tweak permission checks on sections list api

fixes CNVS-6507 test plan: - remove the following permissions for TAs * "See the list of users" * "View all grades" * "Edit grades" - hit the list sections api, both with and without include[]="students" - either way, you should get a list of sections, but students should not be included in the list. Change-Id: Iae910ec9f7ad32bdb8518176035550861230dc55 Reviewed-on: https://gerrit.instructure.com/21797 Tested-by: Jenkins <jenkins@instructure.com> QA-Review: Amber Taniuchi <amber@instructure.com> Reviewed-by: Cameron Matheson <cameron@instructure.com> Reviewed-by: Simon Williams <simon@instructure.com> Product-Review: Simon Williams <simon@instructure.com>
2013-06-27 09:50:18 -06:00 · 2013-06-27 09:50:18 -06:00 · e8c05ff0a9
parent 9412c19ace
commit e8c05ff0a9
2 changed files with 33 additions and 3 deletions
--- a/app/controllers/sections_controller.rb
+++ b/app/controllers/sections_controller.rb
@ -53,14 +53,17 @@ class SectionsController < ApplicationController
  # @API List course sections
  # Returns the list of sections for this course.
  #
-  # @argument include[] [optional, "students"] Associations to include with the group.
+  # @argument include[] [optional, "students"] Associations to include with the group. Note: this is only available if you have permission to view users or grades in the course
  # @argument include[] [optional, "avatar_url"] Include the avatar URLs for students returned.
  #
  # @returns [Section]
  def index
-    if authorized_action(@context, @current_user, [:read_roster, :view_all_grades, :manage_grades])
-      includes = Array(params[:include])
+    if authorized_action(@context, @current_user, [:read, :read_roster, :view_all_grades, :manage_grades])
+      if params[:include].present? && !is_authorized_action?(@context, @current_user, [:read_roster, :view_all_grades, :manage_grades])
+        params[:include] = nil
+      end

+      includes = Array(params[:include])
      result = @context.active_course_sections.map { |section| section_json(section, @current_user, session, includes) }

      render :json => result
--- a/spec/apis/v1/sections_api_spec.rb
+++ b/spec/apis/v1/sections_api_spec.rb
@ -59,6 +59,33 @@ describe SectionsController, :type => :integration do
                      { :controller => 'sections', :action => 'index', :course_id => @course2.to_param, :format => 'json' }, { :include => ['students'] })
      json.size.should == 1
    end
+
+    it "should return sections but not students if user has :read but not :read_roster, :view_all_grades, or :manage_grades" do
+      RoleOverride.create!(:context => Account.default, :permission => 'read_roster', :enrollment_type => 'TaEnrollment', :enabled => false)
+      RoleOverride.create!(:context => Account.default, :permission => 'view_all_grades', :enrollment_type => 'TaEnrollment', :enabled => false)
+      RoleOverride.create!(:context => Account.default, :permission => 'manage_grades', :enrollment_type => 'TaEnrollment', :enabled => false)
+      enrollment = course_with_ta(:active_all => true)
+      enrollment.update_attribute(:limit_privileges_to_course_section, true)
+
+      @course.grants_right?(@ta, :read).should be_true
+      @course.grants_right?(@ta, :read_roster).should be_false
+      @course.grants_right?(@ta, :view_all_grades).should be_false
+      @course.grants_right?(@ta, :manage_grades).should be_false
+
+      route_params = {
+        :controller => 'sections',
+        :action => 'index',
+        :course_id => @course.to_param,
+        :format => 'json'
+      }
+      json = api_call(:get,
+                      "/api/v1/courses/#{@course.id}/sections.json",
+                      route_params,
+                      { :include => ['students'] })
+
+      json.first["name"].should == @course.default_section.name
+      json.first.keys.include?("students").should be_false
+    end
  end

  describe "#show" do