fix up adding logins through the UI

api actions use params[:user][:id] and an Account @context, non-api
actions use params[:user_id] and and either params[:account_id] or the
@domain_root_account. correctly handle both paths.

while we're at it, when the API call was added, the json response
changed (lost the pseudonym[] wrapper) and the javascript broke. fix
that, and fix the html so the javascript can correctly populate the
template.

test-plan:
  - log in as a site admin
    - add a login to a user with a non-default account selected in the
      dropdown; the login should be created in the correct account
  - log in as a non-site admin account admin
    - add a login to a user (no account dropdown); the login should be
      created in the current domain root account
  - while adding accounts through the UI, observe proper addition of new
    login to the logins list
  - through the API, add a login to a user via a root account; should
    succeed
  - through the API, add a login to a user via a non-root account should
    fail with a 400 Bad Request
  - through the API, attempt to add a login without specifying any
    parameters; should return a 404, not a 500
  - through the API, attempt to list logins without specifying any
    parameters; should return a 404, not a 500

Change-Id: Ic28e73a992916b81a18b40244bbb6d919cccf858
Reviewed-on: https://gerrit.instructure.com/8269
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Zach Pendleton <zachp@instructure.com>

Author: lukfugl

app/controllers/pseudonyms_controller.rb

@@ -30,8 +30,8 @@ class PseudonymsController < ApplicationController
   #
   # @argument user[id] The ID of the user to search on.
   def index
-    @user = api_find(User, params[:user][:id])
-    return unless context_is_root_account?(@context) && authorized_action(@user, @current_user, :read)
+    return unless get_user && authorized_action(@user, @current_user, :read)
+    return unless context_is_root_account?
     @pseudonyms = Api.paginate(
       @user.pseudonyms.scoped(:conditions => { :account_id => @context.id }),
       self, api_v1_pseudonyms_path)
@@ -135,24 +135,26 @@ def new
   # @argument login[sis_user_id] SIS ID for the login. To set this parameter, the caller must be able to manage SIS permissions on the account.
   def create
     return unless get_user
+    return unless @user == @current_user || authorized_action(@user, @current_user, :manage_logins)
 
     if api_request?
-      params[:pseudonym] = params[:login]
-      params[:pseudonym][:password_confirmation] = params[:pseudonym][:password]
+      return unless context_is_root_account?
+      params[:pseudonym] = params[:login].merge(
+        :password_confirmation => params[:login][:password],
+        :account => @context
+      )
+    else
+      account_id = params[:pseudonym].delete(:account_id)
+      if current_user_is_site_admin?(:manage_user_logins)
+        params[:pseudonym][:account] = Account.root_accounts.find(account_id)
+      else
+        params[:pseudonym][:account] = @domain_root_account
+      end
     end
+
     if !params[:pseudonym][:password]
       @existing_pseudonym = @user.pseudonyms.active.select{|p| p.account == Account.default }.first
     end
-    account_id = api_request? ? params.delete(:account_id) : params[:pseudonym].delete(:account_id)
-
-    if current_user_is_site_admin?(:manage_user_logins)
-      params[:pseudonym][:account] = Account.root_accounts.find(account_id)
-    elsif @context.is_a?(Account) && @context.root_account?
-      params[:pseudonym][:account] = @context
-    else
-      render(:json => { 'message' => 'Must create login on a root account.' }.to_json, :status => :bad_request)
-      return
-    end
 
     sis_user_id = params[:pseudonym].delete(:sis_user_id)
     @pseudonym = @user.pseudonyms.build(params[:pseudonym])
@@ -189,10 +191,7 @@ def edit
 
   def get_user
     if params[:user_id] || api_request?
-      @user = api_request? ? api_find(User, params[:user][:id]) : User.find(params[:user_id])
-      if @user != @current_user && !authorized_action(@user, @current_user, :manage_logins)
-        return false
-      end
+      @user = api_request? ? api_find(User, params[:user] && params[:user][:id]) : User.find(params[:user_id])
     else
       @user = @current_user
     end
@@ -202,6 +201,7 @@ def get_user
 
   def update
     return unless get_user
+    return unless @user == @current_user || authorized_action(@user, @current_user, :manage_logins)
     @pseudonym = @user.pseudonyms.find(params[:id])
     params[:pseudonym].delete :account_id
     unless @pseudonym.account.grants_right?(@current_user, session, :manage_user_logins)
@@ -239,6 +239,7 @@ def update
 
