allow readonly view of quiz with group that pulls from question bank

fixes CNVS-17126

test plan:
  - as a teacher
    - create a quiz with a single group that pulls questions from a bank
    - save the quiz

  - go to permissions at /accounts/self/permissions
    - change "Manage (add / edit / delete) assignments and quizzes"
    - set to "Disabled" for teacher

  - as a teacher visit the created quiz
    - you should see "See Full Quiz" link in the sidebar
    - visit this page
    - it should show you the quiz in readonly mode without giving an error

  - also check for regressions around quiz edit page with question banks

Change-Id: Ifa9ad9577407199b1c355e67faa37270f91adc0d
Reviewed-on: https://gerrit.instructure.com/45061
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Ahmad Amireh <ahmad@instructure.com>
QA-Review: Trevor deHaan <tdehaan@instructure.com>
Product-Review: Derek DeVries <ddevries@instructure.com>

app/controllers/quizzes/quizzes_controller.rb

@@ -253,11 +253,8 @@ class Quizzes::QuizzesController < ApplicationController
       @quiz.assignment_group_id = params[:assignment_group_id] if params[:assignment_group_id]
 
       student_ids = @context.student_ids
-      @banks_hash = {}
-      bank_ids = @quiz.quiz_groups.map(&:assessment_question_bank_id)
-      unless bank_ids.empty?
-        @banks_hash = AssessmentQuestionBank.active.where(id: bank_ids).index_by(&:id)
-      end
+      @banks_hash = get_banks(@quiz)
+
       if @has_student_submissions = @quiz.has_student_submissions?
         flash[:notice] = t('notices.has_submissions_already', "Keep in mind, some students have already taken or started taking this quiz")
       end
@@ -672,6 +669,8 @@ class Quizzes::QuizzesController < ApplicationController
   def read_only
     @assignment = @quiz.assignment
     if authorized_action(@quiz, @current_user, :read_statistics)
+      @banks_hash = get_banks(@quiz)
+
       add_crumb(@quiz.title, named_context_url(@context, :context_quiz_url, @quiz))
       js_env(quiz_max_combination_count: QUIZ_MAX_COMBINATION_COUNT)
       render
@@ -691,6 +690,15 @@ class Quizzes::QuizzesController < ApplicationController
 
   private
 
+  def get_banks(quiz)
+    banks_hash = {}
+    bank_ids = quiz.quiz_groups.map(&:assessment_question_bank_id)
+    unless bank_ids.empty?
+      banks_hash = AssessmentQuestionBank.active.where(id: bank_ids).index_by(&:id)
+    end
+    banks_hash
+  end
+
   def get_submission
     submission = @quiz.quiz_submissions.where(user_id: @current_user).order(:created_at).first
     if !@current_user || (params[:preview] && @quiz.grants_right?(@current_user, session, :update))

app/views/quizzes/quizzes/_question_group.html.erb

@@ -7,7 +7,9 @@
 %>
 <div class="quiz_sortable group_top <%= 'question_bank_top' if question_bank %>" style="<%= "display: none;" unless group %>" id="group_top_<%= hash_get(group, :id, 'template') %>">
   <%= form_for :quiz_group, :url => context_url(@context, :context_quiz_quiz_groups_url, @quiz.id), :html => {:class => "quiz_group_form"} do |f| %>
+    <% if can_do(@quiz, @current_user, :update) %>
     <%= render partial: "quizzes/quizzes/move_handle" %>
+    <% end %>
 
   <div style="float: left;">
     <input type="hidden" name="quiz_group[assessment_question_bank_id]" class="bank_id"/>

spec/controllers/quizzes/quizzes_controller_spec.rb

@@ -1200,6 +1200,13 @@ describe Quizzes::QuizzesController do
       get 'read_only', :course_id => @course.id, :quiz_id => @quiz.id
       assert_unauthorized
     end
+
+    it "should include banks hash" do
+      user_session(@teacher)
+      get 'read_only', :course_id => @course.id, :quiz_id => @quiz.id
+      expect(response).to be_success
+      expect(assigns[:banks_hash]).not_to be_nil
+    end
   end
 
   describe "DELETE 'destroy'" do