Throw error when channel doesn't belong to user

flag=none closes VICE-3027 Test Plan: - Tests pass Change-Id: I62f3996ec25bd9f69707bac0944c8317c2323627 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/296569 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Drake Harper <drake.harper@instructure.com> Product-Review: Drake Harper <drake.harper@instructure.com> QA-Review: Chawn Neal <chawn.neal@instructure.com>
2022-07-19 15:04:28 -04:00 · 2022-07-19 15:04:28 -04:00 · 1db954dfd2
parent d718c3501f
commit 1db954dfd2
2 changed files with 21 additions and 0 deletions
--- a/app/graphql/mutations/update_notification_preferences.rb
+++ b/app/graphql/mutations/update_notification_preferences.rb
@ -87,6 +87,11 @@ class Mutations::UpdateNotificationPreferences < Mutations::BaseMutation
    # check for the presence of one of the arguments needed to update notification policies
    if input[:communication_channel_id]
      communication_channel = CommunicationChannel.find(input[:communication_channel_id])
+
+      if communication_channel.user_id != current_user.id
+        raise GraphQL::ExecutionError, "not found"
+      end
+
      if input[:is_policy_override]
        NotificationPolicyOverride.create_or_update_for(communication_channel, input[:notification_category].tr("_", " "), input[:frequency], context)
      else
--- a/spec/graphql/mutations/update_notification_preferences_spec.rb
+++ b/spec/graphql/mutations/update_notification_preferences_spec.rb
@ -333,6 +333,22 @@ RSpec.describe Mutations::UpdateNotificationPreferences do
        result.dig(:data, :updateNotificationPreferences, :user, :notificationPreferences, :channels, 0, :notificationPolicies, 0, :frequency)
      ).to eq("immediately")
    end
+
+    it "throw not found when communication channel doesn't belong to current_user" do
+      Notification.create!(name: "Discussion Mention", subject: "Test", category: "DiscussionMention")
+      result = CanvasSchema.execute(mutation_str(context_type: "Account",
+                                                 account_id: @account.id,
+                                                 communication_channel_id: @teacher.communication_channels.first.id,
+                                                 notification_category: "DiscussionMention",
+                                                 frequency: "immediately"), context: {
+                                                   current_user: @student,
+                                                   request: ActionDispatch::TestRequest.create,
+                                                   domain_root_account: @account
+                                                 })
+      result = result.to_h.with_indifferent_access
+
+      expect(result[:errors][0][:message]).to be "not found"
+    end
  end

  describe "invalid input" do