render unauthorized for unpublished modules

test plan: - create a module - link to the module from a wiki page - unpublish the module - try to follow the link as a student - you should get an "unauthorized" message rather than a page error fixes CNVS-19411 Change-Id: Ib458a885c94b7a93cf7d910b3ceadd3a9cca5fd7 Reviewed-on: https://gerrit.instructure.com/50713 Tested-by: Jenkins Reviewed-by: James Williams <jamesw@instructure.com> QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com> Product-Review: Jeremy Stanley <jeremy@instructure.com>
2015-03-20 12:49:06 -06:00 · 2015-03-20 12:49:06 -06:00 · b70322e2a1
parent 62d8b2e1de
commit b70322e2a1
3 changed files with 30 additions and 5 deletions
--- a/app/controllers/context_modules_controller.rb
+++ b/app/controllers/context_modules_controller.rb
@ -268,10 +268,12 @@ class ContextModulesController < ApplicationController
  end
  
  def show
-    @module = @context.modules_visible_to(@current_user).find(params[:id])
-    respond_to do |format|
-      format.html { redirect_to named_context_url(@context, :context_context_modules_url, :anchor => "module_#{params[:id]}") }
-      format.json { render :json => @module.content_tags_visible_to(@current_user) }
+    @module = @context.context_modules.not_deleted.find(params[:id])
+    if authorized_action @module, @current_user, :read
+      respond_to do |format|
+        format.html { redirect_to named_context_url(@context, :context_context_modules_url, :anchor => "module_#{params[:id]}") }
+        format.json { render :json => @module.content_tags_visible_to(@current_user) }
+      end
    end
  end
  
--- a/app/models/context_module.rb
+++ b/app/models/context_module.rb
@ -213,7 +213,7 @@ class ContextModule < ActiveRecord::Base
    given {|user, session| self.context.grants_right?(user, session, :read_as_admin) }
    can :read_as_admin

-    given {|user, session| self.context.grants_right?(user, session, :read) }
+    given {|user, session| self.context.grants_right?(user, session, :read) && self.active? }
    can :read
  end

--- a/spec/controllers/context_modules_controller_spec.rb
+++ b/spec/controllers/context_modules_controller_spec.rb
@ -546,4 +546,27 @@ describe ContextModulesController do
      end
    end
  end
+
+  describe "GET 'show'" do
+    before :once do
+      course_with_teacher(active_all: true)
+    end
+
+    it "should redirect to the module on the index page" do
+      @m2 = @course.context_modules.create!(:name => "published hey")
+      user_session(@teacher)
+      get 'show', course_id: @course.id, id: @m2.id
+      expect(response).to redirect_to course_context_modules_url(course_id: @course.id, anchor: "module_#{@m2.id}")
+    end
+
+    it "should unauthorized for students and unpublished modules" do
+      @m1 = @course.context_modules.create(:name => "unpublished oi")
+      @m1.workflow_state = 'unpublished'
+      @m1.save!
+      student_in_course active_all: true
+      user_session(@student)
+      get 'show', course_id: @course.id, id: @m1.id
+      assert_unauthorized
+    end
+  end
 end