add datafix migration for manage courses granular permissions

closes FOO-1761
flag = granular_permissions_manage_courses

test plan:
 • ensure migration covers the proper role overrides to populate
   any derived custome role types from the parent base role type

Change-Id: Ife2e1a7a4a3a1f4dcdddd6de69f72580620749ae
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/261089
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>

db/migrate/20210316214934_granular_manage_courses_permissions.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+#
+# Copyright (C) 2021 - present Instructure, Inc.
+#
+# This file is part of Canvas.
+#
+# Canvas is free software: you can redistribute it and/or modify it under
+# the terms of the GNU Affero General Public License as published by the Free
+# Software Foundation, version 3 of the License.
+#
+# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+class GranularManageCoursesPermissions < ActiveRecord::Migration[6.0]
+  tag :postdeploy
+
+  def change
+    DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesDelete.run(
+      base_role_type: 'AccountAdmin'
+    )
+    DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesDelete.run(
+      base_role_type: 'AccountMembership'
+    )
+    DataFixup::AddRoleOverridesForNewPermission.run(
+      :change_course_state,
+      :manage_courses_delete,
+      base_role_type: 'TeacherEnrollment'
+    )
+    DataFixup::AddRoleOverridesForNewPermission.run(
+      :change_course_state,
+      :manage_courses_delete,
+      base_role_type: 'DesignerEnrollment'
+    )
+    DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesAdd.run
+    DataFixup::AddRoleOverridesForNewPermission.run(:manage_courses, :manage_courses_admin)
+    DataFixup::AddRoleOverridesForNewPermission.run(:manage_courses, :manage_courses_add)
+    DataFixup::AddRoleOverridesForNewPermission.run(:change_course_state, :manage_courses_publish)
+    DataFixup::AddRoleOverridesForNewPermission.run(:change_course_state, :manage_courses_conclude)
+  end
+end

lib/data_fixup/granular_permissions/add_role_overrides_for_manage_courses_add.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+#
+# Copyright (C) 2021 - present Instructure, Inc.
+#
+# This file is part of Canvas.
+#
+# Canvas is free software: you can redistribute it and/or modify it under
+# the terms of the GNU Affero General Public License as published by the Free
+# Software Foundation, version 3 of the License.
+#
+# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+
+module DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesAdd
+  # Find all roles with a base role type of %w[TeacherEnrollment DesignerEnrollment]
+  # or %w[StudentEnrollment ObserverEnrollment] that also have a correlating root account
+  # setting allowing teachers_can_create_courses? or students_can_create_courses?
+  # Creates new role overrides for those roles based upon the prior scope, excluding site admin
+  # Defaults to: [enabled: true, locked: false, applies_to_self: true, applies_to_descendants: true]
+  class << self
+    def run
+      add_new_role_overrides(%w[TeacherEnrollment DesignerEnrollment])
+      add_new_role_overrides(%w[StudentEnrollment ObserverEnrollment])
+    end
+
+    def add_new_role_overrides(base_role_types)
+      roles = Role.where.not(workflow_state: 'deleted').where(base_role_type: base_role_types)
+
+      roles.each do |role|
+        next if role.root_account.site_admin? || role.root_account.id == 0
+
+        root_account = role.root_account
+        role_context = role.built_in? ? root_account : role.account
+        scope = root_account.enrollments.active
+
+        if base_role_types == %w[TeacherEnrollment DesignerEnrollment]
+          if root_account.teachers_can_create_courses? && scope.where(type: base_role_types).exists?
+            create_role_override(role, role_context)
+          end
+        elsif base_role_types == %w[StudentEnrollment ObserverEnrollment]
+          if root_account.students_can_create_courses? && scope.where(type: base_role_types).exists?
+            create_role_override(role, role_context)
+          end
+        end
+      end
+    end
+
+    def create_role_override(role, role_context)
+      if RoleOverride.where(permission: 'manage_courses_add', context: role_context, role: role)
+           .exists?
+        return
+      end
+
+      RoleOverride.create!(
+        context: role_context,
+        permission: 'manage_courses_add',
+        role: role,
+        enabled: true
+      )
+    end
+  end
+end

