Students unable to update their own projects (#447)

closes #446

---------

Co-authored-by: create-issue-branch[bot] <53036503+create-issue-branch[bot]@users.noreply.github.com>
Co-authored-by: Dan Halson <[email protected]>

Author: create-issue-branch[bot]

app/models/ability.rb

@@ -68,7 +68,6 @@ def define_school_owner_abilities(school:)
     can(%i[read create create_batch update destroy], :school_student)
     can(%i[create create_copy], Lesson, school_id: school.id)
     can(%i[read update destroy], Lesson, school_id: school.id, visibility: %w[teachers students public])
-    can(%i[create], Project, school_id: school.id)
   end
 
   def define_school_teacher_abilities(user:, school:)
@@ -88,7 +87,7 @@ def define_school_teacher_abilities(user:, school:)
     can(%i[create], Project) do |project|
       school_teacher_can_manage_project?(user:, school:, project:)
     end
-    can(%i[read], Project, school_id: school.id, lesson: { visibility: %w[teachers students] })
+    can(%i[read update], Project, school_id: school.id, lesson: { visibility: %w[teachers students] })
     can(%i[read], Project,
         remixed_from_id: Project.where(user_id: user.id, school_id: school.id, remixed_from_id: nil).pluck(:id))
   end
@@ -98,7 +97,7 @@ def define_school_student_abilities(user:, school:)
     can(%i[read], SchoolClass, school: { id: school.id }, members: { student_id: user.id })
     # Ensure no access to ClassMember resources, relationships otherwise allow access in some circumstances.
     can(%i[read], Lesson, school_id: school.id, visibility: 'students', school_class: { members: { student_id: user.id } })
-    can(%i[create], Project, school_id: school.id, user_id: user.id, lesson_id: nil)
+    can(%i[read create update], Project, school_id: school.id, user_id: user.id, lesson_id: nil)
     can(%i[read], Project, lesson: { school_id: school.id, school_class: { members: { student_id: user.id } } })
     can(%i[toggle_finished], Project) do |project|
       school_student_can_toggle_finished?(user:, school:, project:)

spec/features/project/creating_a_project_spec.rb

@@ -4,7 +4,7 @@
 
 RSpec.describe 'Creating a project', type: :request do
   before do
-    authenticated_in_hydra_as(owner)
+    authenticated_in_hydra_as(teacher)
     mock_phrase_generation
   end
 
@@ -118,6 +118,7 @@
   context 'when the project is associated with a lesson' do
     let(:school) { create(:school) }
     let(:lesson) { create(:lesson, school:, user_id: teacher.id) }
+    let(:lesson_created_by_owner) { create(:lesson, school:, user_id: owner.id) }
     let(:teacher) { create(:teacher, school:) }
 
     let(:params) do
@@ -147,7 +148,16 @@
 
     it 'responds 422 Unprocessable when when the user_id is not the owner of the lesson' do
       user_id = SecureRandom.uuid
-      new_params = { project: params[:project].merge(user_id:) }
+      project = {
+        project: {
+          name: 'Test Project',
+          components: [],
+          school_id: school.id,
+          lesson_id: lesson_created_by_owner.id,
+          user_id: teacher.id
+        }
+      }
+      new_params = { project: project.merge(user_id:) }
 
       post('/api/projects', headers:, params: new_params)
       expect(response).to have_http_status(:unprocessable_entity)

spec/models/ability_spec.rb

@@ -11,7 +11,7 @@
   let(:starter_project) { build(:project, user_id: nil) }
 
   describe 'Project' do
-    context 'when no user' do
+    context 'with no user' do
       let(:user) { nil }
 
       context 'with a starter project' do
@@ -31,7 +31,7 @@
       end
     end
 
-    context 'when user present' do
+    context 'with a standard user' do
       let(:user) { build(:user, id: user_id) }
       let(:another_project) { build(:project) }
 
