allow account admins with :read_roster to view user profile

but not logins without :manage_user_logins
and also not page views without :view_statistics

test plan:
* create an account admin role with ability to
 "See the list of users" and "Become other users"
* should be able to use the account users list
 to view users and become them

closes #CNVS-24914

Change-Id: I0a7f7bcf72fca2562a5654d69ef196d33b14c5a2
Reviewed-on: https://gerrit.instructure.com/66978
Tested-by: Jenkins
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Ryan Allen <rallen@instructure.com>
Product-Review: Cosme Salazar <cosme@instructure.com>
James Williams 2015-11-11 13:42:48 -07:00
parent 9bc2dc05bb
commit 3295b01b54
5 changed files with 10 additions and 5 deletions


@ -997,7 +997,7 @@ class UsersController < ApplicationController
get_context
@context_account = @context.is_a?(Account) ? @context : @domain_root_account
@user = params[:id] && params[:id] != 'self' ? User.find(params[:id]) : @current_user
if authorized_action(@user, @current_user, :view_statistics)
if authorized_action(@user, @current_user, :read_full_profile)
add_crumb(t('crumbs.profile', "%{user}'s profile", :user => @user.short_name), @user == @current_user ? user_profile_path(@current_user) : user_path(@user) )
@group_memberships = @user.current_group_memberships
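Review bot: Switching the gate on `show` to `:read_full_profile` means every instance variable the action assigns after this point is now available to any viewer holding that right, not just `:view_statistics` holders, and nothing in the hunk records that the finer checks moved into the views. A short why-comment above the `authorized_action` call would keep the next reader from re-adding a statistics check here: `# :read_full_profile = "may open this user's profile page"; logins and page views are gated per-section in the view (:manage_user_details / :view_statistics)`. The rest of the `show` body, including whatever page-view data it loads, is outside the hunk, so whether any of that loading should itself stay behind `:view_statistics` cannot be confirmed from here.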


@ -1052,7 +1052,10 @@ class User < ActiveRecord::Base
can :view_statistics and can :read and can :read_reports and can :manage_feature_flags and can :read_grades
given {|user| self.check_accounts_right?(user, :manage_user_logins) }
can :view_statistics and can :read and can :read_reports
can :read and can :read_reports
given {|user| self.check_accounts_right?(user, :read_roster) }
can :read_full_profile
given {|user| self.check_accounts_right?(user, :view_all_grades) }
can :read_grades
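Review bot: The new `:read_roster` grant gives `:read_full_profile` only, whereas the `:manage_user_logins` branch just above it grants `:read` and `:read_reports`, so a roster-only account user can pass a `:read_full_profile` check on a User while failing a `:read` check on the same User. If any caller tests `:read` before `:read_full_profile` (not visible in this hunk) that asymmetry will surface as a 401 on a page the description says should open. Either extend the grant to `can :read and can :read_full_profile`, or document the intent with `# roster-only admins may open the profile page, but get no reports or page views`. The `User` class continues outside the hunk.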


@ -1,3 +1,4 @@
<% if can_do(@user, @current_user, :manage, :manage_user_details) %>
<% css_bundle :user_logins %>
<% js_bundle :user_logins %>
<% js_env :PASSWORD_POLICY => (@domain_root_account.try(:password_policy) || {}) %>
@ -136,3 +137,4 @@
<button type="submit" class="btn btn-primary submit_button"><%= t('buttons.update_login', 'Update Login') %></button>
</div>
<% end %>
<% end %>
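Review bot: The new guard checks `:manage` / `:manage_user_details`, while the description says logins are hidden from users without `:manage_user_logins`; presumably `:manage_user_details` is the User-level right derived from that account permission, but the mapping is not visible here, so a comment tying the two together would help: `<%# logins are only rendered for users who may manage this user's details (account :manage_user_logins) %>`. Wrapping the partial only removes the markup from the page; the pseudonym create/update endpoints this form posts to must enforce the same right on their own, which cannot be confirmed from this hunk.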


@ -94,7 +94,7 @@
</fieldset>
</div>
<% if page_views_enabled? %>
<% if can_do(@user, @current_user, :view_statistics) && page_views_enabled? %>
<h3>
<%= t('page_views', 'Page Views') %>
</h3>
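Review bot: Hiding the "Page Views" heading keeps the section out of the HTML but does not by itself protect the page-view data; whatever endpoint fills that table must check `:view_statistics` server-side now that the controller's `show` action no longer does, and that endpoint is not in this change. Separately, the cheap feature flag should run before the permission lookup so disabled accounts skip the `can_do` call: `<% if page_views_enabled? && can_do(@user, @current_user, :view_statistics) %>`.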


@ -170,12 +170,12 @@ describe UsersController do
assert_status(401)
end
it "should show user to account users that have the view_statistics permission" do
it "should show user to account users that have the read_roster permission" do
account_model
student_in_course(:account => @account)
role = custom_account_role('custom', :account => @account)
RoleOverride.create!(:context => @account, :permission => 'view_statistics',
RoleOverride.create!(:context => @account, :permission => 'read_roster',
:role => role, :enabled => true)
@account.account_users.create!(user: user, role: role)
user_session(@user)
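Review bot: The renamed example only covers the positive path (a `read_roster` role can open the page); nothing asserts the two restrictions the description promises, that such a role gets neither logins nor page views. A companion example with the same setup should pin the model-level grants the views now rely on, so a later change to the `given` blocks in `User` cannot silently widen access. The example's request and status assertion lines sit outside the hunk.
```ruby
# … unchanged: read_roster example …
it "should not grant logins or page views to account users with only read_roster" do
  account_model
  student_in_course(:account => @account)
  role = custom_account_role('custom', :account => @account)
  RoleOverride.create!(:context => @account, :permission => 'read_roster',
    :role => role, :enabled => true)
  @account.account_users.create!(user: user, role: role)
  expect(@student.grants_right?(@user, :read_full_profile)).to be_truthy
  expect(@student.grants_right?(@user, :view_statistics)).to be_falsey
  expect(@student.grants_right?(@user, :manage_user_details)).to be_falsey
end
```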