Enable classes to be loaded from school and class codes (#525)

## Status

closes #517

Author: loiswells97

app/controllers/api/school_classes_controller.rb

@@ -3,8 +3,8 @@
 module Api
   class SchoolClassesController < ApiController
     before_action :authorize_user
-    load_and_authorize_resource :school
-    load_and_authorize_resource :school_class, through: :school, through_association: :classes
+    before_action :load_and_authorize_school
+    before_action :load_and_authorize_school_class
 
     def index
       school_classes = @school.classes.accessible_by(current_ability)
@@ -53,6 +53,29 @@ def destroy
 
     private
 
+    def load_and_authorize_school
+      @school = if params[:school_id].match?(/\d\d-\d\d-\d\d/)
+                  School.find_by(code: params[:school_id])
+                else
+                  School.find(params[:school_id])
+                end
+      authorize! :read, @school
+    end
+
+    def load_and_authorize_school_class
+      if %w[index create].include?(params[:action])
+        authorize! params[:action].to_sym, SchoolClass
+      else
+        @school_class = if params[:id].match?(/\d\d-\d\d-\d\d/)
+                          @school.classes.find_by(code: params[:id])
+                        else
+                          @school.classes.find(params[:id])
+                        end
+
+        authorize! params[:action].to_sym, @school_class
+      end
+    end
+
     def school_class_params
       # A school teacher may only create classes they own.
       params.require(:school_class).permit(:name, :description)

spec/features/school_class/showing_a_school_class_spec.rb

@@ -14,93 +14,192 @@
   let(:teacher) { create(:teacher, school:, name: 'School Teacher') }
   let(:owner) { create(:owner, school:) }
 
-  it 'responds 200 OK' do
-    get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
-    expect(response).to have_http_status(:ok)
-  end
+  context 'when school and class ids are provided' do
+    it 'responds 200 OK' do
+      get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
+      expect(response).to have_http_status(:ok)
+    end
 
-  it 'responds 200 OK when the user is the class teacher' do
-    authenticated_in_hydra_as(teacher)
+    it 'responds 200 OK when the user is the class teacher' do
+      authenticated_in_hydra_as(teacher)
 
-    get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
-    expect(response).to have_http_status(:ok)
-  end
+      get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
+      expect(response).to have_http_status(:ok)
+    end
 
-  it 'responds 200 OK when the user is a student in the class' do
-    student = create(:student, school:)
-    authenticated_in_hydra_as(student)
-    create(:class_student, school_class:, student_id: student.id)
+    it 'responds 200 OK when the user is a student in the class' do
+      student = create(:student, school:)
+      authenticated_in_hydra_as(student)
+      create(:class_student, school_class:, student_id: student.id)
 
-    get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
-    expect(response).to have_http_status(:ok)
-  end
+      get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
+      expect(response).to have_http_status(:ok)
+    end
 
-  it 'responds with the school class JSON' do
-    get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
-    data = JSON.parse(response.body, symbolize_names: true)
+    it 'responds with the school class JSON' do
+      get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
+      data = JSON.parse(response.body, symbolize_names: true)
 
-    expect(data[:name]).to eq('Test School Class')
-  end
+      expect(data[:name]).to eq('Test School Class')
+    end
 
-  it 'includes the school class code in the response' do
-    get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
-    data = JSON.parse(response.body, symbolize_names: true)
+    it 'includes the school class code in the response' do
+      get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
+      data = JSON.parse(response.body, symbolize_names: true)
 
-    expect(data[:code]).to eq(school_class.code)
-  end
+      expect(data[:code]).to eq(school_class.code)
+    end
 
-  it 'responds with the teacher JSON' do
-    get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
-    data = JSON.parse(response.body, symbolize_names: true)
+    it 'responds with the teacher JSON' do
+      get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
+      data = JSON.parse(response.body, symbolize_names: true)
 
-    expect(data[:teachers].first[:name]).to eq('School Teacher')
-  end
+      expect(data[:teachers].first[:name]).to eq('School Teacher')
+    end
 
-  it "responds with nil attributes for the teacher if their user profile doesn't exist" do
-    stub_user_info_api_for_unknown_users(user_id: teacher.id)
+    it "responds with nil attributes for the teacher if their user profile doesn't exist" do
+      stub_user_info_api_for_unknown_users(user_id: teacher.id)
 
-    get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
-    data = JSON.parse(response.body, symbolize_names: true)
+      get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
+      data = JSON.parse(response.body, symbolize_names: true)
 
-    expect(data[:teacher_name]).to be_nil
-  end
+      expect(data[:teacher_name]).to be_nil
+    end
 
-  it 'responds 404 Not Found when no school exists' do
-    get("/api/schools/not-a-real-id/classes/#{school_class.id}", headers:)
-    expect(response).to have_http_status(:not_found)
-  end
+    it 'responds 404 Not Found when no school exists' do
+      get("/api/schools/not-a-real-id/classes/#{school_class.id}", headers:)
+      expect(response).to have_http_status(:not_found)
+    end
 
-  it 'responds 404 Not Found when no school class exists' do
-    get("/api/schools/#{school.id}/classes/not-a-real-id", headers:)
-    expect(response).to have_http_status(:not_found)
-  end
+    it 'responds 404 Not Found when no school class exists' do
+      get("/api/schools/#{school.id}/classes/not-a-real-id", headers:)
+      expect(response).to have_http_status(:not_found)
+    end
 
