verify context_code on conversation create api

fixes CNVS-16663
fixes CNVS-16654

test plan
- using the api, create a conversation message with a recipient
 that you are allowed to send to but a context_code for a course
 or group to which you do not belong
- ensure an "invalid context" error is returned

Change-Id: I6eb39f7f50af5bca2065178e469ea9bf21a7b542
Reviewed-on: https://gerrit.instructure.com/45604
Reviewed-by: Andrew Butterfield <abutterfield@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Derek Hansen <dhansen@instructure.com>
Product-Review: Joel Hough <joel@instructure.com>
Joel Hough 2014-12-11 02:57:21 -07:00
parent 7ae763642c
commit 5f8f5d6c7a
2 changed files with 4 additions and 2 deletions


@ -1066,8 +1066,8 @@ class ConversationsController < ApplicationController
case context
when nil then false
when Account then valid_account_context?(context)
# might want to add some validation for Course and Group.
else true
when Course, Group then context.grants_right?(@current_user, session, :send_messages)
else false
end
end
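Review bot: the new `when Course, Group` branch only checks that `@current_user` holds `:send_messages` in the context; nothing in this method checks that the recipients are reachable through that context, so unless recipient resolution enforces it elsewhere, a sender who is a member of a course can still attach its `context_code` to a message addressed to users outside that course. If `context_code` is meant to scope who may be messaged, recipient validation needs the same restriction. The switch from `else true` to `else false` also fails closed for every context class other than nil, Account, Course and Group; confirm no other context type was legitimately reaching this path. Finally, the change touches only the controller and the model and ships with a manual test plan; a controller spec covering the three outcomes (member of the context, non-member, and a context class falling through to `else false`) would keep the permissive default from creeping back.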


@ -469,6 +469,8 @@ class Group < ActiveRecord::Base
can :post_to_forum and
can :read and
can :read_roster and
can :send_messages and
can :send_messages_all and
can :update and
can :view_unpublished_items
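Review bot: this `given` block (its condition sits outside the hunk) previously granted `:send_messages_all` without `:send_messages`, and `:send_messages` is the only right the controller's new `grants_right?(@current_user, session, :send_messages)` check consults. Any role that reached the conversation API through the old `else true` default and is not covered by this block will now be rejected unless its own `given` block in Group, and the corresponding blocks in Course, also grant `:send_messages`; those blocks should be audited rather than assuming `:send_messages_all` implies the base right, since this hunk shows the two are granted independently. A short comment on the block, or a model spec asserting that members hold `:send_messages`, would document that dependency on the controller check.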