forbid users to import an exercise they do not have access to (previously a new one was created)

This commit is contained in:
Karol
2019-12-18 17:52:34 +01:00
parent 12c76b2fe4
commit f49cd0bed4
5 changed files with 24 additions and 4 deletions


@ -188,6 +188,8 @@ class ExercisesController < ApplicationController
exercise.save! exercise.save!
return render json: {}, status: 201 return render json: {}, status: 201
end end
rescue Proforma::ExerciseNotOwned
render json: {}, status: 401
rescue Proforma::ProformaError rescue Proforma::ProformaError
render json: t('exercises.import_codeharbor.import_errors.invalid'), status: 400 render json: t('exercises.import_codeharbor.import_errors.invalid'), status: 400
rescue StandardError rescue StandardError
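Review bot: The new `rescue Proforma::ExerciseNotOwned` branch answers with 401, but the exception is raised for an authenticated user who fails `ExercisePolicy#update?` on an existing exercise, which is an authorization failure rather than a missing credential; 403 Forbidden is the matching status, `render json: {}, status: 403`, with the `have_http_status(:unauthorized)` expectation in the ExercisesController spec section of this commit changed to `:forbidden` alongside it. The empty `{}` body is also inconsistent with the `Proforma::ProformaError` branch directly below, which renders a translated message; a translated "not owned" message analogous to that one would give the client something to display. The enclosing controller action starts and ends outside the hunk.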


@ -0,0 +1,5 @@
# frozen_string_literal: true
module Proforma
class ExerciseNotOwned < StandardError; end
end
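Review bot: The new error class carries no comment stating when it is raised or what the rescuing side is expected to do with it; a one-liner above the class such as `# Raised during a Proforma import when the task's uuid matches an existing exercise the importing user may not update (ExercisePolicy#update?).` would make the controller's rescue self-explanatory. It also subclasses StandardError directly, so the controller's existing `rescue Proforma::ProformaError` does not cover it and every other caller of the import service needs its own rescue; if `Proforma::ProformaError` is the module's common base error (its definition is not on this page), inheriting from it may be the intended hierarchy and should be stated either way.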


@ -28,9 +28,13 @@ module ProformaService
def base_exercise def base_exercise
exercise = Exercise.find_by(uuid: @task.uuid) exercise = Exercise.find_by(uuid: @task.uuid)
return exercise if exercise && ExercisePolicy.new(@user, exercise).update? if exercise
raise Proforma::ExerciseNotOwned unless ExercisePolicy.new(@user, exercise).update?
Exercise.new(uuid: @task.uuid, unpublished: true) exercise
else
Exercise.new(uuid: @task.uuid, unpublished: true)
end
end end
def import_multi def import_multi
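Review bot: base_exercise now nests the authorization check inside an `if exercise` / `else`, where two guard clauses keep the method flat and the ownership check visible at first glance: `return Exercise.new(uuid: @task.uuid, unpublished: true) unless exercise`, then `raise Proforma::ExerciseNotOwned unless ExercisePolicy.new(@user, exercise).update?`, then `exercise`. Separately, `Exercise.find_by(uuid: @task.uuid)` runs before any check on the uuid itself; if an imported task can arrive without a uuid and the column is nullable (not visible here), `find_by(uuid: nil)` would match an unrelated record and the importer would now be refused, or handed that record, instead of getting a fresh exercise, so either a `return Exercise.new(...) if @task.uuid.blank?` guard or a confirmation that uuid is always present is worth adding. The `import_multi` definition that follows the hunk is not visible.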


@ -489,6 +489,15 @@ describe ExercisesController do
end end
end end
context 'when import fails with ExerciseNotOwned' do
before { allow(ProformaService::Import).to receive(:call).and_raise(Proforma::ExerciseNotOwned) }
it 'responds with correct status code' do
post_request
expect(response).to have_http_status(:unauthorized)
end
end
context 'when import fails due to another error' do context 'when import fails due to another error' do
before { allow(ProformaService::Import).to receive(:call).and_raise(StandardError) } before { allow(ProformaService::Import).to receive(:call).and_raise(StandardError) }


@ -155,8 +155,8 @@ describe ProformaService::Import do
context 'when another user imports the exercise' do context 'when another user imports the exercise' do
let(:import_user) { FactoryBot.create(:teacher) } let(:import_user) { FactoryBot.create(:teacher) }
it 'raises a validation error' do it 'raises a proforma error' do
expect { imported_exercise.save! } .to raise_error ActiveRecord::RecordInvalid expect { imported_exercise.save! } .to raise_error Proforma::ExerciseNotOwned
end end
end end
end end
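Review bot: The renamed example 'raises a proforma error' no longer matches what is asserted: Proforma::ExerciseNotOwned is declared in this commit as a StandardError subclass rather than a ProformaError, and after this change the exception is raised while the exercise is resolved in base_exercise, not by `save!`. If `imported_exercise` is a lazily evaluated `let` (its definition is outside the hunk), the raise happens at the first reference inside the block, so `expect { imported_exercise }.to raise_error Proforma::ExerciseNotOwned` under `it 'raises ExerciseNotOwned when the exercise belongs to another user'` states the intent precisely and stops suggesting that persistence is what fails. The space in `} .to` is also unconventional and reads as if `.to` were a separate statement.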