stats page displays courses for current and sub accounts

fixed comment typo in ovverride
matched syntax in courses to above code

fixes FOO-2536
flag=none

test plan:
1. Created a root with sub-accounts who had sub-accounts
2. Added different courses in each account
3. Checked statistics before and after deleting courses
4. Subs cannot view parent or sibling sub account courses
5. Roots can view own courses and sub account courses

Change-Id: I31212fcbcc161a11c719c0b6c20f9dfdabef0bc4
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/318094
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: August Thornton <august@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Maya Tyner <maya.tyner@instructure.com>

app/controllers/accounts_controller.rb

@@ -1435,11 +1435,9 @@ class AccountsController < ApplicationController
     if authorized_action(@account, @current_user, :view_statistics)
       add_crumb(t(:crumb_statistics, "Statistics"), statistics_account_url(@account))
       if @account.grants_right?(@current_user, :read_course_list)
-        @recently_started_courses = @account.all_courses.recently_started
-        @recently_ended_courses = @account.all_courses.recently_ended
-        if @account == Account.default
-          @recently_created_courses = @account.all_courses.recently_created
-        end
+        @recently_started_courses = @account.associated_courses.active.recently_started
+        @recently_ended_courses = @account.associated_courses.active.recently_ended
+        @recently_created_courses = @account.associated_courses.active.recently_created
       end
       if @account.grants_right?(@current_user, :read_roster)
         @recently_logged_users = @account.all_users.recently_logged_in

app/models/course.rb

@@ -885,7 +885,7 @@ class Course < ActiveRecord::Base
 
   scope :recently_started, -> { where(start_at: 1.month.ago..Time.zone.now).order("start_at DESC").limit(10) }
   scope :recently_ended, -> { where(conclude_at: 1.month.ago..Time.zone.now).order("start_at DESC").limit(10) }
-  scope :recently_created, -> { where("created_at>?", 1.month.ago).order("created_at DESC").limit(50).preload(:teachers) }
+  scope :recently_created, -> { where(created_at: 1.month.ago..Time.zone.now).order("created_at DESC").limit(50).preload(:teachers) }
   scope :for_term, ->(term) { term ? where(enrollment_term_id: term) : all }
   scope :active_first, -> { order(Arel.sql("CASE WHEN courses.workflow_state='available' THEN 0 ELSE 1 END, #{best_unicode_collation_key("name")}")) }
   scope :name_like, lambda { |query|

app/models/role_override.rb

@@ -1638,7 +1638,7 @@ class RoleOverride < ActiveRecord::Base
       },
       read_reports: {
         label: -> { t("permissions.read_reports", "Manage account or course-level reports") },
-        label_v2: -> { t("Reports - manage") }, # Reports - manage is used by both Account and Console Roles in Permissions
+        label_v2: -> { t("Reports - manage") }, # Reports - manage is used by both Account and Course Roles in Permissions
         available_to: %w[
           TaEnrollment
           DesignerEnrollment

app/views/accounts/statistics.html.erb

@@ -117,7 +117,6 @@
 <% end %>
 
 <% if can_do @account, @current_user, :read_course_list %>
-<% if @account == Account.default %>
 <h2><%= t(:recently_created_courses_title, "Recently Created Courses") %></h2>
 <ul id="recently_created_item_list" class="item_list">
   <% @recently_created_courses.each do |course| %>
@@ -137,11 +136,10 @@
       </div>
     </li>
   <% end %>
-  <% if @recently_started_courses.empty? %>
+  <% if @recently_created_courses.empty? %>
     <li><%= t(:none_message, "None to show") %></li>
   <% end %>
 </ul>
-<% end %>
 
 <h2><%= t(:recently_started_courses_title, "Recently Started Courses") %></h2>
 <ul id="recently_started_item_list" class="item_list">

spec/controllers/accounts_controller_spec.rb

@@ -1327,6 +1327,51 @@ describe AccountsController do
     end
   end
 
+  describe "#statistics" do
+    before do
+      @account = Account.create!
+      @sub1 = @account.sub_accounts.create!
+      @sub2 = @account.sub_accounts.create!
+      @ssub1 = @sub1.sub_accounts.create!
+      @cr = course_factory(account: @account, course_name: "root")
+      @c1 = course_factory(account: @sub1, course_name: "sc1")
+      @c2 = course_factory(account: @sub2, course_name: "sc2")
+      @c1_1 = course_factory(account: @ssub1, course_name: "ssc1")
+    end
+
+    it "does not allow sibling sub to view another siblings courses" do
+      admin_logged_in(@sub1)
+      get "statistics", params: { account_id: @sub1.id }
+      expect(assigns(:recently_created_courses).to_a).not_to eq([@c2])
+    end
+
+    it "does not allow child to see parents created courses" do
+      admin_logged_in(@sub2)
+      get "statistics", params: { account_id: @sub2.id }
+      expect(assigns(:recently_created_courses).to_a).to eq([@c2])
+      expect(assigns(:recently_created_courses).to_a).not_to eq([@cr])
+    end
+
+    it "returns courses created by children and grandchildren" do
+      admin_logged_in(@account)
+      get "statistics", params: { account_id: @account.id }
+      expect(assigns(:recently_created_courses).to_a).to match_array([@c1_1, @c1, @c2, @cr])
+    end
+
+    it "returns courses created by self and children" do
+      admin_logged_in(@sub1)
+      get "statistics", params: { account_id: @sub1.id }
+      expect(assigns(:recently_created_courses).to_a).to match_array([@c1, @c1_1])
+    end
+
+    it "does not return deleted courses" do
+      admin_logged_in(@sub1)
+      @c1.update!(workflow_state: "deleted")
+      get "statistics", params: { account_id: @sub1.id }
+      expect(assigns(:recently_created_courses).to_a).to match_array([@c1_1])
+    end
+  end
+
   describe "#account_courses" do
     before do
       @account = Account.create!