fix role overrides fetching for site admin on a separate shard

test plan: * have site admin on one shard * make a custom account role * give it all the permissions * login as a user with that custom role * visit an account on another shard * should have all the permissions Change-Id: I2a128a672b7b6973e1d25c58d635f0147a486240 Reviewed-on: https://gerrit.instructure.com/44353 Tested-by: Jenkins <jenkins@instructure.com> QA-Review: August Thornton <august@instructure.com> Reviewed-by: Jeremy Stanley <jeremy@instructure.com> Product-Review: James Williams <jamesw@instructure.com>
2014-11-12 13:13:04 -07:00 · 2014-11-12 13:13:04 -07:00 · 9945043150
parent 57d64ec812
commit 9945043150
6 changed files with 44 additions and 9 deletions
--- a/app/models/account_user.rb
+++ b/app/models/account_user.rb
@ -134,7 +134,7 @@ class AccountUser < ActiveRecord::Base
  end

  def is_subset_of?(user)
-    needed_permissions = RoleOverride.permissions.keys.inject({}) do |result, permission|
+    needed_permissions = RoleOverride.manageable_permissions(account).keys.inject({}) do |result, permission|
      result[permission] = enabled_for?(account, permission)
      result
    end
--- a/app/models/role_override.rb
+++ b/app/models/role_override.rb
@ -838,9 +838,15 @@ class RoleOverride < ActiveRecord::Base
    overrides = @@role_override_chain[permissionless_key] ||= begin
      context.shard.activate do
        accounts = context.account_chain
-        accounts << Account.site_admin unless accounts.include?(Account.site_admin)
+        overrides = RoleOverride.where(:context_id => accounts, :context_type => 'Account', :role_id => role)
+
+        unless accounts.include?(Account.site_admin)
+          accounts << Account.site_admin
+          overrides += Account.site_admin.role_overrides.where(:role_id => role)
+        end
+
        accounts.reverse!
-        overrides = RoleOverride.where(:context_id => accounts, :context_type => 'Account', :role_id => role.id).group_by(&:permission)
+        overrides = overrides.group_by(&:permission)

        # every context has to be represented so that we can't miss role_context below
        overrides.each_key do |permission|
--- a/spec/models/pseudonym_spec.rb
+++ b/spec/models/pseudonym_spec.rb
@ -397,7 +397,12 @@ describe Pseudonym do
  end

  describe "permissions" do
-    let(:account1) { Account.default }
+    let(:account1) {
+      a = Account.default
+      a.settings[:admins_can_view_notifications] = true
+      a.save!
+      a
+    }
    let(:account2) { Account.create! }

    let(:sally) { account_admin_user(
@ -410,7 +415,8 @@ describe Pseudonym do

    let(:charlie) { student_in_course(account: account2).user }

-    let(:alice) { account_admin_user_with_role_changes(
+    let(:alice) {
+      account_admin_user_with_role_changes(
      account: account1,
      role: custom_account_role('StrongerAdmin', account: account1),
      role_changes: { view_notifications: true }) }
--- a/spec/models/role_override_spec.rb
+++ b/spec/models/role_override_spec.rb
@ -404,6 +404,15 @@ describe RoleOverride do
        end
        expect(RoleOverride.permission_for(@account, :become_user, admin_role)[:enabled]).to eq nil
      end
+
+      it "should find site-admin role overrides on a non-current shard" do
+        role = custom_account_role("custom", :account => Account.site_admin)
+        Account.site_admin.role_overrides.create!(:permission => 'become_user', :enabled => true, :role => role)
+        @shard1.activate do
+          @account = Account.create!
+        end
+        expect(RoleOverride.permission_for(@account, :become_user, role)[:enabled]).to eq [:self, :descendants]
+      end
    end
  end

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@ -2510,7 +2510,12 @@ describe User do
    end

    describe ":reset_mfa" do
-      let(:account1) { Account.default }
+      let(:account1) {
+        a = Account.default
+        a.settings[:admins_can_view_notifications] = true
+        a.save!
+        a
+      }
      let(:account2) { Account.create! }

      let(:sally) { account_admin_user(
@ -2578,7 +2583,12 @@ describe User do
    end

    describe ":merge" do
-      let(:account1) { Account.default }
+      let(:account1) {
+        a = Account.default
+        a.settings[:admins_can_view_notifications] = true
+        a.save!
+        a
+      }
      let(:account2) { Account.create! }

      let(:sally) { account_admin_user(
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@ -476,8 +476,12 @@ RSpec.configure do |config|
    account = opts[:account] || Account.default
    if opts[:role_changes]
      opts[:role_changes].each_pair do |permission, enabled|
-        account.role_overrides.create(:permission => permission.to_s, :enabled => enabled,
-                                      :role => opts[:role] || admin_role)
+        role = opts[:role] || admin_role
+        if ro = account.role_overrides.where(:permission => permission.to_s, :role_id => role.id).first
+          ro.update_attribute(:enabled, enabled)
+        else
+          account.role_overrides.create(:permission => permission.to_s, :enabled => enabled, :role => role)
+        end
      end
    end
    RoleOverride.clear_cached_contexts