restrict "recent messages" on old roster user page to instructors

maneframe · maneframe · commit 2bdb4f2a01b4 · 2016-09-14T20:00:16.000Z
it's leaky and slow and old and hopefully won't be missed also don't do all the calculations when profiles is enabled test plan: * make sure Profiles are not enabled on the root account * create a course with a discussion topic * post to the topic as a student * as a different student, visit the poster's course roster user page (i.e. click on their name on the course roster) * the "Recent Messages" should not be shown there (and possibly leak hidden discussion posts _gasp_) closes #CNVS-24111 Change-Id: Ifd954f32478796bbcdebe075cea84cb95d03a368 Reviewed-on: https://gerrit.instructure.com/89563 Tested-by: Jenkins Reviewed-by: Jeremy Stanley <jeremy@instructure.com> QA-Review: Deepeeca Soundarrajan <dsoundarrajan@instructure.com> Product-Review: Chris Ward <cward@instructure.com>
diff --git a/app/controllers/context_controller.rb b/app/controllers/context_controller.rb
@@ -329,16 +329,7 @@ def roster_user
         return
       end
 
-      @topics = @context.discussion_topics.active.reject{|a| a.locked_for?(@current_user, :check_policies => true) }
-      @entries = []
-      @topics.each do |topic|
-        @entries << topic if topic.user_id == @user.id
-        @entries.concat topic.discussion_entries.active.where(user_id: @user)
-      end
-      @entries = @entries.sort_by {|e| e.created_at }
       @enrollments = @context.enrollments.for_user(@user) rescue []
-      @messages = @entries
-      @messages = @messages.select{|m| m.grants_right?(@current_user, session, :read) }.sort_by{|e| e.created_at }.reverse
 
       if @domain_root_account.enable_profiles?
         @user_data = profile_data(
@@ -350,6 +341,19 @@ def roster_user
         render :new_roster_user
         return false
       end
+
+      if @user.grants_right?(@current_user, session, :read_profile)
+        # self and instructors
+        @topics = @context.discussion_topics.active.reject{|a| a.locked_for?(@current_user, :check_policies => true) }
+        @messages = []
+        @topics.each do |topic|
+          @messages << topic if topic.user_id == @user.id
+        end
+        @messages += DiscussionEntry.active.where(:discussion_topic_id => @topics, :user_id => @user).to_a
+
+        @messages = @messages.select{|m| m.grants_right?(@current_user, session, :read) }.sort_by{|e| e.created_at }.reverse
+      end
+
       true
     end
   end
diff --git a/app/views/context/roster_user.html.erb b/app/views/context/roster_user.html.erb
@@ -176,12 +176,14 @@
   </div>
 <% end %>
 
+<% if @messages %>
 <h2><%= t('headings.recent_messages', %{Recent Messages}) %></h2>
 <%= t('no_messages', "No Messages") if @messages.empty? %>
 <% @messages[0,10].each do |message| %>
   <% if message.is_a?(DiscussionEntry) %>
     <%= render :partial => 'discussion_topics/entry', :object => message, :locals => {:out_of_context => true, :show_context => true, :assignment_visible_to_user => message.discussion_topic.visible_for?(@current_user)} %>
   <% end %>
 <% end %>
+<% end %>
 
 <% js_bundle 'legacy/context_roster_user' %>
diff --git a/spec/controllers/context_controller_spec.rb b/spec/controllers/context_controller_spec.rb
@@ -93,7 +93,7 @@
     end
 
     it "should assign variables" do
-      user_session(@student)
+      user_session(@teacher)
       @enrollment = @course.enroll_student(user(:active_all => true))
       @enrollment.accept!
       @student = @enrollment.user
@@ -103,7 +103,7 @@
       expect(assigns[:user]).not_to be_nil
       expect(assigns[:user]).to eql(@student)
       expect(assigns[:topics]).not_to be_nil
-      expect(assigns[:entries]).not_to be_nil
+      expect(assigns[:messages]).not_to be_nil
     end
 
     describe 'across shards' do
