fix(PermissionForms): fix class_permission_forms? policy, add lots of…

… API specs [PT-187613639]
concord-consortium · Jul 4, 2024 · 5414204 · 5414204
1 parent b175e18
commit 5414204
Show file tree

Hide file tree

Showing 5 changed files with 254 additions and 82 deletions.
diff --git a/rails/app/controllers/api/v1/permission_forms_controller.rb b/rails/app/controllers/api/v1/permission_forms_controller.rb
@@ -164,10 +164,6 @@ def bulk_update
     end
 
     render json: { message: "Bulk update successful" }
-  rescue ActiveRecord::RecordNotFound => e
-    render json: { error: e.message }, status: :not_found
-  rescue => e
-    render json: { error: e.message }, status: :unprocessable_entity
   end
 
   private

diff --git a/rails/app/models/user.rb b/rails/app/models/user.rb
@@ -454,10 +454,12 @@ def is_project_member?(project=nil)
     is_project_admin?(project) || is_project_researcher?(project) || is_project_cohort_member?(project)
   end
 
-  def is_researcher_for_clazz?(clazz)
+  def is_researcher_for_clazz?(clazz, check_can_manage_permission_forms: false)
     # check if class has teacher in a cohort of a project the user is a researcher of using a explicit join to avoid a
     # bunch of unneeded object instantiation
-    researcher_for_projects
+    projects_scope = check_can_manage_permission_forms ? researcher_for_projects.where("can_manage_permission_forms = ?", true) : researcher_for_projects
+
+    projects_scope
       .joins("INNER JOIN admin_cohorts __ac ON __ac.project_id = admin_projects.id")
       .joins("INNER JOIN admin_cohort_items __aci ON __aci.admin_cohort_id = __ac.id AND __aci.item_type = 'Portal::Teacher'")
       .joins("INNER JOIN portal_teachers __pt ON __pt.id = __aci.item_id")

diff --git a/rails/app/policies/portal/clazz_policy.rb b/rails/app/policies/portal/clazz_policy.rb
@@ -53,7 +53,7 @@ def external_report?
   # Used by Portal::API::V1::PermissionFormsController:
 
   def class_permission_forms?
-    admin? || class_teacher? || class_project_admin? || class_researcher?
+    admin? || class_teacher? || class_project_admin? || (user && record && user.is_researcher_for_clazz?(record, check_can_manage_permission_forms: true))
   end
 
   private