   def destroy
     return unless get_user
+    return unless @user == @current_user || authorized_action(@user, @current_user, :manage_logins)
     @pseudonym = @user.pseudonyms.find(params[:id])
     if @user.pseudonyms.active.length < 2
       @pseudonym.errors.add_to_base(t('errors.login_required', "Users must have at least one login"))
@@ -253,8 +254,8 @@ def destroy
   end
 
   protected
-  def context_is_root_account?(context)
-    if context.root_account?
+  def context_is_root_account?
+    if @context.root_account?
       true
     else
       render(:json => { 'message' => 'Action must be called on a root account.' }.to_json, :status => :bad_request)

app/views/users/_logins.html.erb

@@ -23,32 +23,30 @@
             <%= link_to(pseudonym ? pseudonym.account.name : nbsp, account_url(pseudonym ? pseudonym.account_id : "{{ account_id }}"), :class => 'account_name') %>
           </td>
           <td class='details'>
-            <% if pseudonym %>
-              <table>
-                <tr>
-                  <th><%= before_label('last_request', 'Last request') %></th>
-                  <td><%= datetime_string(pseudonym.last_request_at) || t('never', "never") %></td>
-                </tr>
-                <tr class='login_details' style="<%= hidden if pseudonyms.length > 1 %>">
-                  <th><%= before_label('current_login', 'Current login') %></th>
-                  <td><%= datetime_string(pseudonym.current_login_at) || t('never', "never") %></td>
-                </tr>
-                <tr class='login_details' style="<%= hidden if pseudonyms.length > 1 %>">
-                  <th><%= before_label('current_ip', 'Current login IP') %></th>
-                  <td><%= pseudonym.current_login_ip || t('none', "none") %></td>
-                </tr>
-                <tr class='login_details' style="<%= hidden if pseudonyms.length > 1 %>">
-                  <th><%= before_label('last_login', 'Last login') %></th>
-                  <td><%= datetime_string(pseudonym.last_login_at) || t('never', "never") %></td>
-                </tr>
-                <tr class='login_details' style="<%= hidden if pseudonyms.length > 1 %>">
-                  <th><%= before_label('last_ip', 'Last login IP') %></th>
-                  <td><%= pseudonym.last_login_ip || t('none', "none") %></td>
-                </tr>
-              </table>
-              <% if pseudonyms.length > 1 %>
-                <a href="#" class="login_details_link"><%= t('more', 'more...') %></a>
-              <% end %>
+            <table>
+              <tr>
+                <th><%= before_label('last_request', 'Last request') %></th>
+                <td><%= datetime_string(pseudonym.try(:last_request_at)) || t('never', "never") %></td>
+              </tr>
+              <tr class='login_details' style="<%= hidden if pseudonyms.length > 1 || !pseudonym %>">
+                <th><%= before_label('current_login', 'Current login') %></th>
+                <td><%= datetime_string(pseudonym.try(:current_login_at)) || t('never', "never") %></td>
+              </tr>
+              <tr class='login_details' style="<%= hidden if pseudonyms.length > 1 || !pseudonym %>">
+                <th><%= before_label('current_ip', 'Current login IP') %></th>
+                <td><%= pseudonym.try(:current_login_ip) || t('none', "none") %></td>
+              </tr>
+              <tr class='login_details' style="<%= hidden if pseudonyms.length > 1 || !pseudonym %>">
+                <th><%= before_label('last_login', 'Last login') %></th>
+                <td><%= datetime_string(pseudonym.try(:last_login_at)) || t('never', "never") %></td>
+              </tr>
+              <tr class='login_details' style="<%= hidden if pseudonyms.length > 1 || !pseudonym %>">
+                <th><%= before_label('last_ip', 'Last login IP') %></th>
+                <td><%= pseudonym.try(:last_login_ip) || t('none', "none") %></td>
+              </tr>
+            </table>
+            <% if pseudonyms.length > 1 || !pseudonym %>
+              <a href="#" class="login_details_link"><%= t('more', 'more...') %></a>
             <% end %>
           </td>
           <% if !pseudonym || can_do(pseudonym.account, @current_user, :manage_user_logins) %>
@@ -90,6 +88,10 @@
               <span id="passwordable_account_ids" style="display: none;"><%= Account.root_accounts.select{|a| a.settings && a.settings[:admins_can_change_passwords]}.map(&:id).join(',') %></span>
             </td>
         </tr>
+      <% else %>
+        <tr style="display: none;">
+          <td class="default_account_name"><%= @domain_root_account.name %></td>
+        </tr>
       <% end %>
       <tr class="password">
         <td><%= f.blabel :password, :en => "Password" %></td>

