Add authorisation logic for creating projects in a school/lesson

Author: tuzz

app/controllers/api/projects_controller.rb

@@ -7,8 +7,9 @@ class ProjectsController < ApiController
     before_action :authorize_user, only: %i[create update index destroy]
     before_action :load_project, only: %i[show update destroy]
     before_action :load_projects, only: %i[index]
-    after_action :pagination_link_header, only: %i[index]
     load_and_authorize_resource
+    before_action :verify_lesson_belongs_to_school, only: :create
+    after_action :pagination_link_header, only: %i[index]
 
     def index
       @paginated_projects = @projects.page(params[:page])
@@ -47,6 +48,13 @@ def destroy
 
     private
 
+    def verify_lesson_belongs_to_school
+      return if base_params[:lesson_id].blank?
+      return if school&.lessons&.pluck(:id)&.include?(base_params[:lesson_id])
+
+      raise ParameterError, 'lesson_id does not correspond to school_id'
+    end
+
     def load_project
       project_loader = ProjectLoader.new(params[:id], [params[:locale]])
       @project = project_loader.load
@@ -69,6 +77,7 @@ def project_params
     def base_params
       params.fetch(:project, {}).permit(
         :school_id,
+        :lesson_id,
         :user_id,
         :identifier,
         :name,

app/models/ability.rb

@@ -66,14 +66,15 @@ def define_school_teacher_abilities(user:, organisation_id:)
     can(%i[read create create_batch update], :school_student)
     can(%i[create destroy], Lesson) { |lesson| school_teacher_can_manage_lesson?(user:, organisation_id:, lesson:) }
     can(%i[read create_copy], Lesson, school_id: organisation_id, visibility: %w[teachers students])
-    can(%i[create], Project, school_id: organisation_id, user_id: user.id)
+    can(%i[create], Project) { |project| school_teacher_can_manage_project?(user:, organisation_id:, project:) }
   end
 
   # rubocop:disable Layout/LineLength
   def define_school_student_abilities(user:, organisation_id:)
     can(%i[read], School, id: organisation_id)
     can(%i[read], SchoolClass, school: { id: organisation_id }, members: { student_id: user.id })
     can(%i[read], Lesson, school_id: organisation_id, visibility: 'students', school_class: { members: { student_id: user.id } })
+    can(%i[create], Project, school_id: organisation_id, user_id: user.id, lesson_id: nil)
   end
   # rubocop:enable Layout/LineLength
 
@@ -83,4 +84,11 @@ def school_teacher_can_manage_lesson?(user:, organisation_id:, lesson:)
 
     is_my_lesson && (is_my_class || !lesson.school_class)
   end
+
+  def school_teacher_can_manage_project?(user:, organisation_id:, project:)
+    is_my_project = project.school_id == organisation_id && project.user_id == user.id
+    is_my_lesson = project.lesson && project.lesson.user_id == user.id
+
+    is_my_project && (is_my_lesson || !project.lesson)
+  end
 end

spec/features/lesson/creating_a_lesson_spec.rb

@@ -145,7 +145,7 @@
       expect(response).to have_http_status(:unprocessable_entity)
     end
 
-    it 'responds 422 Unprocessable if school_id does not correspond to school_class_id' do
+    it 'responds 422 Unprocessable if school_class_id does not correspond to school_id' do
       new_params = { lesson: params[:lesson].merge(school_id: SecureRandom.uuid) }
 
       post('/api/lessons', headers:, params: new_params)

spec/features/project/creating_a_project_spec.rb

@@ -79,6 +79,13 @@
       expect(response).to have_http_status(:created)
     end
 
+    it 'responds 201 Created when the user is a school-student for the school' do
+      stub_hydra_public_api(user_index: user_index_by_role('school-student'))
+
+      post('/api/projects', headers:, params:)
+      expect(response).to have_http_status(:created)
+    end
+
     it 'sets the lesson user to the specified user for school-owner users' do
       post('/api/projects', headers:, params:)
       data = JSON.parse(response.body, symbolize_names: true)
@@ -103,4 +110,79 @@
       expect(response).to have_http_status(:forbidden)
     end
   end
+
+  context 'when the project is associated with a lesson' do
+    let(:school) { create(:school) }
+    let(:lesson) { create(:lesson, school:) }
+    let(:teacher_index) { user_index_by_role('school-teacher') }
+    let(:teacher_id) { user_id_by_index(teacher_index) }
+
+    let(:params) do
+      {
+        project: {
+          name: 'Test Project',
+          components: [],
+          school_id: school.id,
+          lesson_id: lesson.id,
+          user_id: teacher_id
+        }
+      }
+    end
+
+    it 'responds 201 Created' do
+      post('/api/projects', headers:, params:)
+      expect(response).to have_http_status(:created)
+    end
+
+    it 'responds 201 Created when the current user is the owner of the lesson' do
+      stub_hydra_public_api(user_index: teacher_index)
+      lesson.update!(user_id: user_id_by_index(teacher_index))
+
+      post('/api/projects', headers:, params:)
+      expect(response).to have_http_status(:created)
+    end
+
+    it 'responds 422 Unprocessable when when the user_id is not the owner of the lesson' do
+      new_params = { project: params[:project].merge(user_id: SecureRandom.uuid) }
+
+      post('/api/projects', headers:, params: new_params)
+      expect(response).to have_http_status(:unprocessable_entity)
+    end
+
+    it 'responds 422 Unprocessable when lesson_id is provided but school_id is missing' do
+      new_params = { project: params[:project].without(:school_id) }
+
+      post('/api/projects', headers:, params: new_params)
+      expect(response).to have_http_status(:unprocessable_entity)
+    end
+
+    it 'responds 422 Unprocessable when lesson_id does not correspond to school_id' do
+      new_params = { project: params[:project].merge(lesson_id: SecureRandom.uuid) }
+
+      post('/api/projects', headers:, params: new_params)
+      expect(response).to have_http_status(:unprocessable_entity)
+    end
+
+    it 'responds 403 Forbidden when the user is a school-owner for a different school' do
+      new_params = { project: params[:project].without(:lesson_id).merge(school_id: SecureRandom.uuid) }
+
+      post('/api/projects', headers:, params: new_params)
+      expect(response).to have_http_status(:forbidden)
+    end
+
+    it 'responds 403 Forbidden when the current user is not the owner of the lesson' do
+      stub_hydra_public_api(user_index: teacher_index)
+      lesson.update!(user_id: SecureRandom.uuid)
+
+      post('/api/projects', headers:, params:)
+      expect(response).to have_http_status(:forbidden)
+    end
+
+    it 'responds 403 Forbidden when the user is a school-student' do
+      stub_hydra_public_api(user_index: user_index_by_role('school-student'))
+
+      post('/api/projects', headers:, params:)
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
 end

spec/models/lesson_spec.rb

@@ -70,7 +70,7 @@
         lesson.update!(school: create(:school))
       end
 
-      it 'requires a user that has the school-owner or school-teacher role for the school' do
+      it 'requires that the user that has the school-owner or school-teacher role for the school' do
         lesson.user_id = '22222222-2222-2222-2222-222222222222' # school-student
         expect(lesson).to be_invalid
       end
@@ -81,7 +81,7 @@
         lesson.update!(school_class: create(:school_class))
       end
 
-      it 'requires a user that is the school-teacher for the school_class' do
+      it 'requires that the user that is the school-teacher for the school_class' do
         lesson.user_id = '00000000-0000-0000-0000-000000000000' # school-owner
         expect(lesson).to be_invalid
       end