enrollments API requires pseudonym on course's root account

jstanley0 · jstanley0 · commit 10566575a064 · 2014-04-04T20:27:19.000Z
in order to enroll a user in a course via the API, the user being enrolled must have an active pseudonym that works with the course's root account. test plan: - an account administrator or site administrator should receive a user-not-found (status 404) error when trying to use the API to enroll a user in a course where the user does not have a login in the course's root account (i.e., the user "belongs to a different institution"), AND the course's root account is _not_ the default account (since the default account trusts everybody; this allows anyone to enroll in FFT courses) - you should be able to create an Observer via the course's people page and link that observer to students in the course before creating a login for the observer. fixes CNVS-12020 Change-Id: Ib058d9b78830347e6fadfdc86bf4325aa557c325 Reviewed-on: https://gerrit.instructure.com/32374 Reviewed-by: Brian Palmer <brianp@instructure.com> Reviewed-by: Rob Orton <rob@instructure.com> Tested-by: Jenkins <jenkins@instructure.com> QA-Review: Matt Fairbourn <mfairbourn@instructure.com> Product-Review: Jeremy Stanley <jeremy@instructure.com>
diff --git a/app/controllers/enrollments_api_controller.rb b/app/controllers/enrollments_api_controller.rb
@@ -325,7 +325,9 @@ def create
     if params[:enrollment][:course_section_id].present?
       params[:enrollment][:section] = @context.course_sections.active.find params[:enrollment].delete(:course_section_id)
     end
-    user = api_find(User, params[:enrollment].delete(:user_id))
+    api_user_id = params[:enrollment].delete(:user_id)
+    user = api_find(User, api_user_id)
+    raise(ActiveRecord::RecordNotFound, "Couldn't find User with API id '#{api_user_id}'") unless user.can_be_enrolled_in_course?(@context)
     @enrollment = @context.enroll_user(user, type, params[:enrollment].merge(:allow_multiple_enrollments => true))
     @enrollment.valid? ?
       render(:json => enrollment_json(@enrollment, @current_user, session)) :
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -2314,6 +2314,11 @@ def can_create_enrollment_for?(course, session, type)
     can_add
   end
 
+  def can_be_enrolled_in_course?(course)
+    !!find_pseudonym_for_account(course.root_account, true) ||
+        (self.creation_pending? && self.enrollments.where(course_id: course).exists?)
+  end
+
   def group_member_json(context)
     h = { :user_id => self.id, :name => self.last_name_first, :display_name => self.short_name }
     if context && context.is_a?(Course)
diff --git a/spec/apis/v1/enrollments_api_spec.rb b/spec/apis/v1/enrollments_api_spec.rb
@@ -23,7 +23,7 @@
   describe "enrollment creation" do
     context "an admin user" do
       before do
-        site_admin_user(:active_all => true)
+        account_admin_user(:active_all => true)
         course(:active_course => true)
         @unenrolled_user = user_with_pseudonym
         @section         = @course.course_sections.create!
@@ -242,6 +242,12 @@
         JSON.parse(response.body)['message'].should eql 'Can\'t add an enrollment to a concluded course.'
       end
 
+      it "should not enroll a user lacking a pseudonym on the course's account" do
+        foreign_user = user
+        api_call_as_user @admin, :post, @path, @path_options, { :enrollment => { :user_id => foreign_user.id } }, {},
+                 { expected_status: 404 }
+      end
+
       context "custom course-level roles" do
         before :each do
           @course_role = @course.root_account.roles.build(:name => 'newrole')
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
@@ -1449,6 +1449,34 @@ def search_messageable_users(viewing_user, *args)
     end
   end
 
+  describe "can_be_enrolled_in_course?" do
+    before do
+      course active_all: true
+    end
+
+    it "should allow a user with a pseudonym in the course's root account" do
+      user_with_pseudonym account: @course.root_account, active_all: true
+      @user.can_be_enrolled_in_course?(@course).should be_true
+    end
+
+    it "should allow a temporary user with an existing enrollment but no pseudonym" do
+      @user = User.create! { |u| u.workflow_state = 'creation_pending' }
+      @course.enroll_student(@user)
+      @user.can_be_enrolled_in_course?(@course).should be_true
+    end
+
+    it "should not allow a registered user with an existing enrollment but no pseudonym" do
+      user active_all: true
+      @course.enroll_student(@user)
+      @user.can_be_enrolled_in_course?(@course).should be_false
+    end
+
+    it "should not allow a user with neither an enrollment nor a pseudonym" do
+      user active_all: true
+      @user.can_be_enrolled_in_course?(@course).should be_false
+    end
+  end
+
   describe "email_channel" do
     it "should not return retired channels" do
       u = User.create!
diff --git a/spec/selenium/people_settings_spec.rb b/spec/selenium/people_settings_spec.rb
@@ -90,7 +90,7 @@ def remove_user(user, role = nil)
     end
 
     def add_user_to_second_section(role_name=nil)
-      student_in_course(:role_name => role_name)
+      student_in_course(:user => user_with_pseudonym, :role_name => role_name)
       section_name = 'Another Section'
       add_section(section_name)
       # open tab
@@ -150,7 +150,7 @@ def use_edit_sections_dialog(user, role = nil)
 
     it "should deal with observers linked to multiple students" do
       students = []
-      obs = user_model(:name => "The Observer")
+      obs = user_with_pseudonym(:name => "The Observer")
       2.times do |i|
         student_in_course(:name => "Student #{i}")
         students << @student
@@ -211,7 +211,7 @@ def use_edit_sections_dialog(user, role = nil)
         send "custom_#{et}_role", "custom"
         send "course_with_#{et}", :course => @course, :active_all => true, :custom_role => 'custom'
         user_session @user
-        student_in_course :course => @course, :role_name => 'custom stu'
+        student_in_course :user => user_with_pseudonym, :course => @course, :role_name => 'custom stu'
 
         go_to_people_page
 
@@ -232,7 +232,7 @@ def use_edit_sections_dialog(user, role = nil)
     context "multiple enrollments" do
       it "should link an observer enrollment when other enrollment types exist" do
         course_with_student :course => @course, :active_all => true, :name => 'teh student'
-        course_with_ta :course => @course, :active_all => true
+        course_with_ta :user => user_with_pseudonym, :course => @course, :active_all => true
         course_with_observer :course => @course, :active_all => true, :user => @ta
 
         go_to_people_page