-  it 'responds 401 Unauthorized when no token is given' do
-    get "/api/schools/#{school.id}/classes/#{school_class.id}"
-    expect(response).to have_http_status(:unauthorized)
-  end
+    it 'responds 401 Unauthorized when no token is given' do
+      get "/api/schools/#{school.id}/classes/#{school_class.id}"
+      expect(response).to have_http_status(:unauthorized)
+    end
 
-  it 'responds 403 Forbidden when the user is a school-owner for a different school' do
-    school = create(:school, id: SecureRandom.uuid)
-    school_class.update!(school_id: school.id)
+    it 'responds 403 Forbidden when the user is a school-owner for a different school' do
+      school = create(:school, id: SecureRandom.uuid)
+      school_class.update!(school_id: school.id)
 
-    get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
-    expect(response).to have_http_status(:forbidden)
-  end
+      get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
+      expect(response).to have_http_status(:forbidden)
+    end
+
+    it 'responds 403 Forbidden when the user is not the school-teacher for the class' do
+      teacher = create(:teacher, school:)
+      authenticated_in_hydra_as(teacher)
 
-  it 'responds 403 Forbidden when the user is not the school-teacher for the class' do
-    teacher = create(:teacher, school:)
-    authenticated_in_hydra_as(teacher)
+      get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
+      expect(response).to have_http_status(:forbidden)
+    end
 
-    get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
-    expect(response).to have_http_status(:forbidden)
+    it 'responds 403 Forbidden when the user is not a school-student for the class' do
+      student = create(:student, school:)
+      authenticated_in_hydra_as(student)
+
+      get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
+      expect(response).to have_http_status(:forbidden)
+    end
   end
 
-  it 'responds 403 Forbidden when the user is not a school-student for the class' do
-    student = create(:student, school:)
-    authenticated_in_hydra_as(student)
+  context 'when school and class codes are provided' do
+    before do
+      school.verify!
+    end
+
+    it 'responds 200 OK' do
+      get("/api/schools/#{school.code}/classes/#{school_class.code}", headers:)
+      expect(response).to have_http_status(:ok)
+    end
+
+    it 'responds 200 OK when the user is the class teacher' do
+      authenticated_in_hydra_as(teacher)
+
+      get("/api/schools/#{school.code}/classes/#{school_class.code}", headers:)
+      expect(response).to have_http_status(:ok)
+    end
+
+    it 'responds 200 OK when the user is a student in the class' do
+      student = create(:student, school:)
+      authenticated_in_hydra_as(student)
+      create(:class_student, school_class:, student_id: student.id)
+
+      get("/api/schools/#{school.code}/classes/#{school_class.code}", headers:)
+      expect(response).to have_http_status(:ok)
+    end
+
+    it 'responds with the school class JSON' do
+      get("/api/schools/#{school.code}/classes/#{school_class.code}", headers:)
+      data = JSON.parse(response.body, symbolize_names: true)
+
+      expect(data[:name]).to eq('Test School Class')
+    end
+
+    it 'includes the school class code in the response' do
+      get("/api/schools/#{school.code}/classes/#{school_class.code}", headers:)
+      data = JSON.parse(response.body, symbolize_names: true)
+
+      expect(data[:code]).to eq(school_class.code)
+    end
+
+    it 'responds with the teacher JSON' do
+      get("/api/schools/#{school.code}/classes/#{school_class.code}", headers:)
+      data = JSON.parse(response.body, symbolize_names: true)
+
+      expect(data[:teachers].first[:name]).to eq('School Teacher')
+    end
+
+    it "responds with nil attributes for the teacher if their user profile doesn't exist" do
+      stub_user_info_api_for_unknown_users(user_id: teacher.id)
+
+      get("/api/schools/#{school.code}/classes/#{school_class.code}", headers:)
+      data = JSON.parse(response.body, symbolize_names: true)
+
+      expect(data[:teacher_name]).to be_nil
+    end
+
+    it 'responds 404 Not Found when no school exists' do
+      get("/api/schools/not-a-real-code/classes/#{school_class.code}", headers:)
+      expect(response).to have_http_status(:not_found)
+    end
+
+    it 'responds 404 Not Found when no school class exists' do
+      get("/api/schools/#{school.code}/classes/not-a-real-code", headers:)
+      expect(response).to have_http_status(:not_found)
+    end
+
+    it 'responds 401 Unauthorized when no token is given' do
+      get "/api/schools/#{school.code}/classes/#{school_class.code}"
+      expect(response).to have_http_status(:unauthorized)
+    end
+
+    it 'responds 403 Forbidden when the user is a school-owner for a different school' do
+      school = create(:school, id: SecureRandom.uuid)
+      school.verify!
+      school_class.update!(school_id: school.id)
+
+      get("/api/schools/#{school.code}/classes/#{school_class.code}", headers:)
+      expect(response).to have_http_status(:forbidden)
+    end
+
+    it 'responds 403 Forbidden when the user is not the school-teacher for the class' do
+      teacher = create(:teacher, school:)
+      authenticated_in_hydra_as(teacher)
+
+      get("/api/schools/#{school.code}/classes/#{school_class.code}", headers:)
+      expect(response).to have_http_status(:forbidden)
+    end
+
+    it 'responds 403 Forbidden when the user is not a school-student for the class' do
+      student = create(:student, school:)
+      authenticated_in_hydra_as(student)
 
-    get("/api/schools/#{school.id}/classes/#{school_class.id}", headers:)
-    expect(response).to have_http_status(:forbidden)
+      get("/api/schools/#{school.code}/classes/#{school_class.code}", headers:)
+      expect(response).to have_http_status(:forbidden)
+    end
   end
 end