Add project context route (#531)

loiswells97 · web-flow · commit 491c72859f66 · 2025-03-25T12:02:18.000Z
## Status closes RaspberryPiFoundation/digital-editor-issues#479 ## What's changed? - Added project context route to allow apps to request contextual data about a project. This will return the school, class and lesson ids for the project. - Stopped students from viewing their work if the associated lesson is no longer visible to students
diff --git a/app/controllers/api/projects/remixes_controller.rb b/app/controllers/api/projects/remixes_controller.rb
@@ -5,6 +5,7 @@ module Projects
     class RemixesController < ApiController
       before_action :authorize_user
       load_and_authorize_resource :school, only: :index
+      before_action :load_and_authorize_remix, only: %i[show]
 
       def index
         projects = Project.where(remixed_from_id: project.id).accessible_by(current_ability)
@@ -13,8 +14,6 @@ def index
       end
 
       def show
-        @project = Project.find_by!(remixed_from_id: project.id, user_id: current_user&.id)
-
         render '/api/projects/show', formats: [:json]
       end
 
@@ -40,6 +39,11 @@ def project
         @project ||= Project.find_by!(identifier: params[:project_id])
       end
 
+      def load_and_authorize_remix
+        @project = Project.find_by!(remixed_from_id: project.id, user_id: current_user&.id)
+        authorize! :show, @project
+      end
+
       def remix_params
         params.require(:project)
               .permit(:name,
diff --git a/app/controllers/api/projects_controller.rb b/app/controllers/api/projects_controller.rb
@@ -5,7 +5,7 @@
 module Api
   class ProjectsController < ApiController
     before_action :authorize_user, only: %i[create update index destroy]
-    before_action :load_project, only: %i[show update destroy]
+    before_action :load_project, only: %i[show update destroy show_context]
     before_action :load_projects, only: %i[index]
     load_and_authorize_resource
     before_action :verify_lesson_belongs_to_school, only: :create
@@ -52,6 +52,11 @@ def destroy
       head :ok
     end
 
+    # Returns the identifier, school_id, lesson_id, and class_id of the project so the full context can be loaded
+    def show_context
+      render :context, formats: [:json]
+    end
+
     private
 
     def verify_lesson_belongs_to_school
diff --git a/app/models/ability.rb b/app/models/ability.rb
@@ -60,7 +60,7 @@ def define_school_owner_abilities(school:)
     can(%i[read update destroy], School, id: school.id)
     can(%i[read], :school_member)
     can(%i[read create update destroy], SchoolClass, school: { id: school.id })
-    can(%i[read], Project, school_id: school.id, lesson: { visibility: %w[teachers students] })
+    can(%i[read show_context], Project, school_id: school.id, lesson: { visibility: %w[teachers students] })
     can(%i[read create create_batch destroy], ClassStudent, school_class: { school: { id: school.id } })
     can(%i[read create destroy], :school_owner)
     can(%i[read create destroy], :school_teacher)
@@ -85,7 +85,7 @@ def define_school_teacher_abilities(user:, school:)
     can(%i[create], Project) do |project|
       school_teacher_can_manage_project?(user:, school:, project:)
     end
-    can(%i[read update], Project, school_id: school.id, lesson: { visibility: %w[teachers students] })
+    can(%i[read update show_context], Project, school_id: school.id, lesson: { visibility: %w[teachers students] })
     can(%i[read], Project,
         remixed_from_id: Project.where(school_id: school.id, remixed_from_id: nil, lesson_id: Lesson.where(school_class_id: ClassTeacher.where(teacher_id: user.id).select(:school_class_id))).pluck(:id))
   end
@@ -95,8 +95,8 @@ def define_school_student_abilities(user:, school:)
     can(%i[read], SchoolClass, school: { id: school.id }, students: { student_id: user.id })
     # Ensure no access to ClassMember resources, relationships otherwise allow access in some circumstances.
     can(%i[read], Lesson, school_id: school.id, visibility: 'students', school_class: { students: { student_id: user.id } })
-    can(%i[read create update], Project, school_id: school.id, user_id: user.id, lesson_id: nil)
-    can(%i[read], Project, lesson: { school_id: school.id, school_class: { students: { student_id: user.id } } })
+    can(%i[read create update], Project, school_id: school.id, user_id: user.id, lesson_id: nil, remixed_from_id: Project.where(school_id: school.id, lesson_id: Lesson.where(visibility: 'students').select(:id)).pluck(:id))
+    can(%i[read show_context], Project, lesson: { school_id: school.id, visibility: 'students', school_class: { students: { student_id: user.id } } })
     can(%i[show_finished set_finished], SchoolProject, project: { user_id: user.id, lesson_id: nil }, school_id: school.id)
   end
 