lib/data_fixup/granular_permissions/add_role_overrides_for_manage_courses_delete.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+#
+# Copyright (C) 2021 - present Instructure, Inc.
+#
+# This file is part of Canvas.
+#
+# Canvas is free software: you can redistribute it and/or modify it under
+# the terms of the GNU Affero General Public License as published by the Free
+# Software Foundation, version 3 of the License.
+#
+# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+
+module DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesDelete
+  # Find all role overrides with a permission of :manage_courses and :change_course_state
+  # that share the same base role type. Use that as the new scoped relation for migrating
+  # to the new granular role override permission :manage_courses_delete
+  class << self
+    def run(base_role_type: nil)
+      roles_for_manage_courses_delete =
+        Role
+          .joins(:role_overrides)
+          .where.not(workflow_state: 'deleted')
+          .where(base_role_type: base_role_type)
+          .where(
+            'role_overrides.permission = ? OR role_overrides.permission = ?',
+            'manage_courses',
+            'change_course_state'
+          )
+          .distinct
+
+      role_overrides =
+        RoleOverride
+          .where(
+            permission: %w[manage_courses change_course_state],
+            role_id: roles_for_manage_courses_delete
+          )
+          .index_by { |ro| [ro.role_id, ro.permission] }
+
+      roles_for_manage_courses_delete.each do |role|
+        manage_courses_ro = role_overrides[[role.id, 'manage_courses']]
+        change_course_state_ro = role_overrides[[role.id, 'change_course_state']]
+
+        if base_role_type == 'AccountAdmin' &&
+             (
+               (manage_courses_ro && !manage_courses_ro.enabled) ||
+                 (change_course_state_ro && !change_course_state_ro.enabled)
+             )
+          check_locked_state_and_create_ro(manage_courses_ro, change_course_state_ro)
+        elsif base_role_type == 'AccountMembership' &&
+              (manage_courses_ro&.enabled && change_course_state_ro&.enabled)
+          check_locked_state_and_create_ro(manage_courses_ro, change_course_state_ro, enabled: true)
+        else
+          next
+        end
+      end
+    end
+
+    def check_locked_state_and_create_ro(manage_courses_ro, change_course_state_ro, enabled: false)
+      if change_course_state_ro&.locked
+        # use change_course_state role override if locked
+        add_new_role_override(change_course_state_ro, enabled)
+      else
+        # otherwise use manage_courses role override for the copy unless nil
+        add_new_role_override(manage_courses_ro || change_course_state_ro, enabled)
+      end
+    end
+
+    def add_new_role_override(base_override, enabled)
+      new_ro = RoleOverride.new
+      new_ro.permission = 'manage_courses_delete'
+      attrs =
+        base_override.attributes.slice(
+          *%w[
+            context_type
+            context_id
+            role_id
+            locked
+            enabled
+            applies_to_self
+            applies_to_descendants
+            applies_to_env
+            root_account_id
+          ]
+        )
+      new_ro.assign_attributes(attrs)
+      new_ro.enabled = enabled
+      new_ro.save!
+    end
+  end
+end

