Add support for creating projects within a school’s library

If the user has the school-owner or school-teacher role, they can create
a project that is associated with a school (but not a school class).

If the user is a school-owner they can assign a teacher to the project
in the same was as lessons, otherwise the school-teacher is always set
as the project’s owner (user).

Author: tuzz

app/controllers/api/lessons_controller.rb

@@ -75,7 +75,7 @@ def lesson_params
         # A school owner must specify who the lesson user is.
         base_params
       else
-        # A school teacher may only create classes they own.
+        # A school teacher may only create lessons they own.
         base_params.merge(user_id: current_user.id)
       end
     end

app/controllers/api/projects_controller.rb

@@ -7,9 +7,8 @@ class ProjectsController < ApiController
     before_action :authorize_user, only: %i[create update index destroy]
     before_action :load_project, only: %i[show update destroy]
     before_action :load_projects, only: %i[index]
-    after_action :pagination_link_header, only: [:index]
+    after_action :pagination_link_header, only: %i[index]
     load_and_authorize_resource
-    skip_load_resource only: :create
 
     def index
       @paginated_projects = @projects.page(params[:page])
@@ -21,25 +20,23 @@ def show
     end
 
     def create
-      project_hash = project_params.merge(user_id: current_user&.id)
-      result = Project::Create.call(project_hash:)
+      result = Project::Create.call(project_hash: project_params)
 
       if result.success?
         @project = result[:project]
-        render :show, formats: [:json]
+        render :show, formats: [:json], status: :created
       else
-        render json: { error: result[:error] }, status: :internal_server_error
+        render json: { error: result[:error] }, status: :unprocessable_entity
       end
     end
 
     def update
-      update_hash = project_params.merge(user_id: current_user&.id)
-      result = Project::Update.call(project: @project, update_hash:)
+      result = Project::Update.call(project: @project, update_hash: project_params)
 
       if result.success?
         render :show, formats: [:json]
       else
-        render json: { error: result[:error] }, status: :bad_request
+        render json: { error: result[:error] }, status: :unprocessable_entity
       end
     end
 
@@ -60,7 +57,19 @@ def load_projects
     end
 
     def project_params
+      if school_owner?
+        # A school owner must specify who the project user is.
+        base_params
+      else
+        # A school teacher may only create projects they own.
+        base_params.merge(user_id: current_user&.id)
+      end
+    end
+
+    def base_params
       params.fetch(:project, {}).permit(
+        :school_id,
+        :user_id,
         :identifier,
         :name,
         :project_type,
@@ -72,6 +81,14 @@ def project_params
       )
     end
 
+    def school_owner?
+      school && current_user.school_owner?(organisation_id: school.id)
+    end
+
+    def school
+      @school ||= @project&.school || School.find_by(id: base_params[:school_id])
+    end
+
     def pagination_link_header
       pagination_links = []
       pagination_links << page_links(first_page, 'first')

app/models/ability.rb

@@ -5,19 +5,34 @@ class Ability
 
   # rubocop:disable Metrics/AbcSize
   def initialize(user)
-    can :show, Project, user_id: nil
-    can :show, Component, project: { user_id: nil }
+    # Anyone can view projects not owner by a user or a school.
+    can :show, Project, user_id: nil, school_id: nil
+    can :show, Component, project: { user_id: nil, school_id: nil }
+
+    # Anyone can read publicly shared lessons.
     can :read, Lesson, visibility: 'public'
 
     return unless user
 
-    can %i[read create update destroy], Project, user_id: user.id
-    can %i[read create update destroy], Component, project: { user_id: user.id }
+    # Any authenticated user can create projects not owned by a school.
+    can :create, Project, user_id: user.id, school_id: nil
+    can :create, Component, project: { user_id: user.id, school_id: nil }
+
+    # Any authenticated user can manage their own projects.
+    can %i[read update destroy], Project, user_id: user.id
+    can %i[read update destroy], Component, project: { user_id: user.id }
+
+    # Any authenticated user can create a school. They agree to become the school-owner.
+    can :create, School
+
+    # Any authenticated user can create a lesson, to support a RPF library of public lessons.
+    can :create, Lesson, school_id: nil, school_class_id: nil
+
+    # Any authenticated user can create a copy of a publicly shared lesson.
+    can :create_copy, Lesson, visibility: 'public'
 
-    can :create, School # The user agrees to become a school-owner by creating a school.
-    can :create, Lesson, school_id: nil, school_class_id: nil # Users can create shared lessons.
-    can :create_copy, Lesson, visibility: 'public' # Users can create a copy of any public lesson.
-    can %i[read create_copy update destroy], Lesson, user_id: user.id # Users can manage their own lessons.
+    # Any authenticated user can manage their own lessons.
+    can %i[read create_copy update destroy], Lesson, user_id: user.id
 
     user.organisation_ids.each do |organisation_id|
       define_school_owner_abilities(organisation_id:) if user.school_owner?(organisation_id:)
@@ -38,6 +53,7 @@ def define_school_owner_abilities(organisation_id:)
     can(%i[read create create_batch update destroy], :school_student)
     can(%i[create create_copy], Lesson, school_id: organisation_id)
     can(%i[read update destroy], Lesson, school_id: organisation_id, visibility: %w[teachers students public])
+    can(%i[create], Project, school_id: organisation_id)
   end
 
   def define_school_teacher_abilities(user:, organisation_id:)
@@ -50,6 +66,7 @@ def define_school_teacher_abilities(user:, organisation_id:)
     can(%i[read create create_batch update], :school_student)
     can(%i[create destroy], Lesson) { |lesson| school_teacher_can_manage_lesson?(user:, organisation_id:, lesson:) }
     can(%i[read create_copy], Lesson, school_id: organisation_id, visibility: %w[teachers students])
+    can(%i[create], Project, school_id: organisation_id, user_id: user.id)
   end
 
