improve permission checks on SubAccountsController#index

refs LS-2136
fixes FOO-2728
flag = none

Test plan:
• Create a sub-account with at least one child sub-account
• Add a user to the sub-account as an admin with the permission
  “Account-level settings - manage” disabled
• As the admin
   • See that the sub-accounts tab does not display
   • Navigate directly to /accounts/####/sub_accounts anyway
   • See that the page will 401 with Access Denied
• Verify the sub_account index page loads with
  "Account-level settings - manage" enabled

Change-Id: Ief6a585173600efe1b583fafe8aa236500bcdb49
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/289644
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jacob Burroughs <jburroughs@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: August Thornton <august@instructure.com>
August Thornton 2022-04-13 15:02:43 -06:00
parent 3794fa12dc
commit bdcc46f8d3
2 changed files with 10 additions and 8 deletions


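--- a/PLACEHOLDER_PATH/sub_accounts_controller.rb
+++ b/PLACEHOLDER_PATH/sub_accounts_controller.rb
@@ -49,10 +49,12 @@ class SubAccountsController < ApplicationController
 before_action :require_account_management, except: [:index]
 def index
-# accept :manage_courses or :manage_account_settings so the course settings page can query subaccounts
-return unless require_account_management(
-permissions: %i[manage_account_settings manage_courses manage_courses_admin]
-)
+if !api_request? && params[:term]
+# accept :manage_courses or :manage_courses_admin so course settings page can query subaccounts
+require_account_management(permissions: [:manage_courses, :manage_courses_admin])
+else
+require_account_management
+end
 @query = (params[:account] && params[:account][:name]) || params[:term]
 if @query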
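Review bot: Both `require_account_management` calls in the new `if`/`else` discard their result, whereas the removed code had `return unless require_account_management(...)`; if the helper renders the unauthorized response and returns false rather than raising, the remainder of `index` (which continues past this hunk from `@query = ...`) still executes after the 401 has already been rendered. Restoring the guard on both branches keeps the failure path short: `return unless require_account_management(permissions: [:manage_courses, :manage_courses_admin])` and `return unless require_account_management`. Note also that the looser permission set is chosen by the request-supplied `params[:term]` (any non-empty value, since only `nil` and `false` are falsy), so for non-API requests a manage_courses-only admin reaches the index whenever a term is supplied, and the 401 in the test plan holds only when it is absent. The branch comment should state that trade-off so a later reader does not take the `else` branch as the effective check for the whole action, e.g. `# NOTE: any non-API request carrying a term param is checked only against the course-management permissions (needed by the course settings page); the stricter account-settings check applies only when term is absent`.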


@ -155,15 +155,15 @@ describe SubAccountsController do
@sub_account = @root_account.sub_accounts.create!(name: "sub")
end
it "accepts :manage_courses permission" do
it "accepts :manage_courses permission if term query param is provided" do
@root_account.disable_feature!(:granular_permissions_manage_courses)
admin = account_admin_user_with_role_changes(role_changes: { manage_account_settings: false, manage_courses: true }, account: @root_account, role: Role.get_built_in_role("AccountMembership", root_account_id: @root_account))
user_session(admin)
get "index", params: { account_id: @root_account.id }
get "index", params: { term: "sub-account", account_id: @root_account.id }
expect(response.status).to eq 200
end
it "accepts :manage_courses_admin permission (granular permissions)" do
it "accepts :manage_courses_admin permission if term query param is provided (granular permissions)" do
@root_account.enable_feature!(:granular_permissions_manage_courses)
admin =
account_admin_user_with_role_changes(
@ -175,7 +175,7 @@ describe SubAccountsController do
role: Role.get_built_in_role("AccountMembership", root_account_id: @root_account)
)
user_session(admin)
get "index", params: { account_id: @root_account.id }
get "index", params: { term: "sub-account", account_id: @root_account.id }
expect(response.status).to eq 200
end
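Review bot: The updated examples only assert the 200 path with `term` present; nothing in this section checks that the same manage_courses-only admin is refused when `term` is omitted, which is the behaviour the commit message's test plan describes and the part of the change most likely to regress. Adding one negative example next to the existing ones (the enclosing `describe` block starts outside the hunk) would pin the stricter default; the expected status below follows the test plan's stated 401 and should be adjusted if the controller's unauthorized rendering differs.
```ruby
# … unchanged: existing "accepts :manage_courses permission if term query param is provided" example …
it "rejects :manage_courses permission when no term query param is provided" do
  @root_account.disable_feature!(:granular_permissions_manage_courses)
  admin = account_admin_user_with_role_changes(role_changes: { manage_account_settings: false, manage_courses: true }, account: @root_account, role: Role.get_built_in_role("AccountMembership", root_account_id: @root_account))
  user_session(admin)
  get "index", params: { account_id: @root_account.id }
  expect(response.status).to eq 401
end
```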