fix conversations permission bug for groups

When the permission to 'send messages to individual course members' is
disabled, students are no longer able to send Canvas Conversation
messages to group members within the same course-level group using the
group as the context

Test Plan
- In your account permissions, disable "Send messages to individual
  course members" for the student role
- Enroll two students into a course and into the same course-level group
- As one of the students, select your group from the course selector in
  the inbox
- Compose a message leaving the "Course" field as "Select Course"
- Click the "Contacts" icon and select the other student in the group
- Attempt to send the message and notice the red tooltip stating that
  messages can't be sent to users in the selected group

fixes KNO-32
flag=none

Change-Id: Ifa1e8021573d3338a16c95795437576b2d4c32f6
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/221912
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Steven Burnett <sburnett@instructure.com>
QA-Review: Ben Nelson <bnelson@instructure.com>
Product-Review: Matthew Lemon <mlemon@instructure.com>
Matthew Lemon 2020-01-02 14:29:28 -07:00
parent 45900e97e4
commit bcdbfb58e1
2 changed files with 27 additions and 1 deletions


@ -378,7 +378,14 @@ class ConversationsController < ApplicationController
shard = Shard.current
if params[:context_code].present?
context = Context.find_by_asset_string(params[:context_code])
return render_error('context_code', 'invalid') unless valid_context?(context)
recipients_are_instructors = all_recipients_are_instructors?(context, @recipients)
if context.is_a?(Course) && !recipients_are_instructors && !context.grants_right?(@current_user, session, :send_messages)
return render_error("Unable to send messages to users in #{context.name}", '')
elsif !valid_context?(context)
return render_error('context_code', 'invalid')
end
shard = context.shard
context_type = context.class.name
@ -1222,4 +1229,15 @@ class ConversationsController < ApplicationController
false
end
def all_recipients_are_instructors?(context, recipients)
if context.is_a?(Course)
all_recipients_are_instructors = true
recipients.each do |recipient|
all_recipients_are_instructors = false unless context.user_is_instructor?(recipient)
end
return all_recipients_are_instructors
end
false
end
end
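Review bot: In the first hunk the `:send_messages` check now runs before `valid_context?(context)`, and its error message interpolates `context.name`, so a caller who would have been rejected by `valid_context?` can instead receive the name of a course in the response; `valid_context?` is not visible here, so this is inferred from the ordering alone. Keep the original guard first, `return render_error('context_code', 'invalid') unless valid_context?(context)`, then run the permission check, and consider an error message that does not echo the course name. The check is also gated on `context.is_a?(Course)`, so a request whose `context_code` is a group asset string does not appear to reach it, which is worth confirming against the commit title. In the second hunk, `all_recipients_are_instructors?` returns true for an empty `recipients` list, and the loop could be written as `recipients.all? { |recipient| context.user_is_instructor?(recipient) }`. The enclosing action starts and ends outside the first hunk.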


@ -374,6 +374,14 @@ describe ConversationsController do
end
end
end
it 'does not allow sending messages to other users in a group if the permission is disabled' do
user_session(@new_user1)
@course.account.role_overrides.create!(:permission => :send_messages, :role => student_role, :enabled => false)
post 'create', params: { recipients: [@new_user2.id.to_s], body: 'ooo eee', group_conversation: 'true', context_code: @course.asset_string }
expect(response).not_to be_successful
end
end
it "should correctly infer context tags" do
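Review bot: The new example passes `context_code: @course.asset_string`, so it covers the course context rather than the group context its description names, and `expect(response).not_to be_successful` is satisfied by any error, not only the permission denial. Pin the reason for the rejection, for instance by also asserting that the response carries the `Unable to send messages to users in` text (assuming `render_error` puts the message in the body), and add a companion example showing the same post still succeeds when the recipient is an instructor of the course. If group-scoped sending is meant to be blocked too, an example using the group's asset string as `context_code` would show whether the controller check reaches it.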