fix permissions for file replacement for other contexts

test plan: * files attached to quiz submissions should be able to be deleted via the API (using replace=1) by account admins closes #LA-200 Change-Id: I446946fedb357e36d313e0993555668a1d85f1d1 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/219089 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Tested-by: Jenkins Reviewed-by: Mysti Lilla <mysti@instructure.com> QA-Review: Jeremy Putnam <jeremyp@instructure.com> Product-Review: James Williams <jamesw@instructure.com>
2019-12-02 10:50:28 -07:00 · 2019-12-02 10:50:28 -07:00 · 103f67bce4
parent 5ab9718818
commit 103f67bce4
2 changed files with 22 additions and 1 deletions
--- a/app/controllers/files_controller.rb
+++ b/app/controllers/files_controller.rb
@ -1195,7 +1195,14 @@ class FilesController < ApplicationController
    if @context.is_a?(User)
      @context.can_masquerade?(@current_user, @domain_root_account)
    else
-      @context.grants_right?(@current_user, nil, :manage_files) &&
+      permission_context =
+        case @context
+        when Course, Account, Group
+          @context
+        else
+          @context.respond_to?(:context) ? @context.context : @context
+        end
+      permission_context.grants_right?(@current_user, nil, :manage_files) &&
        @domain_root_account.grants_right?(@current_user, nil, :become_user)
    end
  end
--- a/spec/apis/v1/files_controller_api_spec.rb
+++ b/spec/apis/v1/files_controller_api_spec.rb
@ -1083,6 +1083,20 @@ describe "Files API", type: :request do
      api_call(:delete, @file_path, @file_path_options, {}, {}, expected_status: 200)
    end

+    it 'should delete/replace a file tied to a quiz submission' do
+      course_with_student(:active_all => true)
+      quiz_model(:course => @course)
+      @quiz.update_attribute :one_question_at_a_time, true
+      @qs = @quiz.generate_submission(@student, false)
+
+      account_admin_user(account: @account)
+      @att.context = @qs
+      @att.save!
+      expect_any_instantiation_of(@att).to receive(:destroy_content_and_replace).once
+      @file_path_options[:replace] = true
+      api_call(:delete, @file_path, @file_path_options, {}, {}, expected_status: 200)
+    end
+
    it "should not be authorized to delete/replace a file" do
      course_with_teacher(active_all: true, user: user_with_pseudonym)
      @file_path_options[:replace] = true