graphql: hide scores for muted assignments

fixes CNVS-38623

Test plan:
  make sure students cannot access muted grades through graphql

Change-Id: I7456160e3a069cfe266d109bb0d1425fb9407ff3
Reviewed-on: https://gerrit.instructure.com/124922
Tested-by: Jenkins
Reviewed-by: Jonathan Featherstone <jfeatherstone@instructure.com>
QA-Review: Collin Parrish <cparrish@instructure.com>
Product-Review: Cameron Matheson <cameron@instructure.com>

app/graphql/types/submission_type.rb

@@ -11,9 +11,9 @@ module Types
 
     field :user, UserType, resolve: ->(s, _, _) { Loaders::IDLoader.for(User).load(s.user_id) }
 
-    field :score, types.Float
+    field :score, types.Float, resolve: SubmissionHelper.protect_submission_grades(:score)
 
-    field :grade, types.String
+    field :grade, types.String, resolve: SubmissionHelper.protect_submission_grades(:grade)
 
     field :excused, types.Boolean,
       "excused assignments are ignored when calculating grades",
@@ -22,4 +22,14 @@ module Types
     field :submittedAt, TimeType, property: :submitted_at
     field :gradedAt, TimeType, property: :graded_at
   end
+
+  class SubmissionHelper
+    def self.protect_submission_grades(attr)
+      ->(submission, _, ctx) {
+        submission.user_can_read_grade?(ctx[:current_user], ctx[:session]) ?
+          submission.send(attr) :
+          nil
+      }
+    end
+  end
 end

spec/graphql/types/submission_type_spec.rb

@@ -20,11 +20,46 @@ require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
 require File.expand_path(File.dirname(__FILE__) + '/../../helpers/graphql_type_tester')
 
 describe Types::SubmissionType do
-  let(:submission) { Submission.new(score: 5) }
-  let(:submission_type) { GraphQLTypeTester.new(Types::SubmissionType, submission) }
+  before(:once) do
+    student_in_course(active_all: true)
+    @assignment = @course.assignments.create! name: "asdf", points_possible: 10
+    @submission, _ = @assignment.grade_student(@student, score: 8, grader: @teacher)
+  end
+
+  let(:submission_type) { GraphQLTypeTester.new(Types::SubmissionType, @submission) }
 
   it "works" do
-    expect(submission_type.score).to eq submission.score
+    expect(submission_type.user).to eq @student
     expect(submission_type.excused).to eq false
+    expect(submission_type.assignment).to eq @assignment
+  end
+
+  describe "score and grade" do
+    context "muted assignment" do
+      before { @assignment.update_attribute(:muted, true) }
+
+      it "returns score/grade for teachers when assignment is muted" do
+        expect(submission_type.score(current_user: @teacher)).to eq @submission.score
+        expect(submission_type.grade(current_user: @teacher)).to eq @submission.grade
+      end
+
+      it "doesn't return score/grade for students when assignment is muted" do
+        expect(submission_type.score(current_user: @student)).to be_nil
+        expect(submission_type.grade(current_user: @student)).to be_nil
+      end
+    end
+
+    context "regular assignment" do
+      it "returns the score and grade for authorized users" do
+        expect(submission_type.score(current_user: @student)).to eq @submission.score
+        expect(submission_type.grade(current_user: @student)).to eq @submission.grade
+      end
+
+      it "returns nil for unauthorized users" do
+        @student2 = student_in_course(active_all: true).user
+        expect(submission_type.score(current_user: @student2)).to be_nil
+        expect(submission_type.grade(current_user: @student2)).to be_nil
+      end
+    end
   end
 end