Allow experience-cs admin to create projects

floehopper · floehopper · commit 195923c20a54 · 2025-05-25T12:50:30.000+01:00
This gives users with the "experience-cs-admin" role permission to
create projects. I've added examples to the "Creating a project" feature
spec to check this works as intended.

Note that I've had to add support for `User#roles` to
`UserProfileMock#user_to_hash` for the new examples that I've added to
the feature spec.
diff --git a/app/models/ability.rb b/app/models/ability.rb
@@ -14,6 +14,8 @@ def initialize(user)
       define_school_teacher_abilities(user:, school:) if user.school_teacher?(school)
       define_school_owner_abilities(school:) if user.school_owner?(school)
     end
+
+    define_experience_cs_admin_abilities(user)
   end
 
   private
@@ -100,6 +102,12 @@ def define_school_student_abilities(user:, school:)
     can(%i[show_finished set_finished], SchoolProject, project: { user_id: user.id, lesson_id: nil }, school_id: school.id)
   end
 
+  def define_experience_cs_admin_abilities(user)
+    return unless user&.experience_cs_admin?
+
+    can :create, Project
+  end
+
   def school_teacher_can_manage_lesson?(user:, school:, lesson:)
     is_my_lesson = lesson.school_id == school.id && lesson.user_id == user.id
     is_my_class = lesson.school_class&.teacher_ids&.include?(user.id)
diff --git a/spec/features/project/creating_a_project_spec.rb b/spec/features/project/creating_a_project_spec.rb
@@ -207,4 +207,48 @@
       expect(response).to have_http_status(:forbidden)
     end
   end
+
+  context 'when the user is an Experience CS admin' do
+    let(:experience_cs_admin) { create(:experience_cs_admin_user) }
+    let(:params) do
+      {
+        project: {
+          name: 'Test Project',
+          locale: 'fr',
+          project_type: Project::Types::SCRATCH,
+          components: []
+        }
+      }
+    end
+
+    before do
+      authenticated_in_hydra_as(experience_cs_admin)
+    end
+
+    it 'responds 201 Created' do
+      post('/api/projects', headers:, params:)
+      expect(response).to have_http_status(:created)
+    end
+
+    it 'sets the project name to the specified value' do
+      post('/api/projects', headers:, params:)
+      data = JSON.parse(response.body, symbolize_names: true)
+
+      expect(data[:name]).to eq('Test Project')
+    end
+
+    it 'sets the project locale to the specified value' do
+      post('/api/projects', headers:, params:)
+      data = JSON.parse(response.body, symbolize_names: true)
+
+      expect(data[:locale]).to eq('fr')
+    end
+
+    it 'sets the project type to the specified value' do
+      post('/api/projects', headers:, params:)
+      data = JSON.parse(response.body, symbolize_names: true)
+
+      expect(data[:project_type]).to eq(Project::Types::SCRATCH)
+    end
+  end
 end
diff --git a/spec/models/ability_spec.rb b/spec/models/ability_spec.rb
@@ -29,6 +29,8 @@
         it { is_expected.not_to be_able_to(:update, project) }
         it { is_expected.not_to be_able_to(:destroy, project) }
       end
+
+      it { is_expected.not_to be_able_to(:create, :Project) }
     end
 
     context 'with a standard user' do
@@ -56,6 +58,8 @@
         it { is_expected.not_to be_able_to(:update, another_project) }
         it { is_expected.not_to be_able_to(:destroy, another_project) }
       end
+
+      it { is_expected.not_to be_able_to(:create, :Project) }
     end
 
     context 'with a teacher' do
@@ -83,6 +87,8 @@
         it { is_expected.not_to be_able_to(:update, another_project) }
         it { is_expected.not_to be_able_to(:destroy, another_project) }
       end
+
+      it { is_expected.not_to be_able_to(:create, :Project) }
     end
 
     context 'with an owner' do
@@ -110,6 +116,8 @@
         it { is_expected.not_to be_able_to(:update, another_project) }
         it { is_expected.not_to be_able_to(:destroy, another_project) }
       end
+
+      it { is_expected.not_to be_able_to(:create, :Project) }
     end
 
     context 'with a student' do
@@ -137,6 +145,14 @@
         it { is_expected.not_to be_able_to(:update, another_project) }
         it { is_expected.not_to be_able_to(:destroy, another_project) }
       end
+
+      it { is_expected.not_to be_able_to(:create, :Project) }
+    end
+
+    context 'with an experience-cs admin' do
+      let(:user) { build(:experience_cs_admin_user) }
+
+      it { is_expected.to be_able_to(:create, Project) }
     end
 
     # rubocop:disable RSpec/MultipleMemoizedHelpers
diff --git a/spec/support/user_profile_mock.rb b/spec/support/user_profile_mock.rb
@@ -31,7 +31,8 @@ def user_to_hash(user, user_type, id_field = :id)
       id_field => user_type ? "#{user_type}:#{user.id}" : user.id,
       name: user.name,
       email: user.email,
-      username: user.username
+      username: user.username,
+      roles: user.roles
     }
   end
 

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,8 @@ def user_to_hash(user, user_type, id_field = :id)`
`31`	`31`	`id_field => user_type ? "#{user_type}:#{user.id}" : user.id,`
`32`	`32`	`name: user.name,`
`33`	`33`	`email: user.email,`
`34`		`- username: user.username`
	`34`	`+ username: user.username,`
	`35`	`+ roles: user.roles`
`35`	`36`	`}`
`36`	`37`	`end`
`37`	`38`