spec/lib/data_fixup/granular_permissions/add_role_overrides_for_manage_courses_add_spec.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+
+#
+# Copyright (C) 2021 - present Instructure, Inc.
+#
+# This file is part of Canvas.
+#
+# Canvas is free software: you can redistribute it and/or modify it under
+# the terms of the GNU Affero General Public License as published by the Free
+# Software Foundation, version 3 of the License.
+#
+# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# built-in roles are only associated to a root account and have nil for account_id
+# and a workflow_state of 'built_in'
+
+require 'spec_helper'
+
+describe 'DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesAdd' do
+  before(:once) { @account = account_model(parent_account: Account.default) }
+
+  it "doesn't create role overrides if 'teachers/students can create courses' setting is not enabled" do
+    @account.roles.create(name: 'Custom Teacher Role', base_role_type: 'TeacherEnrollment')
+    @account.roles.create(name: 'Custom Student Role', base_role_type: 'StudentEnrollment')
+    teacher_in_course(active_all: true)
+    student_in_course(active_all: true)
+
+    DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesAdd.run
+
+    expect(RoleOverride.where(permission: 'manage_courses_add').count).to eq 0
+  end
+
+  it "doesn't create role overrides if there are no active enrollments for specified setting" do
+    @account.root_account.update(settings: { teachers_can_create_courses: true })
+    @account.roles.create(name: 'Custom Teacher Role', base_role_type: 'TeacherEnrollment')
+
+    DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesAdd.run
+
+    expect(RoleOverride.where(permission: 'manage_courses_add').count).to eq 0
+  end
+
+  it 'skips roles associated to site admin' do
+    @account.root_account.update(settings: { teachers_can_create_courses: true })
+    @account.roles.create(name: 'Custom Teacher Role', base_role_type: 'TeacherEnrollment')
+    @account.roles.create(name: 'Custom Designer Role', base_role_type: 'DesignerEnrollment')
+    teacher_in_course(active_all: true)
+    designer_in_course(active_all: true)
+
+    DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesAdd.run
+
+    expect(
+      RoleOverride.where(permission: 'manage_courses_add').map { |ro| ro.root_account.site_admin? }
+    ).not_to include(true)
+  end
+
+  it 'creates role overrides for all built-in / base roles that are supported' do
+    @account.root_account.update(
+      settings: {
+        teachers_can_create_courses: true,
+        students_can_create_courses: true
+      }
+    )
+    @account.roles.create(name: 'Custom Teacher Role', base_role_type: 'TeacherEnrollment')
+    @account.roles.create(name: 'Custom Designer Role', base_role_type: 'DesignerEnrollment')
+    @account.roles.create(name: 'Custom Student Role', base_role_type: 'StudentEnrollment')
+    @account.roles.create(name: 'Custom Observer Role', base_role_type: 'ObserverEnrollment')
+    teacher_in_course(active_all: true)
+    student_in_course(active_all: true)
+
+    DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesAdd.run
+
+    # four built-in roles on the root account + the additional
+    # four custom roles with the same base role type on the sub-account
+    expect(RoleOverride.where(permission: 'manage_courses_add').count).to eq 8
+  end
+
+  context 'teachers can create courses' do
+    it 'creates role overrides for built-in and custom TeacherEnrollment' do
+      @account.root_account.update(settings: { teachers_can_create_courses: true })
+      @account.roles.create(name: 'Custom Teacher Role', base_role_type: 'TeacherEnrollment')
+      teacher_in_course(active_all: true)
+
+      DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesAdd.run
+
+      expect(RoleOverride.where(permission: 'manage_courses_add').count).to eq 3
+    end
+
+    it 'creates role overrides for built-in and custom DesignerEnrollment' do
+      @account.root_account.update(settings: { teachers_can_create_courses: true })
+      @account.roles.create(name: 'Custom Designer Role', base_role_type: 'DesignerEnrollment')
+      designer_in_course(active_all: true)
+
+      DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesAdd.run
+
+      expect(RoleOverride.where(permission: 'manage_courses_add').count).to eq 3
+    end
+  end
+
+  context 'students can create courses' do
+    it 'creates role overrides for built-in / base roles StudentEnrollment, ObserverEnrollment' do
+      @account.root_account.update(settings: { students_can_create_courses: true })
+      @account.roles.create(name: 'Custom Student Role', base_role_type: 'StudentEnrollment')
+      student_in_course(active_all: true)
+
+      DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesAdd.run
+
+      expect(RoleOverride.where(permission: 'manage_courses_add').count).to eq 3
+    end
+
+    it 'creates role overrides for built-in / base roles ObserverEnrollment, StudentEnrollment' do
+      @account.root_account.update(settings: { students_can_create_courses: true })
+      @account.roles.create(name: 'Custom Observer Role', base_role_type: 'ObserverEnrollment')
+      observer_in_course(active_all: true)
+
+      DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesAdd.run
+
+      expect(RoleOverride.where(permission: 'manage_courses_add').count).to eq 3
+    end
+  end
+end

spec/lib/data_fixup/granular_permissions/add_role_overrides_for_manage_courses_delete_spec.rb