   # rubocop:disable Layout/LineLength

app/models/project.rb

@@ -18,6 +18,12 @@ class Project < ApplicationRecord
 
   scope :internal_projects, -> { where(user_id: nil) }
 
+  # Work around a CanCanCan issue with accepts_nested_attributes_for.
+  # https://github.com/CanCanCommunity/cancancan/issues/774
+  def components=(array)
+    super(array.map { |o| o.is_a?(Hash) ? Component.new(o) : o })
+  end
+
   private
 
   def check_unique_not_null

spec/features/lesson/creating_a_lesson_spec.rb

@@ -2,7 +2,7 @@
 
 require 'rails_helper'
 
-RSpec.describe 'Creating a public lesson', type: :request do
+RSpec.describe 'Creating a lesson', type: :request do
   before do
     stub_hydra_public_api
     stub_user_info_api

spec/features/lesson/showing_a_lesson_spec.rb

@@ -123,7 +123,7 @@
       expect(response).to have_http_status(:ok)
     end
 
-    it "responds 403 Forbidden when the user is not a school-student within the lesson's class" do
+    it "responds 403 Forbidden when the user is a school-student but isn't within the lesson's class" do
       stub_hydra_public_api(user_index: user_index_by_role('school-student'))
 
       get("/api/lessons/#{lesson.id}", headers:)

spec/features/project/creating_a_project_spec.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Creating a project', type: :request do
+  before do
+    stub_hydra_public_api
+    mock_phrase_generation
+  end
+
+  let(:headers) { { Authorization: UserProfileMock::TOKEN } }
+
+  let(:params) do
+    {
+      project: {
+        name: 'Test Project',
+        components: [
+          { name: 'main', extension: 'py', content: 'print("hi")' }
+        ]
+      }
+    }
+  end
+
+  it 'responds 201 Created' do
+    post('/api/projects', headers:, params:)
+    expect(response).to have_http_status(:created)
+  end
+
+  it 'responds with the project JSON' do
+    post('/api/projects', headers:, params:)
+    data = JSON.parse(response.body, symbolize_names: true)
+
+    expect(data[:name]).to eq('Test Project')
+  end
+
+  it 'responds with the components JSON' do
+    post('/api/projects', headers:, params:)
+    data = JSON.parse(response.body, symbolize_names: true)
+
+    expect(data[:components].first[:content]).to eq('print("hi")')
+  end
+
+  it 'responds 422 Unprocessable Entity when params are invalid' do
+    post('/api/projects', headers:, params: { project: { components: [{ name: ' ' }] } })
+    expect(response).to have_http_status(:unprocessable_entity)
+  end
+
+  it 'responds 401 Unauthorized when no token is given' do
+    post('/api/projects', params:)
+    expect(response).to have_http_status(:unauthorized)
+  end
+
+  context 'when the project is associated with a school (library)' do
+    let(:school) { create(:school) }
+    let(:teacher_index) { user_index_by_role('school-teacher') }
+    let(:teacher_id) { user_id_by_index(teacher_index) }
+
+    let(:params) do
+      {
+        project: {
+          name: 'Test Project',
+          components: [],
+          school_id: school.id,
+          user_id: teacher_id
+        }
+      }
+    end
+
+    it 'responds 201 Created' do
+      post('/api/projects', headers:, params:)
+      expect(response).to have_http_status(:created)
+    end
+
+    it 'responds 201 Created when the user is a school-teacher for the school' do
+      stub_hydra_public_api(user_index: user_index_by_role('school-teacher'))
+
+      post('/api/projects', headers:, params:)
+      expect(response).to have_http_status(:created)
+    end
+
+    it 'sets the lesson user to the specified user for school-owner users' do
+      post('/api/projects', headers:, params:)
+      data = JSON.parse(response.body, symbolize_names: true)
+
+      expect(data[:user_id]).to eq(teacher_id)
+    end
+
+    it 'sets the project user to the current user for school-teacher users' do
+      stub_hydra_public_api(user_index: teacher_index)
+      new_params = { project: params[:project].merge(user_id: 'ignored') }
+
+      post('/api/projects', headers:, params: new_params)
+      data = JSON.parse(response.body, symbolize_names: true)
+
+      expect(data[:user_id]).to eq(teacher_id)
+    end
+
+    it 'responds 403 Forbidden when the user is a school-owner for a different school' do
+      school.update!(id: SecureRandom.uuid)
+
+      post('/api/projects', headers:, params:)
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
+end

spec/requests/projects/create_spec.rb

@@ -20,7 +20,7 @@
       it 'returns success' do
         post('/api/projects', headers:)
 
-        expect(response).to have_http_status(:ok)
+        expect(response).to have_http_status(:created)
       end
     end
 
@@ -36,7 +36,7 @@
       it 'returns error' do
         post('/api/projects', headers:)
 
-        expect(response).to have_http_status(:internal_server_error)
+        expect(response).to have_http_status(:unprocessable_entity)
       end
     end
   end

spec/requests/projects/update_spec.rb

@@ -71,7 +71,7 @@
 
       it 'returns error response' do
         put("/api/projects/#{project.identifier}", params:, headers:)
-        expect(response).to have_http_status(:bad_request)
+        expect(response).to have_http_status(:unprocessable_entity)
       end
     end
   end