ylqjgm
/
canvas-lms
mirror of https://github.com/instructure/canvas-lms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

don't add verifiers for unpublished files in public syllabus 

test plan:
* create a public published course
* add a link to an unpublished file on the syllabus
* should not be accessible publicly

closes #CNVS-18404

Change-Id: I5767cd31e614ec36f1820beef8b688e98bbca4f2
Reviewed-on: https://gerrit.instructure.com/48376
Tested-by: Jenkins
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: James Williams  <jamesw@instructure.com>
This commit is contained in:
James Williams 2015-02-06 10:59:38 -07:00
parent 9166d023f5
commit 5f4c89e1b6
2 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/api.rb
View File

@ -412,7 +412,7 @@ module Api
end end
end end
next unless obj && (is_public || obj.grants_right?(user, nil, :download)) next unless obj && ((is_public && !obj.locked_for?(user)) || obj.grants_right?(user, nil, :download))
if ["Course", "Group", "Account", "User"].include?(obj.context_type) if ["Course", "Group", "Account", "User"].include?(obj.context_type)
opts = {:verifier => obj.uuid, :only_path => true} opts = {:verifier => obj.uuid, :only_path => true}

21
spec/integration/syllabus_spec.rb
View File

@ -40,7 +40,7 @@ describe "syllabus" do
anonymous_syllabus_access_allowed :public_syllabus anonymous_syllabus_access_allowed :public_syllabus
end end
it "should allow viewing files in a public syllabus" do it "should allow viewing available files in a public syllabus" do
course(:active_all => true) course(:active_all => true)
attachment_model attachment_model
@course.syllabus_body = "<a href=\"/courses/#{@course.id}/files/#{@attachment.id}/download\">linky</a>" @course.syllabus_body = "<a href=\"/courses/#{@course.id}/files/#{@attachment.id}/download\">linky</a>"
@ -56,6 +56,25 @@ describe "syllabus" do
expect(link.attributes['href'].value).to include("verifier=#{@attachment.uuid}") expect(link.attributes['href'].value).to include("verifier=#{@attachment.uuid}")
end end
it "should not allow viewing locked files in a public syllabus" do
course(:active_all => true)
attachment_model
@attachment.locked = true
@attachment.save!
@course.syllabus_body = "<a href=\"/courses/#{@course.id}/files/#{@attachment.id}/download\">linky</a>"
@course.public_syllabus = true
@course.save!
get "/courses/#{@course.id}/assignments/syllabus"
expect(response).to be_success
page = Nokogiri::HTML(response.body)
expect(page.css('#identity a[href="/login"]')).not_to be_nil
link = page.at_css('#course_syllabus a')
expect(link.attributes['href'].value).to_not include("verifier=#{@attachment.uuid}")
end
it "should display syllabus description on syllabus course home pages" do it "should display syllabus description on syllabus course home pages" do
course_with_teacher_logged_in(:active_all => true) course_with_teacher_logged_in(:active_all => true)
syllabus_body = "test syllabus body" syllabus_body = "test syllabus body"