Suppress submission body in GQL if can't see grade

fixes EVAL-1258 flag=none Test plan: - Have a course with a student - Create a quiz (in old quizzes) - In the Gradebook, change the quiz to be manually posted - As the student, take and submit the quiz - In a Rails console, look up the submission ID of that student's submission - As the student, submit a GraphQL request for that submission ID: query MyQuery { submission(id: "<submission id>") { id body score submissionHistoriesConnection(first: 10) { nodes { body score } } } } - The "body" attribute, in both the submission itself and the history nodes, should be returned as null - As the teacher, run the same query and check that you do get a response for the body - As the teacher, post grades for the quiz in Gradebook - Re-run the query as the student and check that the body attribute is now populated Change-Id: I09c968a509fbf0510ad4e5f07e4c63f1d74eb9bd Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/249727 Reviewed-by: Gary Mei <gmei@instructure.com> Reviewed-by: Syed Hussain <shussain@instructure.com> Reviewed-by: Spencer Olson <solson@instructure.com> QA-Review: Gary Mei <gmei@instructure.com> Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Product-Review: Syed Hussain <shussain@instructure.com>
2020-10-09 14:02:48 -05:00 · 2020-10-09 14:02:48 -05:00 · 1563b8f53e
parent e9c60dec02
commit 1563b8f53e
2 changed files with 56 additions and 9 deletions
--- a/app/graphql/interfaces/submission_interface.rb
+++ b/app/graphql/interfaces/submission_interface.rb
@ -222,15 +222,19 @@ module Interfaces::SubmissionInterface
  def body
    Loaders::AssociationLoader.for(Submission, :assignment).load(submission).then do |assignment|
      Loaders::AssociationLoader.for(Assignment, :context).load(assignment).then do
-        Loaders::ApiContentAttachmentLoader.for(assignment.context).load(object.body).then do |preloaded_attachments|
-          GraphQLHelpers::UserContent.process(
-            object.body,
-            context: assignment.context,
-            in_app: context[:in_app],
-            request: context[:request],
-            preloaded_attachments: preloaded_attachments,
-            user: current_user
-          )
+        # The "body" of submissions for (old) quiz assignments includes grade
+        # information, so exclude it if the caller can't see the grade
+        if !assignment.quiz? || submission.user_can_read_grade?(current_user, session)
+          Loaders::ApiContentAttachmentLoader.for(assignment.context).load(object.body).then do |preloaded_attachments|
+            GraphQLHelpers::UserContent.process(
+              object.body,
+              context: assignment.context,
+              in_app: context[:in_app],
+              request: context[:request],
+              preloaded_attachments: preloaded_attachments,
+              user: current_user
+            )
+          end
        end
      end
    end
--- a/spec/graphql/types/submission_type_spec.rb
+++ b/spec/graphql/types/submission_type_spec.rb
@ -144,6 +144,49 @@ describe Types::SubmissionType do
    end
  end

+  describe "body" do
+    before(:each) do
+      allow(GraphQLHelpers::UserContent).to receive(:process).and_return("bad")
+    end
+
+    context "for a quiz" do
+      let(:quiz) do
+        quiz_with_submission
+        @quiz
+      end
+      let(:assignment) { quiz.assignment }
+      let(:submission) { assignment.submission_for_student(@student) }
+
+      let(:submission_type_for_student) { GraphQLTypeTester.new(submission, current_user: @student) }
+      let(:submission_type_for_teacher) { GraphQLTypeTester.new(submission, current_user: @teacher) }
+
+      before(:each) do
+        assignment.hide_submissions
+      end
+
+      context "when the quiz is not posted" do
+        it "returns nil for users who cannot read the grade" do
+          expect(submission_type_for_student.resolve("body")).to be nil
+        end
+
+        it "returns a value for users who can read the grade" do
+          expect(submission_type_for_teacher.resolve("body")).to eq "bad"
+        end
+      end
+
+      it "returns the value of the body for a posted quiz" do
+        assignment.post_submissions
+        expect(submission_type_for_student.resolve("body")).to eq "bad"
+      end
+    end
+
+    it "returns the value of the body for a non-quiz assignment" do
+      @submission.update!(body: "bad")
+      submission_type = GraphQLTypeTester.new(@submission, current_user: @student)
+      expect(submission_type.resolve("body")).to eq "bad"
+    end
+  end
+
  describe "submissionStatus" do
    before do
      quiz_with_submission