Reduce logged in students abilities (#427)

## Status

- Related to
https://github.com/RaspberryPiFoundation/editor-standalone/issues/335

## What's changed?

- Ensure from an API perspective students are unable to perform
project/component calls that aren't assigned to a school (i.e. only
assigned to their `user_id`)
- Remove capability to create a school or lesson
- Slight abilities refactor for readability

Limitations are in place on the frontend but this change ensures its
also not possible from the backend too

Author: sra405

app/models/ability.rb

@@ -4,22 +4,34 @@ class Ability
   include CanCan::Ability
 
   def initialize(user)
-    # Anyone can view projects not owner by a user or a school.
+    define_common_non_student_abilities(user)
+
+    return unless user
+
+    define_authenticated_non_student_abilities(user)
+
+    user.schools.each do |school|
+      define_school_student_abilities(user:, school:) if user.school_student?(school)
+      define_school_teacher_abilities(user:, school:) if user.school_teacher?(school)
+      define_school_owner_abilities(school:) if user.school_owner?(school)
+    end
+  end
+
+  private
+
+  def define_common_non_student_abilities(user)
+    return if user&.student?
+
+    # Anyone can view projects not owned by a user or a school.
     can :show, Project, user_id: nil, school_id: nil
     can :show, Component, project: { user_id: nil, school_id: nil }
 
     # Anyone can read publicly shared lessons.
     can :read, Lesson, visibility: 'public'
+  end
 
-    return unless user
-
-    # Any authenticated user can create projects not owned by a school.
-    can :create, Project, user_id: user.id, school_id: nil
-    can :create, Component, project: { user_id: user.id, school_id: nil }
-
-    # Any authenticated user can manage their own projects.
-    can %i[read update destroy], Project, user_id: user.id
-    can %i[read update destroy], Component, project: { user_id: user.id }
+  def define_authenticated_non_student_abilities(user)
+    return if user&.student?
 
     # Any authenticated user can create a school. They agree to become the school-owner.
     can :create, School
@@ -34,16 +46,16 @@ def initialize(user)
     can :create_copy, Lesson, visibility: 'public'
 
     # Any authenticated user can manage their own lessons.
-    can %i[read create_copy update destroy], Lesson, user_id: user.id
+    can %i[read create_copy update destroy], Lesson, user_id: user.id, school_id: nil
 
-    user.schools.each do |school|
-      define_school_student_abilities(user:, school:) if user.school_student?(school)
-      define_school_teacher_abilities(user:, school:) if user.school_teacher?(school)
-      define_school_owner_abilities(school:) if user.school_owner?(school)
-    end
-  end
+    # Any authenticated user can create projects not owned by a school.
+    can :create, Project, user_id: user.id, school_id: nil
+    can :create, Component, project: { user_id: user.id, school_id: nil }
 
-  private
+    # Any authenticated user can manage their own projects.
+    can %i[read update destroy], Project, user_id: user.id
+    can %i[read update destroy], Component, project: { user_id: user.id }
+  end
 
   def define_school_owner_abilities(school:)
     can(%i[read update destroy], School, id: school.id)
@@ -69,7 +81,7 @@ def define_school_teacher_abilities(user:, school:)
     can(%i[read], :school_owner)
     can(%i[read], :school_teacher)
     can(%i[read create create_batch update], :school_student)
-    can(%i[create destroy], Lesson) do |lesson|
+    can(%i[create update destroy], Lesson) do |lesson|
       school_teacher_can_manage_lesson?(user:, school:, lesson:)
     end
     can(%i[read create_copy], Lesson, school_id: school.id, visibility: %w[teachers students])

app/models/user.rb

@@ -46,6 +46,10 @@ def school_student?(school)
     Role.student.find_by(school:, user_id: id)
   end
 
+  def student?
+    Role.student.exists?(user_id: id)
+  end
+
   def admin?
     (roles&.to_s&.split(',')&.map(&:strip) || []).include?('editor-admin')
   end

spec/models/ability_spec.rb

@@ -245,6 +245,22 @@
       it { is_expected.to be_able_to(:read, school) }
       it { is_expected.not_to be_able_to(:update, school) }
       it { is_expected.not_to be_able_to(:destroy, school) }
+
+      context 'with a starter project' do
+        it { is_expected.not_to be_able_to(:index, starter_project) }
+        it { is_expected.not_to be_able_to(:show, starter_project) }
+        it { is_expected.not_to be_able_to(:create, starter_project) }
+        it { is_expected.not_to be_able_to(:update, starter_project) }
+        it { is_expected.not_to be_able_to(:destroy, starter_project) }
+      end
+
+      context 'with an owned project' do
+        it { is_expected.not_to be_able_to(:index, project) }
+        it { is_expected.not_to be_able_to(:show, project) }
+        it { is_expected.not_to be_able_to(:create, project) }
+        it { is_expected.not_to be_able_to(:update, project) }
+        it { is_expected.not_to be_able_to(:destroy, project) }
+      end
     end
   end
 

spec/models/user_spec.rb

@@ -261,6 +261,22 @@
     end
   end
 
+  describe '#student?' do
+    subject(:user) { create(:user) }
+
+    let(:school) { create(:school) }
+
+    it 'returns true when the user has a student role' do
+      create(:student_role, school:, user_id: user.id)
+      expect(user).to be_student
+    end
+
+    it 'returns false when the user does not have a student role' do
+      create(:owner_role, school:, user_id: user.id)
+      expect(user).not_to be_student
+    end
+  end
+
   describe '#admin?' do
     it 'returns true if the user has the editor-admin role in Hydra' do
       user = build(:user, roles: 'editor-admin')