diff --git a/app/views/api/projects/context.json.jbuilder b/app/views/api/projects/context.json.jbuilder
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+json.call(
+  @project,
+  :identifier,
+  :school_id,
+  :lesson_id
+)
+
+json.class_id(@project.lesson.school_class_id)
diff --git a/config/routes.rb b/config/routes.rb
@@ -34,6 +34,7 @@
 
     resources :projects, only: %i[index show update destroy create] do
       get :finished, on: :member, to: 'school_projects#show_finished'
+      get :context, on: :member, to: 'projects#show_context'
       put :finished, on: :member, to: 'school_projects#set_finished'
       resource :remix, only: %i[show create], controller: 'projects/remixes'
       resources :remixes, only: %i[index], controller: 'projects/remixes'
diff --git a/spec/features/project/creating_a_project_spec.rb b/spec/features/project/creating_a_project_spec.rb
@@ -80,12 +80,12 @@
       expect(response).to have_http_status(:created)
     end
 
-    it 'responds 201 Created when the user is a school-student for the school' do
+    it 'responds 403 Forbidden when the user is a school-student for the school' do
       student = create(:student, school:)
       authenticated_in_hydra_as(student)
 
       post('/api/projects', headers:, params:)
-      expect(response).to have_http_status(:created)
+      expect(response).to have_http_status(:forbidden)
     end
 
     it 'sets the lesson user to the specified user for school-owner users' do
diff --git a/spec/models/ability_spec.rb b/spec/models/ability_spec.rb
@@ -140,7 +140,7 @@
     end
 
     # rubocop:disable RSpec/MultipleMemoizedHelpers
-    context 'with a teachers project where the lesson is visible to students' do
+    context "with a teacher's project where the lesson is visible to students" do
       let(:user) { create(:user) }
       let(:school) { create(:school) }
       let(:teacher) { create(:teacher, school:) }
@@ -154,6 +154,7 @@
         end
 
         it { is_expected.to be_able_to(:read, project) }
+        it { is_expected.to be_able_to(:show_context, project) }
         it { is_expected.not_to be_able_to(:create, project) }
         it { is_expected.not_to be_able_to(:update, project) }
         it { is_expected.not_to be_able_to(:set_finished, project.school_project) }
@@ -166,6 +167,7 @@
         end
 
         it { is_expected.to be_able_to(:read, project) }
+        it { is_expected.to be_able_to(:show_context, project) }
         it { is_expected.not_to be_able_to(:create, project) }
         it { is_expected.to be_able_to(:update, project) }
         it { is_expected.not_to be_able_to(:set_finished, project.school_project) }
@@ -179,6 +181,7 @@
         end
 
         it { is_expected.to be_able_to(:read, project) }
+        it { is_expected.to be_able_to(:show_context, project) }
         it { is_expected.not_to be_able_to(:create, project) }
         it { is_expected.not_to be_able_to(:update, project) }
         it { is_expected.not_to be_able_to(:set_finished, project.school_project) }
@@ -191,6 +194,69 @@
         end
 
