don't return forbidden to admins for unpublished files

it's still rendering the file because of
 app/views/files/show.html.erb:25,
 so this just unifies the two checks

test plan:
* in an environment with a files domain, using Safari,
 viewing (as an admin) an unpublished html file
 with an embedded relative image should work

closes #LA-202

Change-Id: I15109eaa294c12f7da31f0a779984f6325324afa
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/223398
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Anju Reddy <areddy@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
James Williams 2020-01-15 14:28:54 -07:00
parent a35f126ec4
commit 1c03b9fdf8
3 changed files with 9 additions and 2 deletions


@ -572,7 +572,7 @@ class FilesController < ApplicationController
attachment.context_module_action(@current_user, :read)
end
format.html do
if attachment.locked_for?(@current_user)
if attachment.locked_for?(@current_user, :check_policies => true)
render :show, status: :forbidden
else
if attachment.inline_content? && !attachment.canvadocable? && safer_domain_available? && !params[:fd_cookie_set]
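Review bot: The admin exemption now lives entirely inside `locked_for?(@current_user, :check_policies => true)`, and the same predicate is repeated in the view hunk for app/views/files/show.html.erb, so the 403 and the lock message only stay consistent as long as both call sites pass the same option; a comment on the new line such as `# check_policies: users who may read_as_admin are not treated as locked out here, so they can preview unpublished files (keep in sync with files/show.html.erb)` would make that coupling explicit. What `:check_policies` actually exempts is not visible in this hunk — presumably it mirrors the `read_as_admin` check the view dropped, but that should be confirmed against the `locked_for?` implementation, since any broader exemption would widen who bypasses the forbidden response. The new line also mixes hash-rocket syntax with the `status: :forbidden` style on the following line; `check_policies: true` would match. The `format.html do` block and the `if`/`else` it contains continue past the end of the hunk.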


@ -22,7 +22,7 @@
<% add_crumb @attachment.display_name, context_url(@context, :context_file_url, @attachment) %>
<% download_url = context_url(@context, :context_file_download_url, @attachment.id, download_frd: 1) %>
<% js_bundle 'module_sequence_footer' %>
<% if !can_do(@attachment.context, @current_user, :read_as_admin) && (locked = @attachment.locked_for?(@current_user)) %>
<% if (locked = @attachment.locked_for?(@current_user, :check_policies => true)) %>
<div style="margin: 10px 50px;">
<% if @attachment.folder && @attachment.folder.locked? %>
<%= t 'messages.folder_locked', "The folder \"%{folder},\" which includes this file, has been locked.", :folder => @attachment.folder.name %>


@ -524,6 +524,13 @@ describe FilesController do
get 'show', params: {:user_id => @student.id, :id => @attachment.id, :inline => 1}
expect(response).to be_successful
end
it "is successful when viewing as an admin even if locked" do
@file.locked = true
@file.save!
get 'show', params: {:course_id => @course.id, :id => @file.id}
expect(response).to be_successful
end
end
describe "canvadoc_session_url" do
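Review bot: The new example only pins the positive half of the change — an admin still gets a successful response when the file is locked — and nothing in this hunk asserts that a non-admin is still refused now that the forbidden response hinges on `:check_policies => true`, so a `locked_for?` change that exempted everyone would pass this spec unless an existing example elsewhere in the file covers it. A companion example logging in as `@student`, which the preceding example already references, would close that gap; the exact expected status depends on whether an earlier authorization check in `show` rejects the student before the lock check is reached, so confirm it against the controller. The commit message describes unpublished files, but the example exercises only the `locked` flag; if unpublished and locked take different paths through `locked_for?`, a second example for the unpublished case would match the stated test plan. The enclosing `describe` and the `before` block that presumably establishes the admin session begin outside the hunk.
```ruby
it "is successful when viewing as an admin even if locked" do
  # … unchanged: locked admin example …
end

it "still returns forbidden to a student when the file is locked" do
  @file.locked = true
  @file.save!
  user_session(@student)
  get 'show', params: {:course_id => @course.id, :id => @file.id}
  expect(response).to have_http_status(:forbidden)
end
```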