ensure id is valid in grade summary page

cameronsutter · cameronsutter · commit 669ba4ffe91a · 2014-01-30T21:05:23.000Z
fixes CNVS-1869 test plan: - as a teacher, go to a student's grade summary page - in the url, replace the student's id with 'banana' or 'lqw' (e.g. /courses/1/grades/banana) - you should get a Page Not Found error page - navigate to /courses/:id/grades and the page should redirect you to gradebook Change-Id: Ic7d2b3de463615957a8d4178544ab19b7e651f60 Reviewed-on: https://gerrit.instructure.com/29215 Tested-by: Jenkins <jenkins@instructure.com> QA-Review: Caleb Guanzon <cguanzon@instructure.com> Reviewed-by: Simon Williams <simon@instructure.com> Product-Review: Simon Williams <simon@instructure.com>
diff --git a/app/controllers/rubric_assessments_controller.rb b/app/controllers/rubric_assessments_controller.rb
@@ -79,7 +79,7 @@ def update
     # only check if there's no @assessment object, since that's the only time
     # this param matters (assessing_user_id and arg find_asset_for_assessment)
     user_id = params[:rubric_assessment][:user_id]
-    if !@assessment && user_id !~ /\A\d+\Z/
+    if !@assessment && user_id !~ Api::ID_REGEX
       raise ActiveRecord::RecordNotFound
     end
 
diff --git a/app/controllers/rubrics_controller.rb b/app/controllers/rubrics_controller.rb
@@ -33,7 +33,7 @@ def index
 
   def show
     return unless authorized_action(@context, @current_user, :manage)
-    if (id = params[:id]) =~ /\A\d+\Z/
+    if (id = params[:id]) =~ Api::ID_REGEX
       js_env :ROOT_OUTCOME_GROUP => get_root_outcome
       @rubric_association = @context.rubric_associations.bookmarked.find_by_rubric_id(params[:id])
       raise ActiveRecord::RecordNotFound unless @rubric_association
diff --git a/app/presenters/grade_summary_presenter.rb b/app/presenters/grade_summary_presenter.rb
@@ -60,6 +60,7 @@ def selectable_courses
   def student_enrollment
     @student_enrollment ||= begin
       if @id_param # always use id if given
+        validate_id
         user_id = Shard.relative_id_for(@id_param, @context.shard)
         @context.all_student_enrollments.find_by_user_id(user_id)
       elsif observed_students.present? # otherwise try to find an observed student
@@ -70,6 +71,11 @@ def student_enrollment
     end
   end
 
+  def validate_id
+    raise ActiveRecord::RecordNotFound if ( !@id_param.is_a?(User) && (@id_param.to_s =~ Api::ID_REGEX).nil? )
+    true
+  end
+
   def student
     @student ||= (student_enrollment && student_enrollment.user)
   end
diff --git a/spec/controllers/gradebooks_controller_spec.rb b/spec/controllers/gradebooks_controller_spec.rb
@@ -62,7 +62,7 @@
       assert_unauthorized
     end
 
-    it" should allow access for a linked observer" do
+    it "should allow access for a linked observer" do
       course_with_student(:active_all => true)
       @student = @user
       user(:active_all => true)
@@ -331,6 +331,13 @@ def check_grades_page(due_at)
         check_grades_page(@due_at + 1.day)
       end
     end
+
+    it "should raise an exception on a non-integer :id" do
+      course_with_teacher_logged_in(:active_all => true)
+      expect {
+        get 'grade_summary', :course_id => @course.id, :id => "lqw"
+      }.to raise_error(ActiveRecord::RecordNotFound)
+    end
   end
 
   describe "GET 'show'" do