         it { is_expected.not_to be_able_to(:read, project) }
+        it { is_expected.not_to be_able_to(:show_context, project) }
+        it { is_expected.not_to be_able_to(:create, project) }
+        it { is_expected.not_to be_able_to(:update, project) }
+        it { is_expected.not_to be_able_to(:set_finished, project.school_project) }
+        it { is_expected.not_to be_able_to(:destroy, project) }
+      end
+    end
+
+    context 'with a teachers project where the lesson is not visible to students' do
+      let(:user) { create(:user) }
+      let(:school) { create(:school) }
+      let(:teacher) { create(:teacher, school:) }
+      let(:school_class) { build(:school_class, school:, teacher_ids: [teacher.id]) }
+      let(:lesson) { build(:lesson, school:, school_class:, user_id: teacher.id, visibility: 'teachers') }
+      let!(:project) { build(:project, school:, lesson:, user_id: teacher.id) }
+
+      context 'when user is a school owner' do
+        before do
+          create(:owner_role, user_id: user.id, school:)
+        end
+
+        it { is_expected.to be_able_to(:read, project) }
+        it { is_expected.to be_able_to(:show_context, project) }
+        it { is_expected.not_to be_able_to(:create, project) }
+        it { is_expected.not_to be_able_to(:update, project) }
+        it { is_expected.not_to be_able_to(:set_finished, project.school_project) }
+        it { is_expected.not_to be_able_to(:destroy, project) }
+      end
+
+      context 'when user is a school teacher' do
+        before do
+          create(:teacher_role, user_id: user.id, school:)
+        end
+
+        it { is_expected.to be_able_to(:read, project) }
+        it { is_expected.to be_able_to(:show_context, project) }
+        it { is_expected.not_to be_able_to(:create, project) }
+        it { is_expected.to be_able_to(:update, project) }
+        it { is_expected.not_to be_able_to(:set_finished, project.school_project) }
+        it { is_expected.not_to be_able_to(:destroy, project) }
+      end
+
+      context 'when user is a school student and belongs to the teachers class' do
+        before do
+          create(:student_role, user_id: user.id, school:)
+          create(:class_student, school_class:, student_id: user.id)
+        end
+
+        it { is_expected.not_to be_able_to(:read, project) }
+        it { is_expected.not_to be_able_to(:show_context, project) }
+        it { is_expected.not_to be_able_to(:create, project) }
+        it { is_expected.not_to be_able_to(:update, project) }
+        it { is_expected.not_to be_able_to(:set_finished, project.school_project) }
+        it { is_expected.not_to be_able_to(:destroy, project) }
+      end
+
+      context 'when user is a school student and does not belong to the teachers class' do
+        before do
+          create(:student_role, user_id: user.id, school:)
+        end
+
+        it { is_expected.not_to be_able_to(:read, project) }
+        it { is_expected.not_to be_able_to(:show_context, project) }
         it { is_expected.not_to be_able_to(:create, project) }
         it { is_expected.not_to be_able_to(:update, project) }
         it { is_expected.not_to be_able_to(:set_finished, project.school_project) }
@@ -200,7 +266,7 @@
 
     # TODO: Handle other visibilities
 
-    context 'with a remix of a teachers project' do
+    context "with a remix of a teacher's project" do
       let(:school) { create(:school) }
       let(:student) { create(:student, school:) }
       let(:teacher) { create(:teacher, school:) }
@@ -221,6 +287,19 @@
         it { is_expected.to be_able_to(:set_finished, remixed_project.school_project) }
       end
 
+      context 'when user is a student and the lesson is not visible to students' do
+        let(:user) { student }
+
+        before do
+          lesson.update(visibility: 'teachers')
+        end
+
+        it { is_expected.not_to be_able_to(:read, remixed_project) }
+        it { is_expected.not_to be_able_to(:create, remixed_project) }
+        it { is_expected.not_to be_able_to(:update, remixed_project) }
+        it { is_expected.not_to be_able_to(:destroy, remixed_project) }
+      end
+
       context 'when user is teacher that does not own the orginal project' do
         let(:user) { create(:teacher, school:) }
 
diff --git a/spec/requests/projects/show_context_spec.rb b/spec/requests/projects/show_context_spec.rb
diff --git a/spec/requests/projects/update_spec.rb b/spec/requests/projects/update_spec.rb
