respect section privs in Quiz#show and Quiz#moderate

refs #9548 test plan: * create a course with two sections and a quiz * enroll a student in each section * enroll a TA in one section, with privileges limited to that section * take the quiz as each student * log in as the TA * verify that the "Show Student Quiz Results" button does not let you see the results for the student outside your section * verify that the "Moderate This Quiz" button does not let you see the results for the student outside your section Change-Id: I5f25f3b8272790366c9213ba4e1d58abbdfd6752 Reviewed-on: https://gerrit.instructure.com/13979 Tested-by: Jenkins <jenkins@instructure.com> Reviewed-by: Cody Cutrer <cody@instructure.com>
2012-09-27 09:45:11 -06:00 · 2012-09-27 09:45:11 -06:00 · 231e0842e0
parent bbcdfdfe21
commit 231e0842e0
2 changed files with 71 additions and 4 deletions
--- a/app/controllers/quizzes_controller.rb
+++ b/app/controllers/quizzes_controller.rb
@ -166,11 +166,10 @@ class QuizzesController < ApplicationController
  end

  def managed_quiz_data
-    @submissions = @quiz.quiz_submissions.select{|s| !s.settings_only? }
+    students = @context.students_visible_to(@current_user).order_by_sortable_name.to_a
+    @submissions = @quiz.quiz_submissions.for_user_ids(students.map(&:id)).select{|s| !s.settings_only? }
    submission_ids = {}
    @submissions.each{|s| submission_ids[s.user_id] = s.id }
-    submission_users = @submissions.map{|s| s.user_id}
-    students = @context.students.order_by_sortable_name.to_a
    @submitted_students = students.select{|stu| submission_ids[stu.id] }
    if @quiz.survey? && @quiz.anonymous_submissions
      @submitted_students = @submitted_students.sort_by{|stu| submission_ids[stu.id] }
@ -431,7 +430,7 @@ class QuizzesController < ApplicationController

  def moderate
    if authorized_action(@quiz, @current_user, :grade)
-      @all_students = @context.students.order_by_sortable_name
+      @all_students = @context.students_visible_to(@current_user).order_by_sortable_name
      if @quiz.survey? && @quiz.anonymous_submissions
        @students = @all_students.paginate(:per_page => 50, :page => params[:page], :order => :uuid)
      else
--- a/spec/controllers/quizzes_controller_spec.rb
+++ b/spec/controllers/quizzes_controller_spec.rb
@ -138,6 +138,74 @@ describe QuizzesController do
      assigns[:just_graded].should eql(false)
      assigns[:stored_params].should_not be_nil
    end
+
+    it "should respect section privilege limitations" do
+      course(:active_all => 1)
+      @section = @course.course_sections.create!(:name => 'section 2')
+      @user2 = user_with_pseudonym(:active_all => true, :name => 'Student2', :username => 'student2@instructure.com')
+      @section.enroll_user(@user2, 'StudentEnrollment', 'active')
+      @user1 = user_with_pseudonym(:active_all => true, :name => 'Student1', :username => 'student1@instructure.com')
+      @course.enroll_student(@user1)
+      @ta1 = user_with_pseudonym(:active_all => true, :name => 'TA1', :username => 'ta1@instructure.com')
+      @course.enroll_ta(@ta1).update_attribute(:limit_privileges_to_course_section, true)
+      course_quiz
+      @sub1 = @quiz.generate_submission(@user1)
+      @sub2 = @quiz.generate_submission(@user2)
+
+      user_session @teacher
+      get 'show', :course_id => @course.id, :id => @quiz.id
+      assigns[:submissions].sort_by(&:id).should ==[@sub1, @sub2].sort_by(&:id)
+      assigns[:submitted_students].sort_by(&:id).should == [@user1, @user2].sort_by(&:id)
+
+      user_session @ta1
+      get 'show', :course_id => @course.id, :id => @quiz.id
+      assigns[:submissions].should ==[@sub1]
+      assigns[:submitted_students].should == [@user1]
+    end
+  end
+
+  describe "GET 'moderate''" do
+    it "should require authorization" do
+      course_with_teacher(:active_all => true)
+      course_quiz
+      get 'moderate', :course_id => @course.id, :quiz_id => @quiz.id
+      assert_unauthorized
+    end
+
+    it "should assign variables" do
+      @student = course_with_student(:active_all => true).user
+      course_with_teacher_logged_in(:course => @course, :active_all => true)
+      course_quiz
+      @sub = @quiz.generate_submission(@student)
+      get 'moderate', :course_id => @course.id, :quiz_id => @quiz.id
+      assigns[:quiz].should == @quiz
+      assigns[:students].should == [@student]
+      assigns[:submissions].should == [@sub]
+    end
+
+    it "should respect section privilege limitations" do
+      course_with_teacher(:active_all => 1)
+      @section = @course.course_sections.create!(:name => 'section 2')
+      @user2 = user_with_pseudonym(:active_all => true, :name => 'Student2', :username => 'student2@instructure.com')
+      @section.enroll_user(@user2, 'StudentEnrollment', 'active')
+      @user1 = user_with_pseudonym(:active_all => true, :name => 'Student1', :username => 'student1@instructure.com')
+      @course.enroll_student(@user1)
+      @ta1 = user_with_pseudonym(:active_all => true, :name => 'TA1', :username => 'ta1@instructure.com')
+      @course.enroll_ta(@ta1).update_attribute(:limit_privileges_to_course_section, true)
+      course_quiz
+      @sub1 = @quiz.generate_submission(@user1)
+      @sub2 = @quiz.generate_submission(@user2)
+
+      user_session @teacher
+      get 'moderate', :course_id => @course.id, :quiz_id => @quiz.id
+      assigns[:students].sort_by(&:id).should == [@user1, @user2].sort_by(&:id)
+      assigns[:submissions].sort_by(&:id).should == [@sub1, @sub2].sort_by(&:id)
+
+      user_session @ta1
+      get 'moderate', :course_id => @course.id, :quiz_id => @quiz.id
+      assigns[:students].should == [@user1]
+      assigns[:submissions].should == [@sub1]
+    end
  end

  describe "POST 'reorder'" do