fix: Visiting groups tab in k5 public course shows error

This PS removes the groups tab if the user does not have the
read_roster role, which is the same one used to hide/remove the people
tab and the one used to check if the user is authorized to request
the groups API.

fixes: LS-2939
flag= none

Test plan:

- Set a k5 subject as public
- Access the course without logging in
- Notice the groups tab is not present and the 401 error does not
appear anymore
- Access the course as a user that is not enrolled in the course
- Expect not to see the Groups tab
- Access the course as a user that is enrolled in the course
- Expect to see the Groups tab as usual

Change-Id: Ia1422a630111e433f14547d3d051e95a77a4f231
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/282957
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Product-Review: Jonathan Guardado <jonathan.guardado@instructure.com>
Reviewed-by: Robin Kuss <rkuss@instructure.com>
QA-Review: Robin Kuss <rkuss@instructure.com>
Jonathan Guardado 2022-01-17 22:16:53 -06:00
parent 643961cc17
commit 30695971cf
2 changed files with 25 additions and 0 deletions

@ -3234,6 +3234,7 @@ class Course < ActiveRecord::Base
tabs -= hidden_external_tabs if hidden_external_tabs.present? && !(opts[:api] && check_for_permission.call(:read_as_admin))
delete_unless.call([TAB_GRADES], :read_grades, :view_all_grades, :manage_grades)
delete_unless.call([TAB_GROUPS], :read_roster)
delete_unless.call([TAB_PEOPLE], :read_roster)
delete_unless.call([TAB_DISCUSSIONS], :read_forum, :post_to_forum, :create_forum, :moderate_forum)
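
Review bot: The new `delete_unless.call([TAB_GROUPS], :read_roster)` line duplicates the permission on the `TAB_PEOPLE` line directly below it, and nothing in the code records why the two are tied together. Since `delete_unless` already takes an array of tabs, consider `delete_unless.call([TAB_GROUPS, TAB_PEOPLE], :read_roster)` so the two tabs cannot drift apart, plus a short comment that `:read_roster` is the permission the groups API checks (per the commit message). Note also that this only hides the navigation entry; the 401 from the groups API remains the actual access control and should stay covered by its own specs.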

@ -3052,6 +3052,30 @@ describe Course do
expect(last_tab_id).to start_with "context_external_tool_"
end
end
context "public k5 subject" do
before :once do
@course.update(is_public: true, indexed: true)
@course.groups.create!
end
it "does not show groups tabs without a current user" do
tab_ids = @course.tabs_available(nil, course_subject_tabs: true).pluck(:id)
expect(tab_ids).not_to include(Course::TAB_GROUPS)
end
it "does not show groups tabs to a user not enrolled in the class" do
user_factory
tab_ids = @course.tabs_available(@user, course_subject_tabs: true).pluck(:id)
expect(tab_ids).not_to include(Course::TAB_GROUPS)
end
it "shows the groups tab to an enrolled user" do
@course.enroll_student(user_factory).accept!
tab_ids = @course.tabs_available(@user, course_subject_tabs: true).pluck(:id)
expect(tab_ids).to include(Course::TAB_GROUPS)
end
end
end
end
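
Review bot: The three examples in `context "public k5 subject"` distinguish users only by enrollment (no user, not enrolled, enrolled student), while the change gates the tab on `:read_roster`; there is no example for an enrolled user whose role has `:read_roster` revoked, so a regression that keyed the tab on enrollment instead of the permission would still pass. Adding that case would pin the tab to the same permission the API enforces. Two smaller points: the `before :once` block sets only `is_public` and `indexed`, so the k5-subject setup this context's name promises must come from an outer block that is not visible here and is worth making explicit, and the last two examples rely on `user_factory` assigning `@user` as a side effect; assigning the result to a local and passing it to `tabs_available` would make the subject of each assertion obvious.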