RaspberryPiFoundation · loiswells97 · Nov 4, 2025 · Nov 4, 2025 · Nov 4, 2025 · Nov 6, 2025
diff --git a/app/controllers/api/feedback_controller.rb b/app/controllers/api/feedback_controller.rb
@@ -12,9 +12,7 @@ def index
       end
 
       # Checks that the user is authorised to read the feedback so that if not we can return a 403 rather than an empty array
-      project_feedback.each do |feedback|
-        authorize! :read, feedback
-      end
+      can :read_feedback, project.school_project
       @feedback = project_feedback.accessible_by(current_ability)
       render :index, formats: [:json], status: :ok
     end

diff --git a/app/controllers/api/lessons_controller.rb b/app/controllers/api/lessons_controller.rb
@@ -10,7 +10,10 @@ def index
       archive_scope = params[:include_archived] == 'true' ? Lesson : Lesson.unarchived
       scope = params[:school_class_id] ? archive_scope.where(school_class_id: params[:school_class_id]) : archive_scope
       ordered_scope = scope.order(created_at: :asc)
-      @lessons_with_users = ordered_scope.accessible_by(current_ability).with_users
+      accessible_lessons = ordered_scope.accessible_by(current_ability)
+      lessons_with_users = accessible_lessons.with_users
+      remixes = user_remixes(accessible_lessons)
+      @lessons_with_users_and_remixes = lessons_with_users.zip(remixes)
       render :index, formats: [:json], status: :ok
     end
 
@@ -74,6 +77,22 @@ def verify_school_class_belongs_to_school
       raise ParameterError, 'school_class_id does not correspond to school_id'
     end
 
+    def user_remixes(lessons)
+      lessons.map do |lesson|
+        next nil unless lesson&.project&.remixes&.any?
+
+        user_remix(lesson)
+      end
+    end
+
+    def user_remix(lesson)
+      lesson.project&.remixes
+            &.where(user_id: current_user.id)
+            &.accessible_by(current_ability)
+            &.order(created_at: :asc)
+            &.first
+    end
+
     def lesson_params
       base_params.merge(user_id: current_user.id)
     end

diff --git a/app/models/ability.rb b/app/models/ability.rb
@@ -112,8 +112,8 @@ def define_school_student_abilities(user:, school:)
     # Ensure no access to ClassMember resources, relationships otherwise allow access in some circumstances.
     can(%i[read], Lesson, school_id: school.id, visibility: 'students', school_class: { students: { student_id: user.id } })
     can(%i[read create update], Project, school_id: school.id, user_id: user.id, lesson_id: nil, remixed_from_id: visible_lesson_project_ids)
+    can(%i[read_feedback], SchoolProject, project: { school_id: school.id, user_id: user.id, lesson_id: nil, remixed_from_id: visible_lesson_project_ids })
     can(%i[read show_context], Project, lesson: { school_id: school.id, visibility: 'students', school_class: { students: { student_id: user.id } } })
-    can(%i[read], Feedback, school_project: { project: { school_id: school.id, user_id: user.id, lesson_id: nil, remixed_from_id: visible_lesson_project_ids } })
     can(%i[show_finished set_finished show_status unsubmit submit], SchoolProject, project: { user_id: user.id, lesson_id: nil }, school_id: school.id)
   end
 

diff --git a/app/views/api/lessons/index.json.jbuilder b/app/views/api/lessons/index.json.jbuilder
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
-json.array!(@lessons_with_users) do |lesson, user|
+json.array!(@lessons_with_users_and_remixes) do |lesson_with_user, remix|
+  lesson, user = lesson_with_user # Destructure the pair
   json.call(
     lesson,
     :id,
@@ -26,4 +27,6 @@ json.array!(@lessons_with_users) do |lesson, user|
   end
 
   json.user_name(user&.name)
+
+  json.remix_identifier(remix.identifier) if remix.present?
 end
diff --git a/spec/features/lesson/listing_lessons_spec.rb b/spec/features/lesson/listing_lessons_spec.rb
@@ -210,6 +210,17 @@
       expect(data.size).to eq(1)
     end
 
+    it "includes the remix identifier when the user has remixed the lesson's project" do
+      student = create(:student, school:)
+      authenticated_in_hydra_as(student)
+      create(:class_student, school_class:, student_id: student.id)
+      student_project = create(:project, school:, lesson:, parent: lesson.project, user_id: student.id)
+
+      get('/api/lessons', headers:)
+      data = JSON.parse(response.body, symbolize_names: true)
+      expect(data.first[:remix_identifier]).to eq(student_project.identifier)
+    end
+
     it "does not include the lesson when the user is not a school-student within the lesson's class" do
       student = create(:student, school:)
       authenticated_in_hydra_as(student)