@@ -0,0 +1,184 @@
+# frozen_string_literal: true
+
+#
+# Copyright (C) 2021 - present Instructure, Inc.
+#
+# This file is part of Canvas.
+#
+# Canvas is free software: you can redistribute it and/or modify it under
+# the terms of the GNU Affero General Public License as published by the Free
+# Software Foundation, version 3 of the License.
+#
+# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'spec_helper'
+
+describe 'DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesDelete' do
+  def create_role_override(permission, role, enabled: false)
+    RoleOverride.create!(
+      context: @account,
+      permission: permission.to_s,
+      role: role,
+      enabled: enabled
+    )
+  end
+
+  before(:once) do
+    @account = account_model(parent_account: Account.default)
+    @account_membership_role =
+      @account.roles.create(name: 'Custom Account Role', base_role_type: 'AccountMembership')
+    @account_membership_role2 =
+      @account.roles.create(name: 'Custom Account Role2', base_role_type: 'AccountMembership')
+    @account_admin_role =
+      @account.roles.create(name: 'Custom Admin Role', base_role_type: 'AccountAdmin')
+    @account_admin_role2 =
+      @account.roles.create(name: 'Custom Admin Role2', base_role_type: 'AccountAdmin')
+  end
+
+  context 'AccountAdmin' do
+    it 'creates a role override that is not enabled if either base role override is not enabled' do
+      create_role_override('manage_courses', @account_admin_role, enabled: true)
+      create_role_override('change_course_state', @account_admin_role, enabled: false)
+
+      DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesDelete.run(
+        base_role_type: 'AccountAdmin'
+      )
+
+      expect(RoleOverride.where(permission: 'manage_courses_delete').count).to eq 1
+      new_ro =
+        RoleOverride.where(permission: 'manage_courses_delete', role_id: @account_admin_role.id)
+          .first
+      expect(new_ro.context).to eq @account
+      expect(new_ro.role).to eq @account_admin_role
+      expect(new_ro.enabled).to be_falsey
+      old_manage_courses_ro =
+        RoleOverride.where(permission: 'manage_courses', role_id: @account_admin_role.id).first
+      old_change_course_state_ro =
+        RoleOverride.where(permission: 'change_course_state', role_id: @account_admin_role.id).first
+      expect(old_manage_courses_ro.enabled).to be_truthy
+      expect(old_change_course_state_ro.enabled).to be_falsey
+    end
+
+    it 'should create a new role override for :manage_courses_delete that is disabled' do
+      create_role_override('manage_courses', @account_admin_role, enabled: false)
+
+      DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesDelete.run(
+        base_role_type: 'AccountAdmin'
+      )
+
+      expect(RoleOverride.where(permission: 'manage_courses_delete').count).to eq 1
+      new_ro =
+        RoleOverride.where(permission: 'manage_courses_delete', role_id: @account_admin_role.id)
+          .first
+      expect(new_ro.context).to eq @account
+      expect(new_ro.role).to eq @account_admin_role
+      expect(new_ro.enabled).to be_falsey
+      old_manage_courses_ro =
+        RoleOverride.where(permission: 'manage_courses', role_id: @account_admin_role.id).first
+      expect(old_manage_courses_ro.enabled).to be_falsey
+    end
+
+    it 'does not create a role override if both base role overrides are enabled' do
+      create_role_override('manage_courses', @account_admin_role, enabled: true)
+      create_role_override('change_course_state', @account_admin_role, enabled: true)
+
+      DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesDelete.run(
+        base_role_type: 'AccountAdmin'
+      )
+
+      expect(RoleOverride.where(permission: 'manage_courses_delete').count).to eq 0
+    end
+
+    it 'only creates one new role override per base role override type' do
