Stop allowing crosslisting into BP courses

fixes LF-1124
flag=none

Test Plan:
- Create course A, enable as a blueprint.
- Create course B, and add a student or observer to the course.
- Try to cross-list the section from B into course A.
- Ensure you can't do it either via API or UI.

Change-Id: I89705722eea8b5e103421c110a5aff22902ef05b
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/339963
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jacob DeWar <jacob.dewar@instructure.com>
QA-Review: Jacob DeWar <jacob.dewar@instructure.com>
Product-Review: Luis Oliveira <luis.oliveira@instructure.com>
Matheus 2024-02-07 16:48:50 -03:00 committed by Luis Oliveira
parent d214a19256
commit f40997bf82
2 changed files with 23 additions and 1 deletions


@ -207,7 +207,7 @@ class SectionsController < ApplicationController
# cross-listing should only be allowed within the same root account
@new_course = @section.root_account.all_courses.not_deleted.where(id: course_id).first if Api::ID_REGEX.match?(course_id)
@new_course ||= @section.root_account.all_courses.not_deleted.where(sis_source_id: course_id).first if course_id.present?
allowed = @new_course && @section.grants_right?(@current_user, session, :update) && @new_course.grants_right?(@current_user, session, :manage)
allowed = @new_course && !MasterCourses::MasterTemplate.find_by(course_id: params[:new_course_id]) && @section.grants_right?(@current_user, session, :update) && @new_course.grants_right?(@current_user, session, :manage)
res = { allowed: !!allowed }
if allowed
@account = @new_course.account
@ -234,6 +234,8 @@ class SectionsController < ApplicationController
return render json: (api_request? ? section_json(@section, @current_user, session, []) : @section)
end
return render json: { error: "cannot crosslist into blueprint courses" }, status: :forbidden if MasterCourses::MasterTemplate.find_by(course_id: params[:new_course_id])
if authorized_action(@section, @current_user, :update) && authorized_action(@new_course, @current_user, :manage)
@section.crosslist_to_course(@new_course, updating_user: @current_user)
respond_to do |format|
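Review bot: The blueprint check in both hunks keys off `params[:new_course_id]`, but the destination course is resolved a few lines above either by numeric id or by `sis_source_id` (the `where(sis_source_id: course_id)` branch), so a caller that names the destination by its SIS id gets a valid `@new_course` while `find_by(course_id: ...)` compares a non-numeric string against an integer column and matches nothing — the new restriction does not apply on that path. Both sites should test the resolved course instead: `!MasterCourses::MasterTemplate.find_by(course_id: @new_course.id)` in `crosslist_check`, and the same `find_by(course_id: @new_course.id)` in the `crosslist` guard, assuming `@new_course` is already resolved there as its use on the following `authorized_action` line suggests (the `crosslist` method begins outside the hunk). Because the predicate now appears twice, a small private helper keeps the two paths from drifting; a `present?` guard in it also avoids a `NoMethodError` if the guard is ever reached with an unresolved course. Whether the lookup should also exclude soft-deleted templates depends on how `MasterCourses::MasterTemplate` marks deletion, which is not visible here and worth confirming.
```ruby
allowed = @new_course && !blueprint_course?(@new_course) && @section.grants_right?(@current_user, session, :update) && @new_course.grants_right?(@current_user, session, :manage)
# … unchanged: allowed branch and crosslist body …
return render json: { error: "cannot crosslist into blueprint courses" }, status: :forbidden if blueprint_course?(@new_course)

# True when +course+ is the master course of a blueprint template. Takes the
# resolved Course so id- and sis_source_id-based lookups are treated alike.
def blueprint_course?(course)
  course.present? && MasterCourses::MasterTemplate.exists?(course_id: course.id)
end
```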


@ -910,6 +910,17 @@ describe SectionsController, type: :request do
expected_status: 404)
end
it "fails if the destination course is a blueprint" do
MasterCourses::MasterTemplate.set_as_master_course(@dest_course)
json = api_call(:post,
"/api/v1/sections/#{@section.id}/crosslist/#{@dest_course.id}",
@params.merge(id: @section.to_param, new_course_id: @dest_course.to_param),
{},
{},
expected_status: 403)
expect(json["error"]).to eq "cannot crosslist into blueprint courses"
end
it "fails if the destination course is under a different root account" do
foreign_account = Account.create!
foreign_course = foreign_account.courses.create!
@ -930,6 +941,15 @@ describe SectionsController, type: :request do
expect(json["course"]["id"]).to eql @dest_course.id
end
it "does not confirm crosslisting if the destination course is a blueprint" do
MasterCourses::MasterTemplate.set_as_master_course(@dest_course)
user_session(@admin)
json = api_call(:get,
"/courses/#{@course.id}/sections/#{@section.id}/crosslist/confirm/#{@dest_course.id}",
@params.merge(action: "crosslist_check", course_id: @course.to_param, section_id: @section.to_param, new_course_id: @dest_course.id))
expect(json["allowed"]).to be false
end
it "does not confirm crosslisting when the caller lacks :manage rights on the destination course" do
@course.root_account.disable_feature!(:granular_permissions_manage_courses)
account_admin =
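Review bot: The new blueprint tests in the first hunk address the destination only by its numeric id (`@dest_course.id` / `to_param`), while the controller also resolves `new_course_id` through a `sis_source_id` lookup, so a bypass on the SIS path would not be caught by this suite. Add a sibling case that gives the fixture a SIS id with `@dest_course.update!(sis_source_id: "bp-dest")`, posts to `"/api/v1/sections/#{@section.id}/crosslist/bp-dest"` with `new_course_id: "bp-dest"`, and expects 403 plus the same `"cannot crosslist into blueprint courses"` error. The fixture setup is outside the hunk, so confirm `@dest_course` does not already carry a SIS id that the update would clobber. The `crosslist_check` test in the second hunk would benefit from the same SIS-id variant asserting `json["allowed"]` is false.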