let account users with :read_roster rights view enrollments

test plan: * create an account role * grant the account role the ability to "See the list of users" * as a user with that role, should be able to view the course enrollments on a user's details page closes #CNVS-14169 Change-Id: I7e5256af1e52118f14799c6a76603de61eb14f25 Reviewed-on: https://gerrit.instructure.com/39203 Tested-by: Jenkins <jenkins@instructure.com> Reviewed-by: Jeremy Stanley <jeremy@instructure.com> QA-Review: Clare Strong <clare@instructure.com> Product-Review: James Williams <jamesw@instructure.com>
2014-08-13 10:28:02 -06:00 · 2014-08-13 10:28:02 -06:00 · a737356c49
parent 372194d84e
commit a737356c49
4 changed files with 13 additions and 3 deletions
--- a/app/controllers/context_module_items_api_controller.rb
+++ b/app/controllers/context_module_items_api_controller.rb
@ -619,7 +619,7 @@ class ContextModuleItemsApiController < ApplicationController
  def find_student
    if params[:student_id]
      student_enrollments = @context.student_enrollments.for_user(params[:student_id])
-      return render_unauthorized_action unless student_enrollments.any?{|e| e.grants_right?(@current_user, session, :read)}
+      return render_unauthorized_action unless student_enrollments.any?{|e| e.grants_right?(@current_user, session, :read_grades)}
      @student = student_enrollments.first.user
    elsif @context.grants_right?(@current_user, session, :participate_as_student)
      @student = @current_user
--- a/app/controllers/context_modules_api_controller.rb
+++ b/app/controllers/context_modules_api_controller.rb
@ -635,7 +635,7 @@ class ContextModulesApiController < ApplicationController
  def find_student
    if params[:student_id]
      student_enrollments = @context.student_enrollments.for_user(params[:student_id])
-      return render_unauthorized_action unless student_enrollments.any?{|e| e.grants_right?(@current_user, session, :read)}
+      return render_unauthorized_action unless student_enrollments.any?{|e| e.grants_right?(@current_user, session, :read_grades)}
      @student = student_enrollments.first.user
    elsif @context.grants_right?(@current_user, session, :participate_as_student)
      @student = @current_user
--- a/app/models/enrollment.rb
+++ b/app/models/enrollment.rb
@ -849,7 +849,7 @@ class Enrollment < ActiveRecord::Base
  end

  set_policy do
-    given {|user, session| self.course.grants_any_right?(user, session, :manage_students, :manage_admin_users) }
+    given {|user, session| self.course.grants_any_right?(user, session, :manage_students, :manage_admin_users, :read_roster)}
    can :read

    given { |user| self.user == user }
--- a/spec/models/enrollment_spec.rb
+++ b/spec/models/enrollment_spec.rb
@ -274,6 +274,16 @@ describe Enrollment do
  end

  context "permissions" do
+    it "should grant read rights to account members with the ability to read_roster" do
+      user = account_admin_user(:membership_type => "AccountMembership")
+      RoleOverride.create!(:context => Account.default, :permission => :read_roster,
+                           :enrollment_type => "AccountMembership", :enabled => true)
+      @enrollment.save
+
+      @enrollment.user.grants_right?(user, :read).should == false
+      @enrollment.grants_right?(user, :read).should == true
+    end
+
    it "should be able to read grades if the course grants management rights to the enrollment" do
      @new_user = user_model
      @enrollment.save