prevent userobserver pairs from merging together

test plan: * create a student user * enable self-registration for observer accounts on the root account * use the form on the login screen to create a parent (observer) account for the student * should have sent an e-mail to confirm the account with a link to register the account * while logged in as the student, follow the confirmation link * should not recieve a prompt to "add this e-mail address to your current account" (i.e. merge together) closes #CNVS-15619 Change-Id: I24a8c339875abf416d0e7853944b7eeae64f78e3 Reviewed-on: https://gerrit.instructure.com/44756 Reviewed-by: Jeremy Stanley <jeremy@instructure.com> Tested-by: Jenkins <jenkins@instructure.com> QA-Review: Matt Fairbourn <mfairbourn@instructure.com> Product-Review: Cosme Salazar <cosme@instructure.com>
2014-11-21 12:23:25 -07:00 · 2014-11-21 12:23:25 -07:00 · 4241387ce2
parent 4e9d392337
commit 4241387ce2
2 changed files with 30 additions and 0 deletions
--- a/app/controllers/communication_channels_controller.rb
+++ b/app/controllers/communication_channels_controller.rb
@ -245,6 +245,8 @@ class CommunicationChannelsController < ApplicationController
      # load merge opportunities
      merge_users = cc.merge_candidates
      merge_users << @current_user if @current_user && !@user.registered? && !merge_users.include?(@current_user)
+      user_observers = UserObserver.where("user_id = ? OR observer_id = ?", @user.id, @user.id)
+      merge_users = merge_users.reject { |u| user_observers.any?{|uo| uo.user == u || uo.observer == u} }
      # remove users that don't have a pseudonym for this account, or one can't be created
      merge_users = merge_users.select { |u| u.find_or_initialize_pseudonym_for_account(@root_account, @domain_root_account) }
      @merge_opportunities = []
--- a/spec/controllers/communication_channels_controller_spec.rb
+++ b/spec/controllers/communication_channels_controller_spec.rb
@ -459,6 +459,34 @@ describe CommunicationChannelsController do
        expect(@logged_user.communication_channels.all? { |cc| cc.active? }).to be_truthy
      end

+      it "should not allow merging with someone that's observed through a UserObserver relationship" do
+        user_with_pseudonym(:username => 'jt@instructure.com', :active_all => 1)
+        @not_logged_user = @user
+        user_with_pseudonym(:username => 'jt+1@instructure.com', :active_all => 1)
+        @logged_user = @user
+
+        @not_logged_user.observers << @logged_user
+
+        user_session(@logged_user, @pseudonym)
+
+        get 'confirm', :nonce => @not_logged_user.email_channel.confirmation_code, :confirm => 1
+        expect(response).to render_template('confirm_failed')
+      end
+
+      it "should not allow merging with someone that's observing through a UserObserver relationship" do
+        user_with_pseudonym(:username => 'jt@instructure.com', :active_all => 1)
+        @not_logged_user = @user
+        user_with_pseudonym(:username => 'jt+1@instructure.com', :active_all => 1)
+        @logged_user = @user
+
+        @logged_user.observers << @not_logged_user
+
+        user_session(@logged_user, @pseudonym)
+
+        get 'confirm', :nonce => @not_logged_user.email_channel.confirmation_code, :confirm => 1
+        expect(response).to render_template('confirm_failed')
+      end
+
      it "should not allow merging with someone that's not a merge opportunity" do
        user_with_pseudonym(:username => 'jt@instructure.com', :active_all => 1)
        @not_logged_user = @user