forbid users to import an exercise they do not have access to (previously a new one was created)

2019-12-18 17:52:34 +01:00
parent 12c76b2fe4
commit f49cd0bed4
5 changed files with 24 additions and 4 deletions
--- a/app/controllers/exercises_controller.rb
+++ b/app/controllers/exercises_controller.rb
@ -188,6 +188,8 @@ class ExercisesController < ApplicationController
      exercise.save!
      return render json: {}, status: 201
    end
+  rescue Proforma::ExerciseNotOwned
+    render json: {}, status: 401
  rescue Proforma::ProformaError
    render json: t('exercises.import_codeharbor.import_errors.invalid'), status: 400
  rescue StandardError
--- a/app/errors/proforma/exercise_not_owned.rb
+++ b/app/errors/proforma/exercise_not_owned.rb
@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Proforma
+  class ExerciseNotOwned < StandardError; end
+end
--- a/app/services/proforma_service/import.rb
+++ b/app/services/proforma_service/import.rb
@ -28,10 +28,14 @@ module ProformaService

    def base_exercise
      exercise = Exercise.find_by(uuid: @task.uuid)
-      return exercise if exercise && ExercisePolicy.new(@user, exercise).update?
+      if exercise
+        raise Proforma::ExerciseNotOwned unless ExercisePolicy.new(@user, exercise).update?

+        exercise
+      else
        Exercise.new(uuid: @task.uuid, unpublished: true)
      end
+    end

    def import_multi
      Zip::File.open(@zip.path) do |zip_file|
--- a/spec/controllers/exercises_controller_spec.rb
+++ b/spec/controllers/exercises_controller_spec.rb
@ -489,6 +489,15 @@ describe ExercisesController do
      end
    end

+    context 'when import fails with ExerciseNotOwned' do
+      before { allow(ProformaService::Import).to receive(:call).and_raise(Proforma::ExerciseNotOwned) }
+
+      it 'responds with correct status code' do
+        post_request
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+
    context 'when import fails due to another error' do
      before { allow(ProformaService::Import).to receive(:call).and_raise(StandardError) }

--- a/spec/services/proforma_service/import_spec.rb
+++ b/spec/services/proforma_service/import_spec.rb
@ -155,8 +155,8 @@ describe ProformaService::Import do
      context 'when another user imports the exercise' do
        let(:import_user) { FactoryBot.create(:teacher) }

-        it 'raises a validation error' do
-          expect { imported_exercise.save! } .to raise_error ActiveRecord::RecordInvalid
+        it 'raises a proforma error' do
+          expect { imported_exercise.save! } .to raise_error Proforma::ExerciseNotOwned
        end
      end
    end