From 54e052a0d3de7dc4424f0ddd8196c4c767f49716 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Omar=20Gerardo=20Soto-Fortu=C3=B1o?=
 <omar.soto@instructure.com>
Date: Thu, 4 Jan 2024 09:44:37 -0500
Subject: [PATCH] Prevent setting restricted fields for parent assignments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

refs VICE-4020
flag=none

test plan:
  - Specs pass.

qa risk: low

Change-Id: I87579353484660aea9dd88ab21e3fc897a6e0a24
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/336653
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Drake Harper <drake.harper@instructure.com>
QA-Review: Jason Gillett <jason.gillett@instructure.com>
Product-Review: Omar Soto-Fortuño <omar.soto@instructure.com>
---
 app/graphql/mutations/assignment_base.rb      | 17 ++++++
 app/graphql/mutations/create_assignment.rb    |  2 +
 .../mutations/create_assignment_spec.rb       | 56 +++++++++++++++++++
 3 files changed, 75 insertions(+)

diff --git a/app/graphql/mutations/assignment_base.rb b/app/graphql/mutations/assignment_base.rb
index 0c46dceb243..553d1cf472b 100644
--- a/app/graphql/mutations/assignment_base.rb
+++ b/app/graphql/mutations/assignment_base.rb
@@ -149,6 +149,7 @@ class Mutations::AssignmentBase < Mutations::BaseMutation
            "requires anonymous_marking course feature to be set to true",
            required: false
   argument :module_ids, [ID], required: false
+  argument :for_checkpoints, Boolean, required: false
 
   # the return data if the update is successful
   field :assignment, Types::AssignmentType, null: true
@@ -178,6 +179,10 @@ class Mutations::AssignmentBase < Mutations::BaseMutation
 
   def prepare_overrides!(input_hash, api_proxy)
     if input_hash.key?(:assignment_overrides) && input_hash[:assignment_overrides].present?
+      if input_hash[:for_checkpoints]
+        raise GraphQL::ExecutionError, "Assignment overrides are not allowed in the parent assignment for checkpoints."
+      end
+
       api_proxy.load_root_account
       input_hash[:assignment_overrides].each do |override|
         if override[:id].blank?
@@ -285,4 +290,16 @@ class Mutations::AssignmentBase < Mutations::BaseMutation
 
     @working_assignment.restore
   end
+
+  def validate_for_checkpoints(input_hash)
+    return unless input_hash[:for_checkpoints]
+
+    restricted_keys = %i[points_possible due_at lock_at unlock_at].freeze
+
+    restricted_keys.each do |key|
+      if input_hash.key?(key)
+        raise GraphQL::ExecutionError, "Cannot set #{key} in the parent assignment for checkpoints."
+      end
+    end
+  end
 end
diff --git a/app/graphql/mutations/create_assignment.rb b/app/graphql/mutations/create_assignment.rb
index 539e58839c2..69848c2d2d9 100644
--- a/app/graphql/mutations/create_assignment.rb
+++ b/app/graphql/mutations/create_assignment.rb
@@ -50,6 +50,8 @@ class Mutations::CreateAssignment < Mutations::AssignmentBase
 
     api_proxy = ApiProxy.new(context[:request], @working_assignment, context[:session], current_user)
 
+    validate_for_checkpoints(input_hash)
+
     # modifies input_hash
     prepare_input_params!(input_hash, api_proxy)
 
diff --git a/spec/graphql/mutations/create_assignment_spec.rb b/spec/graphql/mutations/create_assignment_spec.rb
index 1e0c062243f..47de61b5cea 100644
--- a/spec/graphql/mutations/create_assignment_spec.rb
+++ b/spec/graphql/mutations/create_assignment_spec.rb
@@ -400,4 +400,60 @@ describe Mutations::CreateAssignment do
     expect(errors).to_not be_nil
     expect(errors[0]["message"]).to include "invalid course"
   end
+
+  it "gets an error when trying to set a restricted params (pointsPossible) and forCheckpoints is true" do
+    result = execute_with_input <<~GQL
+      name: "Parent Assignment for Checkpoints"
+      courseId: "#{@course.to_param}"
+      pointsPossible: 100
+      forCheckpoints: true
+    GQL
+    errors = result["errors"]
+
+    expect(errors[0]["message"]).to eq "Cannot set points_possible in the parent assignment for checkpoints."
+  end
+
+  it "allows to set a restricted params (pointsPossible) and forCheckpoints is undefined thus false" do
+    result = execute_with_input <<~GQL
+      name: "Regular Assignment"
+      courseId: "#{@course.to_param}"
+      pointsPossible: 100
+    GQL
+    errors = result["errors"]
+
+    expect(errors).to be_nil
+  end
+
+  it "gets an error when trying to set assignmentOverrides and forCheckpoints is true" do
+    result = execute_with_input <<~GQL
+      name: "Parent Assignment for Checkpoints"
+      courseId: "#{@course.to_param}"
+      assignmentOverrides: [
+        {
+          noopId: "1",
+          title: "Mastery Paths"
+        }
+      ]
+      forCheckpoints: true
+    GQL
+    errors = result["errors"]
+
+    expect(errors[0]["message"]).to eq "Assignment overrides are not allowed in the parent assignment for checkpoints."
+  end
+
+  it "allows to set assignmentOverrides and forCheckpoints is undefined thus false" do
+    result = execute_with_input <<~GQL
+      name: "Regular Assignment"
+      courseId: "#{@course.to_param}"
+      assignmentOverrides: [
+        {
+          noopId: "1",
+          title: "Mastery Paths"
+        }
+      ]
+    GQL
+    errors = result["errors"]
+
+    expect(errors).to be_nil
+  end
 end