher A doesn't see Student B's signup on their calendar fixes CNVS-28513 Change-Id: I59a4e4833b3e7521e016028c17c6eda1ea3217a3 Reviewed-on: https://gerrit.instructure.com/76452 Tested-by: Jenkins Reviewed-by: Joel Hough <joel@instructure.com> QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com> Product-Review: Jeremy Stanley <jeremy@instructure.com>
2016-04-06 13:08:28 -06:00 · 2016-04-06 13:08:28 -06:00 · 05b3c30dd2
parent 92d7a726e3
commit 05b3c30dd2
2 changed files with 35 additions and 20 deletions
--- a/lib/api/v1/calendar_event.rb
+++ b/lib/api/v1/calendar_event.rb
@ -65,10 +65,18 @@ module Api::V1::CalendarEvent
    end

    if event.effective_context_code
-      if appointment_group
-        common_context_codes = common_ag_context_codes(appointment_group, user, event, include_child_events)
-        hash['context_code'] = (event.effective_context_code.split(',') & common_context_codes).first
-        hash['effective_context_code'] = hash['context_code']
+      if appointment_group && include_child_events
+        common_context_codes = common_ag_context_codes(appointment_group, user, event)
+        effective_context_code = (event.effective_context_code.split(',') & common_context_codes).first
+        if effective_context_code
+          hash['context_code'] = hash['effective_context_code'] = effective_context_code
+        else
+          # the teacher has no courses in common with the signups
+          include_child_events = false
+          hash["child_events"] = []
+          hash["child_events_count"] = 0
+          hash['effective_context_code'] = event.effective_context_code
+        end
      else
        hash['effective_context_code'] = event.effective_context_code
      end
@ -208,17 +216,15 @@ module Api::V1::CalendarEvent

  private

-  # find context codes shared by the viewing user and the user signed up (if any),
-  # falling back on the viewing user's contexts
-  def common_ag_context_codes(appointment_group, user, event, include_child_events)
+  # find context codes shared by the viewing user and the user signed up,
+  # falling back on the viewing user's contexts if no users are signed up
+  def common_ag_context_codes(appointment_group, user, event)
    codes_for_user = appointment_group.context_codes_for_user(user)

-    event_user = event.user
-    event_user ||= infer_user_from_child_events(event.child_events) if include_child_events
+    event_user = event.user || infer_user_from_child_events(event.child_events)
    if event_user
      codes_for_event_user = appointment_group.context_codes_for_user(event_user)
-      common_codes = codes_for_user & codes_for_event_user
-      return common_codes if common_codes.any?
+      return codes_for_user & codes_for_event_user
    end
    codes_for_user
  end
--- a/spec/apis/v1/calendar_events_api_spec.rb
+++ b/spec/apis/v1/calendar_events_api_spec.rb
@ -483,19 +483,28 @@ describe CalendarEventsApiController, type: :request do
        )
      end

-      it "returns the teacher's context to the teacher for a student enrolled in a disparate course" do
-        @course1 = course_with_teacher(:active_all => true).course
-        @teacher1 = @teacher
-        @course2 = course_with_student(:active_all => true).course
+      it "excludes signups in courses the teacher isn't enrolled in" do
+        te1 = course_with_teacher(:active_all => true)
+        te2 = course_with_teacher(:active_all => true)
+        student1 = student_in_course(:course => te1.course, :active_all => true).user
+        student2 = student_in_course(:course => te2.course, :active_all => true).user
        ag = AppointmentGroup.create!(:title => "something", :participants_per_appointment => 1,
                                      :new_appointments => [["2012-01-01 12:00:00", "2012-01-01 13:00:00"],
                                                            ["2012-01-01 13:00:00", "2012-01-01 14:00:00"]],
-                                      :contexts => [@course1, @course2])
-        ag.appointments.first.reserve_for(@student, @teacher1)
-        json = api_call_as_user(@teacher1, :get, "/api/v1/calendar_events?start_date=2012-01-01&end_date=2012-01-31&context_codes[]=#{@course1.asset_string}", {
+                                      :contexts => [te1.course, te2.course])
+        ag.appointments.first.reserve_for(student1, te1.user)
+        ag.appointments.last.reserve_for(student2, te2.user)
+        json = api_call_as_user(te1.user, :get, "/api/v1/calendar_events?start_date=2012-01-01&end_date=2012-01-31&context_codes[]=#{te1.course.asset_string}", {
          :controller => 'calendar_events_api', :action => 'index', :format => 'json',
-          :context_codes => [@course1.asset_string], :start_date => '2012-01-01', :end_date => '2012-01-31'})
-        expect(json.map { |event| event['context_code'] }).to eq([@course1.asset_string, @course1.asset_string])
+          :context_codes => [te1.course.asset_string], :start_date => '2012-01-01', :end_date => '2012-01-31'})
+
+        a1 = json.detect { |h| h['id'] == ag.appointments.first.id }
+        expect(a1['child_events_count']).to eq 1
+        expect(a1['child_events'][0]['user']['id']).to eq student1.id
+
+        a2 = json.detect { |h| h['id'] == ag.appointments.last.id }
+        expect(a2['child_events_count']).to eq 0
+        expect(a2['child_events']).to be_empty
      end

      context "reservations" do