allow non-admin teachers to get user profiles

fixes CNVS-8913 test plan: - as a non-admin teacher - request student profile from api (users/:id/profile) - see that it works for your students - not for others though - as an admin - request student profile from api (users/:id/profile) - see that it works - as a student - go to profile page, see that it works - go to another students profile, see that it doesnt - request profile from api (users/:id/profile) see that it works the same Change-Id: Ic4b32bfa3beecf23ac95c75c948880306ef55d60 Reviewed-on: https://gerrit.instructure.com/45230 Tested-by: Jenkins <jenkins@instructure.com> Reviewed-by: Simon Williams <simon@instructure.com> QA-Review: Adam Stone <astone@instructure.com> Product-Review: Matt Fairbourn <mfairbourn@instructure.com>
2014-12-03 15:26:37 -06:00 · 2014-12-03 15:26:37 -06:00 · 3c03c5d52e
parent e048d95bd5
commit 3c03c5d52e
2 changed files with 76 additions and 2 deletions
--- a/app/controllers/profile_controller.rb
+++ b/app/controllers/profile_controller.rb
@ -189,9 +189,9 @@ class ProfileController < ApplicationController
  def settings
    if api_request?
      # allow querying this basic profile data for the current user, or any
-      # user the current user has view_statistics access to
+      # user the current user has renaming rights for (their teachers and admins)
      @user = api_find(User, params[:user_id])
-      return unless @user == @current_user || authorized_action(@user, @current_user, :view_statistics)
+      return unless @user == @current_user || authorized_action(@user, @current_user, :rename)
    else
      @user = @current_user
      @user.dismiss_bouncing_channel_message!
--- a/spec/apis/v1/profiles_api_controller_spec.rb
+++ b/spec/apis/v1/profiles_api_controller_spec.rb
@ -0,0 +1,74 @@
+#
+# Copyright (C) 2014 Instructure, Inc.
+#
+# This file is part of Canvas.
+#
+# Canvas is free software: you can redistribute it and/or modify it under
+# the terms of the GNU Affero General Public License as published by the Free
+# Software Foundation, version 3 of the License.
+#
+# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+require File.expand_path(File.dirname(__FILE__) + '/../api_spec_helper')
+
+
+def call_setting(opts)
+  status_assertion = opts[:assert_unauthorized] ? {:expected_status => 401} : {}
+  api_call_as_user(opts[:as_user], :get,
+    "/api/v1/users/#{opts[:for_user].id}/profile.json",
+    { :controller => 'profile', :action => 'settings',
+      :format => 'json', :user_id => opts[:for_user].id },{},{}, status_assertion)
+end
+
+describe 'ProfileController', type: :request do
+  context "setting permissions" do
+    context "admin" do
+      it "should show all profiles" do
+        admin = account_admin_user
+        user = user_with_pseudonym
+
+        json = call_setting(as_user: admin, for_user: user)
+        expect(json["short_name"]).to eq("User")
+      end
+    end
+
+    context "teacher" do
+      it "should show profiles for their students" do
+        course_with_teacher(:active_all => true)
+        e = course_with_user("StudentEnrollment", course: @course, active_all: true)
+        user = e.user
+
+        json = call_setting(as_user: @teacher, for_user: user)
+        expect(json["short_name"]).to eq("User")
+      end
+      it "should return unauthorized profiles for other students" do
+        course_with_teacher(:active_all => true)
+        user = user_with_pseudonym
+
+        json = call_setting(as_user: @teacher, for_user: user, assert_unauthorized: true)
+      end
+    end
+
+    context "student" do
+      it "should show a profile if it is theirs" do
+        user = user_with_pseudonym(:active_user => true)
+
+        json = call_setting(as_user: user, for_user: user)
+        expect(json["short_name"]).to eq("User")
+      end
+      it "should return unauthorized when attempting to access another students profile" do
+        user_one = user_with_pseudonym(:active_user => true)
+        user_two = user_with_pseudonym(:active_user => true, :user => user)
+
+        json = call_setting(as_user: user_one, for_user: user_two, assert_unauthorized: true)
+      end
+    end
+  end
+end