limit roster visibility by section

test plan: ensure that a section-limited user in a course (teacher or student) cannot view the user profile page for a user in another section by URL /courses/X/users/Y closes CNVS-34380 Change-Id: Ib095ff40a303a1b3239115430e2c735b3385f9a6 Reviewed-on: https://gerrit.instructure.com/106233 Tested-by: Jenkins Reviewed-by: James Williams <jamesw@instructure.com> QA-Review: Deepeeca Soundarrajan <dsoundarrajan@instructure.com> Product-Review: Chris Ward <cward@instructure.com>
2017-03-23 19:10:39 -06:00 · 2017-03-23 19:10:39 -06:00 · 27f7c77c4c
parent 2e927dc30b
commit 27f7c77c4c
2 changed files with 34 additions and 2 deletions
--- a/app/controllers/context_controller.rb
+++ b/app/controllers/context_controller.rb
@ -321,7 +321,7 @@ class ContextController < ApplicationController
      end
      user_id = Shard.relative_id_for(params[:id], Shard.current, @context.shard)
      if @context.is_a?(Course)
-        scope = @context.enrollments.where(user_id: user_id)
+        scope = @context.enrollments_visible_to(@current_user).where(user_id: user_id)
        scope = @context.grants_right?(@current_user, session, :read_as_admin) ? scope.active : scope.active_or_pending
        @membership = scope.first

@ -341,7 +341,7 @@ class ContextController < ApplicationController
        return
      end

-      @enrollments = @context.enrollments.for_user(@user) rescue []
+      @enrollments = @context.enrollments_visible_to(@current_user).for_user(@user) rescue []

      if @domain_root_account.enable_profiles?
        @user_data = profile_data(
--- a/spec/controllers/context_controller_spec.rb
+++ b/spec/controllers/context_controller_spec.rb
@ -158,6 +158,38 @@ describe ContextController do
        expect(response).to be_success
      end
    end
+
+    describe 'section visibility' do
+      before :once do
+        @other_section = @course.course_sections.create! :name => 'Other Section FRD'
+        @course.enroll_teacher(@teacher, :section => @other_section, :allow_multiple_enrollments => true).accept!
+        @other_student = user_factory
+        @course.enroll_student(@other_student, :section => @other_section, :limit_privileges_to_course_section => true).accept!
+      end
+
+      it 'prevents section-limited users from seeing users in other sections' do
+        user_session(@student)
+        get 'roster_user', :course_id => @course.id, :id => @other_student.id
+        expect(response).to be_success
+
+        user_session(@other_student)
+        get 'roster_user', :course_id => @course.id, :id => @student.id
+        expect(response).to be_redirect
+        expect(flash[:error]).to be_present
+      end
+
+      it 'limits enrollments by visibility' do
+        user_session(@student)
+        get 'roster_user', :course_id => @course.id, :id => @teacher.id
+        expect(response).to be_success
+        expect(assigns[:enrollments].map(&:course_section_id)).to match_array([@course.default_section.id, @other_section.id])
+
+        user_session(@other_student)
+        get 'roster_user', :course_id => @course.id, :id => @teacher.id
+        expect(response).to be_success
+        expect(assigns[:enrollments].map(&:course_section_id)).to match_array([@other_section.id])
+      end
+    end
  end

  describe "POST 'object_snippet'" do