@@ -58,8 +58,89 @@
       end
     end
 
+    context 'with a teacher' do
+      let(:user) { build(:teacher, id: user_id) }
+      let(:another_project) { build(:project) }
+
+      context 'with a starter project' do
+        it { is_expected.not_to be_able_to(:index, starter_project) }
+        it { is_expected.to be_able_to(:show, starter_project) }
+        it { is_expected.not_to be_able_to(:create, starter_project) }
+        it { is_expected.not_to be_able_to(:update, starter_project) }
+        it { is_expected.not_to be_able_to(:destroy, starter_project) }
+      end
+
+      context 'with own project' do
+        it { is_expected.to be_able_to(:read, project) }
+        it { is_expected.to be_able_to(:create, project) }
+        it { is_expected.to be_able_to(:update, project) }
+        it { is_expected.to be_able_to(:destroy, project) }
+      end
+
+      context 'with another user\'s project' do
+        it { is_expected.not_to be_able_to(:read, another_project) }
+        it { is_expected.not_to be_able_to(:create, another_project) }
+        it { is_expected.not_to be_able_to(:update, another_project) }
+        it { is_expected.not_to be_able_to(:destroy, another_project) }
+      end
+    end
+
+    context 'with an owner' do
+      let(:user) { build(:owner, id: user_id) }
+      let(:another_project) { build(:project) }
+
+      context 'with a starter project' do
+        it { is_expected.not_to be_able_to(:index, starter_project) }
+        it { is_expected.to be_able_to(:show, starter_project) }
+        it { is_expected.not_to be_able_to(:create, starter_project) }
+        it { is_expected.not_to be_able_to(:update, starter_project) }
+        it { is_expected.not_to be_able_to(:destroy, starter_project) }
+      end
+
+      context 'with own project' do
+        it { is_expected.to be_able_to(:read, project) }
+        it { is_expected.to be_able_to(:create, project) }
+        it { is_expected.to be_able_to(:update, project) }
+        it { is_expected.to be_able_to(:destroy, project) }
+      end
+
+      context 'with another user\'s project' do
+        it { is_expected.not_to be_able_to(:read, another_project) }
+        it { is_expected.not_to be_able_to(:create, another_project) }
+        it { is_expected.not_to be_able_to(:update, another_project) }
+        it { is_expected.not_to be_able_to(:destroy, another_project) }
+      end
+    end
+
+    context 'with a student' do
+      let(:user) { build(:student, id: user_id) }
+      let(:another_project) { build(:project) }
+
+      context 'with a starter project' do
+        it { is_expected.not_to be_able_to(:index, starter_project) }
+        it { is_expected.to be_able_to(:show, starter_project) }
+        it { is_expected.not_to be_able_to(:create, starter_project) }
+        it { is_expected.not_to be_able_to(:update, starter_project) }
+        it { is_expected.not_to be_able_to(:destroy, starter_project) }
+      end
+
+      context 'with own project' do
+        it { is_expected.to be_able_to(:read, project) }
+        it { is_expected.to be_able_to(:create, project) }
+        it { is_expected.to be_able_to(:update, project) }
+        it { is_expected.to be_able_to(:destroy, project) }
+      end
+
+      context 'with another user\'s project' do
+        it { is_expected.not_to be_able_to(:read, another_project) }
+        it { is_expected.not_to be_able_to(:create, another_project) }
+        it { is_expected.not_to be_able_to(:update, another_project) }
+        it { is_expected.not_to be_able_to(:destroy, another_project) }
+      end
+    end
+
     # rubocop:disable RSpec/MultipleMemoizedHelpers
-    context 'when the project belongs to a school and the associated lesson is not private' do
+    context 'with a teachers project where the lesson is visible to students' do
       let(:user) { create(:user) }
       let(:school) { create(:school) }
       let(:teacher) { create(:teacher, school:) }
@@ -73,6 +154,7 @@
         end
 
         it { is_expected.to be_able_to(:read, school_project) }
+        it { is_expected.not_to be_able_to(:create, school_project) }
         it { is_expected.not_to be_able_to(:update, school_project) }
         it { is_expected.not_to be_able_to(:toggle_finished, school_project) }
         it { is_expected.not_to be_able_to(:destroy, school_project) }
@@ -84,36 +166,41 @@
         end
 
         it { is_expected.to be_able_to(:read, school_project) }
-        it { is_expected.not_to be_able_to(:update, school_project) }
+        it { is_expected.not_to be_able_to(:create, school_project) }
+        it { is_expected.to be_able_to(:update, school_project) }
         it { is_expected.not_to be_able_to(:toggle_finished, school_project) }
         it { is_expected.not_to be_able_to(:destroy, school_project) }
       end
 
-      context 'when user is a school student and belongs to a class' do
+      context 'when user is a school student and belongs to the teachers class' do
         before do
           create(:student_role, user_id: user.id, school:)
           create(:class_member, school_class:, student_id: user.id)
         end
 
         it { is_expected.to be_able_to(:read, school_project) }
+        it { is_expected.not_to be_able_to(:create, school_project) }
         it { is_expected.not_to be_able_to(:update, school_project) }
         it { is_expected.not_to be_able_to(:toggle_finished, school_project) }
         it { is_expected.not_to be_able_to(:destroy, school_project) }
       end
 
-      context 'when user is a school student and does not belong to a class' do
+      context 'when user is a school student and does not belong to the teachers class' do
         before do
           create(:student_role, user_id: user.id, school:)
         end
 
         it { is_expected.not_to be_able_to(:read, school_project) }
+        it { is_expected.not_to be_able_to(:create, school_project) }
         it { is_expected.not_to be_able_to(:update, school_project) }
         it { is_expected.not_to be_able_to(:toggle_finished, school_project) }
         it { is_expected.not_to be_able_to(:destroy, school_project) }
       end
     end
 
-    context 'when the project belongs to a student' do
+    # TODO: Handle other visibilities
+
+    context 'with a remix of a teachers project' do
       let(:school) { create(:school) }
       let(:student) { create(:student, school:) }
       let(:teacher) { create(:teacher, school:) }
@@ -126,13 +213,18 @@
       context 'when user is the student' do
         let(:user) { student }
 
+        it { is_expected.to be_able_to(:read, remixed_project) }
+        it { is_expected.to be_able_to(:create, remixed_project) }
+        it { is_expected.to be_able_to(:update, remixed_project) }
+        it { is_expected.not_to be_able_to(:destroy, remixed_project) }
         it { is_expected.to be_able_to(:toggle_finished, remixed_project) }
       end
 
       context 'when user is teacher that does not own the orginal project' do
         let(:user) { create(:teacher, school:) }
 
         it { is_expected.not_to be_able_to(:read, remixed_project) }
+        it { is_expected.not_to be_able_to(:create, remixed_project) }
         it { is_expected.not_to be_able_to(:update, remixed_project) }
         it { is_expected.not_to be_able_to(:destroy, remixed_project) }
         it { is_expected.not_to be_able_to(:toggle_finished, remixed_project) }
@@ -142,6 +234,7 @@
         let(:user) { teacher }
 
         it { is_expected.to be_able_to(:read, remixed_project) }
+        it { is_expected.not_to be_able_to(:create, remixed_project) }
         it { is_expected.not_to be_able_to(:update, remixed_project) }
         it { is_expected.not_to be_able_to(:destroy, remixed_project) }
         it { is_expected.not_to be_able_to(:toggle_finished, remixed_project) }