redirect unauthed account admins to /settings

test plan: * enable new course user search * have an account admin without the right to read the list of users or read courses * should be redirected to the settings when viewing /accounts/X closes #CORE-1316 Change-Id: I7ba1e43c36fc550652642fbc084f8e0937937777 Reviewed-on: https://gerrit.instructure.com/150213 Tested-by: Jenkins Reviewed-by: Jeremy Stanley <jeremy@instructure.com> QA-Review: Jeremy Putnam <jeremyp@instructure.com> Product-Review: James Williams <jamesw@instructure.com>
2018-05-14 14:31:55 -06:00 · 2018-05-14 14:31:55 -06:00 · 8312806b51
parent af626792d9
commit 8312806b51
3 changed files with 19 additions and 2 deletions
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@ -176,7 +176,10 @@ class AccountsController < ApplicationController
    return unless authorized_action(@account, @current_user, :read)
    respond_to do |format|
      format.html do
-        return course_user_search if @account.feature_enabled?(:course_user_search)
+        if @account.feature_enabled?(:course_user_search)
+          @redirect_on_unauth = true
+          return course_user_search
+        end
        if value_to_boolean(params[:theme_applied])
          flash[:notice] = t("Your custom theme has been successfully applied.")
        end
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -2362,7 +2362,11 @@ class ApplicationController < ActionController::Base
    can_manage_account = @account.grants_right?(@current_user, session, :manage_account_settings)

    unless can_read_course_list || can_read_roster
-      return render_unauthorized_action
+      if @redirect_on_unauth
+        return redirect_to account_settings_url(@account)
+      else
+        return render_unauthorized_action
+      end
    end

    js_env({
--- a/spec/controllers/accounts_controller_spec.rb
+++ b/spec/controllers/accounts_controller_spec.rb
@ -206,6 +206,16 @@ describe AccountsController do
      expect(assigns[:associated_courses_count]).to eq 1
    end

+    it "should redirect for admins without course read rights when course_user_search is enabled" do
+      Account.default.enable_feature!(:course_user_search)
+      account_admin_user_with_role_changes(:role_changes => {:read_course_list => false, :read_roster => false} )
+      user_session(@admin)
+
+      get 'show', params: {:id => Account.default.id}, :format => 'html'
+
+      expect(response).to redirect_to(account_settings_url(Account.default))
+    end
+
    describe "check crosslisting" do
      before :once do
        @root_account = Account.create!