fix: use unique perms for scorm test retrieval

thoth-tech · Jul 2, 2024 · 08a0090 · 08a0090
1 parent 5db5f35
commit 08a0090
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 11 deletions.
diff --git a/app/api/authentication_api.rb b/app/api/authentication_api.rb
@@ -373,8 +373,8 @@ class AuthenticationApi < Grape::API
   desc 'Get SCORM authentication token'
   get '/auth/scorm' do
     if authenticated?
-      unless authorise? current_user, User, :get_scorm_test
-        error!({ error: 'You cannot access SCORM tests' }, 403)
+      unless authorise? current_user, User, :get_scorm_token
+        error!({ error: 'You cannot get SCORM tokens' }, 403)
       end
 
       token = current_user.auth_tokens.find_by(token_type: 'scorm')

diff --git a/app/api/scorm_api.rb b/app/api/scorm_api.rb
@@ -53,12 +53,13 @@ def stream_file_from_zip(zip_path, file_path)
     requires :task_def_id, type: Integer, desc: 'Task Definition ID to get SCORM test data for'
   end
   get '/scorm/:task_def_id/:username/:auth_token/*file_path' do
-    unless authorise? current_user, User, :get_scorm_test
-      error!({ error: 'You cannot access SCORM tests' }, 403)
+    task_def = TaskDefinition.find(params[:task_def_id])
+
+    unless authorise? current_user, task_def.unit, :get_unit
+      error!({ error: 'You cannot access SCORM tests of unit' }, 403)
     end
 
     env['api.format'] = :txt
-    task_def = TaskDefinition.find(params[:task_def_id])
     if task_def.has_scorm_data?
       zip_path = task_def.task_scorm_data
       content_type 'application/octet-stream'

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -341,20 +341,22 @@ def self.permissions
       :convene_units,
       :get_staff_list,
       :get_teaching_periods,
-      :use_overseer
+      :use_overseer,
+      :get_scorm_token
     ]
 
     # What can tutors do with users?
     tutor_role_permissions = [
       :get_unit_roles,
       :download_unit_csv,
-      :get_teaching_periods
+      :get_teaching_periods,
+      :get_scorm_token
     ]
 
     # What can students do with users?
     student_role_permissions = [
       :get_teaching_periods,
-      :get_scorm_test
+      :get_scorm_token
     ]
 
     # Return the permissions hash

diff --git a/test/api/auth_test.rb b/test/api/auth_test.rb
@@ -270,9 +270,9 @@ def test_token_signout_works_with_multiple
   # # SCORM auth test
 
   def test_scorm_auth
-    tutor = FactoryBot.create(:user, :tutor)
+    admin = FactoryBot.create(:user, :admin)
 
-    add_auth_header_for(user: tutor)
+    add_auth_header_for(user: admin)
 
     # When user is unauthorised
     get "api/auth/scorm"

diff --git a/test/api/scorm_api_test.rb b/test/api/scorm_api_test.rb
@@ -66,7 +66,6 @@ def test_serve_scorm_content
     assert_equal 'text/javascript', last_response.content_type
 
     tutor = FactoryBot.create(:user, :tutor, username: :test_tutor)
-    unit.employ_staff(tutor, Role.tutor)
 
     # When the user is unauthorised
     get "/api/scorm/#{td.id}/#{tutor.username}/#{auth_token(tutor)}/index.html"