Stop students marking teacher project as finished (#501)

closes #500

---------

Co-authored-by: create-issue-branch[bot] <53036503+create-issue-branch[bot]@users.noreply.github.com>
Co-authored-by: Lois Wells <[email protected]>

Author: create-issue-branch[bot]

app/controllers/api/school_projects_controller.rb

@@ -7,12 +7,15 @@ class SchoolProjectsController < ApiController
 
     def show_finished
       @school_project = Project.find_by(identifier: params[:id]).school_project
+      authorize! :show_finished, @school_project
       render :finished, formats: [:json], status: :ok
     end
 
     def set_finished
       project = Project.find_by(identifier: params[:id])
-      result = SchoolProject::SetFinished.call(school_project: project.school_project, finished: params[:finished])
+      @school_project = project.school_project
+      authorize! :set_finished, @school_project
+      result = SchoolProject::SetFinished.call(school_project: @school_project, finished: params[:finished])
 
       if result.success?
         @school_project = result[:school_project]

spec/requests/school_projects/set_finished_spec.rb

@@ -65,4 +65,19 @@
       expect(student_project.school_project.finished).to be_falsey
     end
   end
+
+  context 'when the user does not own the project' do
+    before do
+      put("/api/projects/#{teacher_project.identifier}/finished", headers:, params: { finished: true })
+      teacher_project.reload
+    end
+
+    it 'returns forbidden response' do
+      expect(response).to have_http_status(:forbidden)
+    end
+
+    it 'does not change the finished flag' do
+      expect(teacher_project.school_project.finished).to be_falsey
+    end
+  end
 end

spec/requests/school_projects/show_finished_spec.rb

@@ -27,15 +27,30 @@
   context 'when the user is a student' do
     before do
       authenticated_in_hydra_as(student)
-      get("/api/projects/#{student_project.identifier}/finished", headers:)
     end
 
-    it 'returns success response' do
-      expect(response).to have_http_status(:ok)
+    context 'when user owns project' do
+      before do
+        get("/api/projects/#{student_project.identifier}/finished", headers:)
+      end
+
+      it 'returns success response' do
+        expect(response).to have_http_status(:ok)
+      end
+
+      it 'returns response containing correct school project data' do
+        expect(response.body).to eq(school_project_json)
+      end
     end
 
-    it 'returns response containing correct school project data' do
-      expect(response.body).to eq(school_project_json)
+    context 'when user does not own project' do
+      before do
+        get("/api/projects/#{teacher_project.identifier}/finished", headers:)
+      end
+
+      it 'returns forbidden response' do
+        expect(response).to have_http_status(:forbidden)
+      end
     end
   end
 end