fix poll visibility issue for students

fixes CNVS-13374
This commit addresses a mistaken assumption about poll visibility for
students.  Previously, there had to be opened poll sessions for a
student to have read access to the poll. This has been changed to be
based on a student's enrollments - if the poll has a poll session
associated with a course or course_section the student is enrolled in,
then they are able to read the poll.

Test plan
- Create a poll as a teacher
- Create a poll session associated with a particular course
  - A student enrolled in the associated course should be able to access
   the poll via #show, regardless of whether or not the session is opened.

  - A student who isn't enrolled in the associated course should not be
   able to access the poll via #show, regardless of whether or not the
   session is opened.

Change-Id: Idf7d4ebeac27d15ce8d37ef498ebc3ab871a6d7e
Reviewed-on: https://gerrit.instructure.com/35722
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jason Madsen <jmadsen@instructure.com>
QA-Review: Caleb Guanzon <cguanzon@instructure.com>
Product-Review: Josh Simpson <jsimpson@instructure.com>
Josh Simpson 2014-05-31 13:28:23 -06:00
parent 39a35ab09e
commit ff0b544ad1
3 changed files with 28 additions and 10 deletions
app/models/polling
spec/apis/v1/polling


@ -40,7 +40,7 @@ module Polling
can :update and can :read and can :delete
given do |user, session|
self.poll_sessions.any? { |poll_session| poll_session.grants_right?(user, session, :submit) }
self.poll_sessions.where(["course_id IN (?) AND (course_section_id IS NULL OR course_section_id IN (?))", user.enrollments.map(&:course_id).compact, user.enrollments.map(&:course_section_id).compact]).exists?
end
can :read
end
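Review bot: The new `given` block builds its allowed course and section lists from `user.enrollments` with no filter on enrollment state visible in this hunk, so a student whose enrollment was deleted, rejected or concluded would presumably keep `:read` on the poll. Restrict the lookup to current enrollments, using whichever scope the Enrollment model provides for that, and add a spec in which a removed student gets 401. The block also calls `user.enrollments` unconditionally, whereas what appears to be the replaced line only passed `user` on to `grants_right?`. If this policy can be evaluated for a nil user, start the condition with `user &&` so it denies rather than raises. The enclosing policy definition starts outside the hunk.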


@ -103,14 +103,19 @@ describe Polling::PollChoicesController, type: :request do
student_in_course(:active_all => true, :course => @course)
end
it "is unauthorized if there are no open sessions" do
it "is unauthorized if there are no existing sessions" do
get_show(true)
response.code.should == '401'
end
it "is authorized if there are existing sessions" do
Polling::PollSession.create!(course: @course, poll: @poll)
get_show(true)
response.code.should == '200'
end
it "doesn't display is_correct within poll choices" do
session = Polling::PollSession.create!(course: @course, poll: @poll)
session.publish!
Polling::PollSession.create!(course: @course, poll: @poll)
json = get_show
poll_choice_json = json['poll_choices'].first
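Review bot: The only 401 case left for poll choices is "no existing sessions", which would still pass if the enrollment filter in the model matched every course. Add a negative spec here that creates a `Polling::PollSession` for a course the student is not enrolled in, calls `get_show(true)` and expects `'401'`, mirroring the unenrolled-course case added to the polls controller spec. The "doesn't display is_correct" example continues past the end of the hunk.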


@ -92,9 +92,7 @@ describe Polling::PollsController, type: :request do
context "as a student" do
it "doesn't display the total results of all sessions" do
student_in_course(:active_all => true, :course => @course)
session = @poll.poll_sessions.create!(course: @course)
session.publish!
@poll.poll_sessions.create!(course: @course)
json = get_show
poll_json = json['polls'].first
@ -111,12 +109,27 @@ describe Polling::PollsController, type: :request do
poll_json.should_not have_key("user_id")
end
it "is unauthorized if there are no published sessions" do
it "shouldn't return the id of the user that created the poll" do
student_in_course(:active_all => true, :course => @course)
section = @course.course_sections.create!(name: 'Section 2')
@poll.poll_sessions.create!(course: @course)
@poll.poll_sessions.create!(course: @course, course_section: section)
json = get_show
poll_json = json['polls'].first
poll_json.should_not have_key("user_id")
end
it "is authorized if there are sessions that belong to a course or course section the user is enrolled in" do
student_in_course(:active_all => true, :course => @course)
@poll.poll_sessions.create!(course: @course)
get_show(true)
response.code.should == '200'
end
it "is unauthorized if there are no sessions that belong to a course or course section the user is enrolled in" do
student_in_course(:active_all => true, :course => @course)
unenrolled = Course.create!(name: 'Unenrolled Course')
@poll.poll_sessions.create!(course: unenrolled)
get_show(true)
response.code.should == '401'
end
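Review bot: None of the added examples exercises the `course_section_id` half of the new visibility condition. The one example that creates a `'Section 2'` session also creates a course-wide session, so it passes whether or not sections are filtered. Add a case where the only session is scoped to a section the student is not in and the request is expected to be denied. This assumes `student_in_course` enrolls the student in the course's default section rather than in `'Section 2'`.

```ruby
it "is unauthorized if the only session belongs to a section the user is not enrolled in" do
  student_in_course(:active_all => true, :course => @course)
  other_section = @course.course_sections.create!(name: 'Section 2')
  @poll.poll_sessions.create!(course: @course, course_section: other_section)
  get_show(true)
  response.code.should == '401'
end
```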