ylqjgm
/
canvas-lms
mirror of https://github.com/instructure/canvas-lms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

render unauthorized for unpublished modules 

test plan:
 - create a module
 - link to the module from a wiki page
 - unpublish the module
 - try to follow the link as a student
 - you should get an "unauthorized" message rather than
   a page error

fixes CNVS-19411

Change-Id: Ib458a885c94b7a93cf7d910b3ceadd3a9cca5fd7
Reviewed-on: https://gerrit.instructure.com/50713
Tested-by: Jenkins
Reviewed-by: James Williams  <jamesw@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
This commit is contained in:
Jeremy Stanley 2015-03-20 12:49:06 -06:00
parent 62d8b2e1de
commit b70322e2a1
3 changed files with 30 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
app/controllers/context_modules_controller.rb
View File

@ -268,10 +268,12 @@ class ContextModulesController < ApplicationController
end end
def show def show
@module = @context.modules_visible_to(@current_user).find(params[:id]) @module = @context.context_modules.not_deleted.find(params[:id])
respond_to do |format| if authorized_action @module, @current_user, :read
format.html { redirect_to named_context_url(@context, :context_context_modules_url, :anchor => "module_#{params[:id]}") } respond_to do |format|
format.json { render :json => @module.content_tags_visible_to(@current_user) } format.html { redirect_to named_context_url(@context, :context_context_modules_url, :anchor => "module_#{params[:id]}") }
format.json { render :json => @module.content_tags_visible_to(@current_user) }
end
end end
end end

2
app/models/context_module.rb
View File

@ -213,7 +213,7 @@ class ContextModule < ActiveRecord::Base
given {|user, session| self.context.grants_right?(user, session, :read_as_admin) } given {|user, session| self.context.grants_right?(user, session, :read_as_admin) }
can :read_as_admin can :read_as_admin
given {|user, session| self.context.grants_right?(user, session, :read) } given {|user, session| self.context.grants_right?(user, session, :read) && self.active? }
can :read can :read
end end

23
spec/controllers/context_modules_controller_spec.rb
View File

@ -546,4 +546,27 @@ describe ContextModulesController do
end end
end end
end end
describe "GET 'show'" do
before :once do
course_with_teacher(active_all: true)
end
it "should redirect to the module on the index page" do
@m2 = @course.context_modules.create!(:name => "published hey")
user_session(@teacher)
get 'show', course_id: @course.id, id: @m2.id
expect(response).to redirect_to course_context_modules_url(course_id: @course.id, anchor: "module_#{@m2.id}")
end
it "should unauthorized for students and unpublished modules" do
@m1 = @course.context_modules.create(:name => "unpublished oi")
@m1.workflow_state = 'unpublished'
@m1.save!
student_in_course active_all: true
user_session(@student)
get 'show', course_id: @course.id, id: @m1.id
assert_unauthorized
end
end
end end