+      create_role_override('manage_courses', @account_admin_role, enabled: false)
+      create_role_override('change_course_state', @account_admin_role, enabled: false)
+      create_role_override('manage_courses', @account_admin_role2, enabled: false)
+      create_role_override('change_course_state', @account_admin_role2, enabled: false)
+
+      DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesDelete.run(
+        base_role_type: 'AccountAdmin'
+      )
+
+      expect(RoleOverride.where(permission: 'manage_courses_delete').count).to eq 2
+    end
+
+    it 'does not create a new role override if no base role overrides exist' do
+      DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesDelete.run(
+        base_role_type: 'AccountAdmin'
+      )
+
+      expect(RoleOverride.where(permission: 'manage_courses_delete').count).to eq 0
+      expect(RoleOverride.where(permission: 'manage_courses').count).to eq 0
+      expect(RoleOverride.where(permission: 'change_course_state').count).to eq 0
+    end
+  end
+
+  context 'AccountMembership' do
+    it 'only creates a role override if both base role overrides are enabled' do
+      create_role_override('manage_courses', @account_membership_role, enabled: true)
+      create_role_override('change_course_state', @account_membership_role, enabled: true)
+
+      DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesDelete.run(
+        base_role_type: 'AccountMembership'
+      )
+
+      expect(RoleOverride.where(permission: 'manage_courses_delete').count).to eq 1
+      new_ro =
+        RoleOverride.where(
+          permission: 'manage_courses_delete',
+          role_id: @account_membership_role.id
+        ).first
+      expect(new_ro.context).to eq @account
+      expect(new_ro.role).to eq @account_membership_role
+      expect(new_ro.enabled).to be_truthy
+      old_manage_courses_ro =
+        RoleOverride.where(permission: 'manage_courses', role_id: @account_membership_role.id).first
+      old_change_course_state_ro =
+        RoleOverride.where(permission: 'change_course_state', role_id: @account_membership_role.id)
+          .first
+      expect(old_manage_courses_ro.enabled).to be_truthy
+      expect(old_change_course_state_ro.enabled).to be_truthy
+    end
+
+    it 'does not create a role override if either base role override is disabled' do
+      create_role_override('manage_courses', @account_membership_role, enabled: true)
+      create_role_override('change_course_state', @account_membership_role, enabled: false)
+
+      DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesDelete.run(
+        base_role_type: 'AccountMembership'
+      )
+
+      expect(RoleOverride.where(permission: 'manage_courses_delete').count).to eq 0
+    end
+
+    it 'does not create a new role override if no base role overrides exist' do
+      DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesDelete.run(
+        base_role_type: 'AccountMembership'
+      )
+
+      expect(RoleOverride.where(permission: 'manage_courses_delete').count).to eq 0
+      expect(RoleOverride.where(permission: 'manage_courses').count).to eq 0
+      expect(RoleOverride.where(permission: 'change_course_state').count).to eq 0
+    end
+
+    it 'only creates one new role override per base role override type' do
+      create_role_override('manage_courses', @account_membership_role, enabled: true)
+      create_role_override('change_course_state', @account_membership_role, enabled: true)
+      create_role_override('manage_courses', @account_membership_role2, enabled: true)
+      create_role_override('change_course_state', @account_membership_role2, enabled: true)
+
+      DataFixup::GranularPermissions::AddRoleOverridesForManageCoursesDelete.run(
+        base_role_type: 'AccountMembership'
+      )
+
+      expect(RoleOverride.where(permission: 'manage_courses_delete').count).to eq 2
+    end
+  end
+end