From 1db954dfd282e67feaa266d0b86079586ceba5d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Omar=20Gerardo=20Soto-Fortu=C3=B1o?=
Date: Tue, 19 Jul 2022 15:04:28 -0400
Subject: [PATCH] Throw error when channel doesn't belong to user
flag=none
closes VICE-3027
Test Plan:
- Tests pass
Change-Id: I62f3996ec25bd9f69707bac0944c8317c2323627
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/296569
Tested-by: Service Cloud Jenkins
Reviewed-by: Drake Harper
Product-Review: Drake Harper
QA-Review: Chawn Neal
---
 .../mutations/update_notification_preferences.rb | 5 +++++
 .../update_notification_preferences_spec.rb | 16 ++++++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/app/graphql/mutations/update_notification_preferences.rb b/app/graphql/mutations/update_notification_preferences.rb
index 6408163465e..1adc3bad329 100644
--- a/app/graphql/mutations/update_notification_preferences.rb
+++ b/app/graphql/mutations/update_notification_preferences.rb
@@ -87,6 +87,11 @@ class Mutations::UpdateNotificationPreferences < Mutations::BaseMutation
 # check for the presence of one of the arguments needed to update notification policies
 if input[:communication_channel_id]
 communication_channel = CommunicationChannel.find(input[:communication_channel_id])
+
+ if communication_channel.user_id != current_user.id
+ raise GraphQL::ExecutionError, "not found"
+ end
+
 if input[:is_policy_override]
 NotificationPolicyOverride.create_or_update_for(communication_channel, input[:notification_category].tr("_", " "), input[:frequency], context)
 else
diff --git a/spec/graphql/mutations/update_notification_preferences_spec.rb b/spec/graphql/mutations/update_notification_preferences_spec.rb
index 557bc379f94..3530f852c55 100644
--- a/spec/graphql/mutations/update_notification_preferences_spec.rb
+++ b/spec/graphql/mutations/update_notification_preferences_spec.rb
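Review bot: The lookup `CommunicationChannel.find(input[:communication_channel_id])` still runs unscoped before the new ownership check, so an id that does not exist raises ActiveRecord::RecordNotFound while an id owned by another user raises the new "not found" ExecutionError. Unless the surrounding method, which starts and ends outside this hunk, maps both to the same response, the two cases remain distinguishable to the caller. Scoping the query to the caller folds the lookup and the authorization check into one step: `communication_channel = current_user.communication_channels.find_by(id: input[:communication_channel_id])` followed by `raise GraphQL::ExecutionError, "not found" unless communication_channel`. The spec added in this commit already uses the `communication_channels` association on a user.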
@@ -333,6 +333,22 @@ RSpec.describe Mutations::UpdateNotificationPreferences do
 result.dig(:data, :updateNotificationPreferences, :user, :notificationPreferences, :channels, 0, :notificationPolicies, 0, :frequency)
 ).to eq("immediately")
 end
+
+ it "throw not found when communication channel doesn't belong to current_user" do
+ Notification.create!(name: "Discussion Mention", subject: "Test", category: "DiscussionMention")
+ result = CanvasSchema.execute(mutation_str(context_type: "Account",
+ account_id: @account.id,
+ communication_channel_id: @teacher.communication_channels.first.id,
+ notification_category: "DiscussionMention",
+ frequency: "immediately"), context: {
+ current_user: @student,
+ request: ActionDispatch::TestRequest.create,
+ domain_root_account: @account
+ })
+ result = result.to_h.with_indifferent_access
+
+ expect(result[:errors][0][:message]).to be "not found"
+ end
 end
 describe "invalid input" do
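Review bot: The final expectation uses `be`, which compares object identity rather than content, so it passes only while the error message happens to be the very same String object as the literal in the spec. The neighbouring example uses `eq`, and `expect(result[:errors][0][:message]).to eq("not found")` states the intent without depending on string deduplication. The example also asserts only on the error text. Since the purpose of the change is to stop one user from writing to another user's channel, it would be stronger to also assert that the teacher's channel has no new or changed notification policy after the call.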