graphql: use Course#users_visible_to in submissionsConnection

Test plan: * create a course with multiple sections and section-limited teachers * make submissions for students on an assignment * conclude a student's enrollment * when querying the assignment's submissionConnection: * only students belonging to the same section as the teacher should be returned * submissions belonging to concluded enrollments should not be returned closes GQL-86 flag = none Change-Id: Ie5244e368644b9ad6e3357d9e0f3e2bec8898a54 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/216038 Reviewed-by: Marc Phillips <mphillips@instructure.com> QA-Review: Cameron Matheson <cameron@instructure.com> Product-Review: Cameron Matheson <cameron@instructure.com> Tested-by: Jenkins
2019-11-05 15:09:30 -07:00 · 2019-11-05 15:09:30 -07:00 · e30dc49859
parent 7a01b17018
commit e30dc49859
2 changed files with 16 additions and 2 deletions
--- a/lib/submission_search.rb
+++ b/lib/submission_search.rb
@ -61,7 +61,9 @@ class SubmissionSearch
    end

    search_scope = if @course.grants_any_right?(@searcher, @session, :manage_grades, :view_all_grades)
-      search_scope
+      # TODO: may want to add a preloader for this
+      allowed_user_ids = @course.users_visible_to(@searcher)
+      search_scope.where(user_id: allowed_user_ids)
    elsif @course.grants_right?(@searcher, @session, :read_grades)
      # a user can see their own submission
      search_scope.where(user_id: @searcher.id)
--- a/spec/graphql/types/assignment_type_spec.rb
+++ b/spec/graphql/types/assignment_type_spec.rb
@ -271,7 +271,7 @@ describe Types::AssignmentType do
        section1_student = section1.enroll_user(User.create!, "StudentEnrollment", "active").user
        section2_student = section2.enroll_user(User.create!, "StudentEnrollment", "active").user
        @section1_student_submission = assignment.submit_homework(section1_student, body: "hello world")
-        assignment.submit_homework(section2_student, body: "hello universe")
+        @section2_student_submission = assignment.submit_homework(section2_student, body: "hello universe")
      end

      it "returns submissions only for the given section" do
@ -282,6 +282,18 @@ describe Types::AssignmentType do
        GQL
        expect(section1_submission_ids.map(&:to_i)).to contain_exactly(@section1_student_submission.id)
      end
+
+      it "respects visibility for limited teachers" do
+        teacher.enrollments.first.update! course_section: section2,
+          limit_privileges_to_course_section: true
+
+        submissions =  assignment_type.resolve(<<~GQL, current_user: teacher)
+          submissionsConnection { nodes { _id } }
+        GQL
+
+        expect(submissions).not_to include @section1_student_submission.id.to_s
+        expect(submissions).to include @section2_student_submission.id.to_s
+      end
    end
  end