allow admins with :read_course_content to see unpublished discussions

previously, admins needed the :manage_courses permission, which felt too heavy for this use case. fixes CNVS-17996 test plan: - create a custom account admin role - give them the :read_course_content permission - go to a course with unpublished discussions - they should be able to see them Change-Id: I5a572ed0c59f7f2d1100b49d9857dce969f510df Reviewed-on: https://gerrit.instructure.com/48322 Tested-by: Jenkins Reviewed-by: Mike Nomitch <mnomitch@instructure.com> QA-Review: Adam Stone <astone@instructure.com> Product-Review: Simon Williams <simon@instructure.com>
2015-02-05 13:46:31 -07:00 · 2015-02-05 13:46:31 -07:00 · e38b564d54
parent 3424de9350
commit e38b564d54
2 changed files with 23 additions and 3 deletions
--- a/app/models/discussion_topic.rb
+++ b/app/models/discussion_topic.rb
@ -772,7 +772,7 @@ class DiscussionTopic < ActiveRecord::Base
        self.context.grants_right?(user, session, :post_to_forum) && self.visible_for?(user)}
    can :reply and can :read

-    given { |user, session| self.context.grants_right?(user, session, :post_to_forum) && self.visible_for?(user)}
+    given { |user, session| self.context.grants_any_right?(user, session, :read_forum, :post_to_forum) && self.visible_for?(user)}
    can :read

    given { |user, session|
@ -966,8 +966,9 @@ class DiscussionTopic < ActiveRecord::Base
    # user is the topic's author
    return true if user == self.user

-    # user is an admin in the context (teacher/ta/designer)
-    return true if context.grants_right?(user, :manage)
+    # user is an admin in the context (teacher/ta/designer) OR
+    # user is an account admin with appropriate permission
+    return true if context.grants_any_right?(user, :manage, :read_course_content)

    # assignment exists and isnt assigned to user (differentiated assignments)
    if for_assignment? && !self.assignment.visible_to_user?(user)
--- a/spec/models/discussion_topic_spec.rb
+++ b/spec/models/discussion_topic_spec.rb
@ -199,6 +199,25 @@ describe DiscussionTopic do
      expect(@topic.visible_for?(new_teacher)).to be_truthy
    end

+    it "unpublished topics should not be visible to custom account admins by default" do
+      @topic.unpublish
+
+      account = @course.root_account
+      nobody_role = custom_account_role('NobodyAdmin', account: account)
+      admin = account_admin_user(account: account, role: nobody_role, active_user: true)
+      expect(@topic.visible_for?(admin)).to be_falsey
+    end
+
+    it "unpublished topics should be visible to account admins with :read_course_content permission" do
+      @topic.unpublish
+
+      account = @course.root_account
+      nobody_role = custom_account_role('NobodyAdmin', account: account)
+      account_with_role_changes(account: account, role: nobody_role, role_changes: { read_course_content: true })
+      admin = account_admin_user(account: account, role: nobody_role, active_user: true)
+      expect(@topic.visible_for?(admin)).to be_truthy
+    end
+
    context "differentiated assignements" do
      before do
        @course = course(:active_course => true)