config/routes.rb

@@ -494,7 +494,7 @@ def add_conferences(context)
       association.invite_assessor "invite", :controller => "rubric_assessments", :action => "invite"
       association.resources :rubric_assessments, :as => 'assessments'
     end
-    user.resources :pseudonyms
+    user.resources :pseudonyms, :except => %w(index)
     user.resources :question_banks, :only => [:index]
     user.assignments_needing_grading 'assignments_needing_grading', :controller => 'users', :action => 'assignments_needing_grading'
     user.assignments_needing_submitting 'assignments_needing_submitting', :controller => 'users', :action => 'assignments_needing_submitting'

public/javascripts/user_logins.js

@@ -48,13 +48,13 @@ $(document).ready(function() {
       } else {
         var $login = $("#login_information .login.blank").clone(true);
         $("#login_information .add_holder").before($login.show());
-        data.pseudonym.account_name = $(this).data('account_name') || $(this).find(".default_account_name").text();
+        data.account_name = $(this).data('account_name') || $(this).find(".default_account_name").text();
       }
       $login.fillTemplateData({
-        data: data.pseudonym,
+        data: data,
         hrefValues: ['id', 'account_id']
       });
-      if($.inArray(data.pseudonym.account_id.toString(), passwordable_account_ids) != -1) {
+      if($.inArray(data.account_id.toString(), passwordable_account_ids) != -1) {
         $login.find(".links").addClass('passwordable');
       }
       $("#login_information .login .delete_pseudonym_link").show();

spec/apis/v1/pseudonyms_api_spec.rb

@@ -87,6 +87,7 @@
       @path = "/api/v1/accounts/#{@account.id}/logins"
       @path_options = { :controller => 'pseudonyms', :action => 'create', :format => 'json', :account_id => @account.id.to_param }
     end
+
     context "an authorized user" do
       it "should create a new pseudonym" do
         json = api_call(:post, @path, @path_options, {
@@ -105,6 +106,22 @@
           'user_id'     => @student.id
         }
       end
+
+      it "should return 400 if account_id is not a root account" do
+        @subaccount = Account.create!(:parent_account => @account)
+        @path = "/api/v1/accounts/#{@subaccount.id}/logins"
+        @path_options = { :controller => 'pseudonyms', :action => 'create', :format => 'json', :account_id => @subaccount.id.to_param }
+        raw_api_call(:post, @path, @path_options, {
+          :user  => { :id => @student.id },
+          :login => {
+            :password => 'abc123',
+            :sis_user_id => '12345',
+            :unique_id => 'duplicate@example.com'
+          }
+        })
+        response.code.should eql '400'
+      end
+
       it "should return 400 on duplicate pseudonyms" do
         @student.pseudonyms.create(:unique_id => 'duplicate@example.com')
         raw_api_call(:post, @path, @path_options, {

spec/controllers/pseudonyms_controller_spec.rb

@@ -179,15 +179,43 @@
   end
 
   describe "create" do
-    before :each do
-      user_with_pseudonym(:active_all => true)
-      Account.site_admin.add_user(@user)
-      user_session(@user, @pseudonym)
+    # these specs only test the non-api version of the calls
+    context "with site admin permissions" do
+      before :each do
+        user_with_pseudonym(:active_all => true)
+        Account.site_admin.add_user(@user)
+        user_session(@user, @pseudonym)
+      end
+
+      it "should use the account id from params" do
+        post 'create', :format => 'json', :user_id => @user.id, :pseudonym => { :account_id => Account.site_admin.id, :unique_id => 'unique1' }
+        response.should be_success
+      end
     end
 
-    it "should work with a user as context and account in params" do
-      post 'create', :format => 'json', :user_id => @user.id, :pseudonym => { :account_id => Account.site_admin.id, :unique_id => 'unique1' }
-      response.should be_success
+    context "without site admin permissions" do
+      before :each do
+        @account = Account.create!
+        user_with_pseudonym(:active_all => true, :account => @account)
+        LoadAccount.stubs(:default_domain_root_account).returns(@account)
+        @account.add_user(@user)
+        user_session(@user, @pseudonym)
+      end
+
+      it "should ignore use the domain_root_account" do
+        post 'create', :format => 'json', :user_id => @user.id, :pseudonym => { :unique_id => 'unique1' }
+        response.should be_success
+        @user.pseudonyms.size.should == 2
+        (@user.pseudonyms - [@pseudonym]).last.account.should == @account
+      end
+
+      it "should ignore account id in params and use the domain_root_account" do
+        @account2 = Account.create!
+        post 'create', :format => 'json', :user_id => @user.id, :pseudonym => { :account_id => @account2.id, :unique_id => 'unique1' }
+        response.should be_success
+        @user.pseudonyms.size.should == 2
+        (@user.pseudonyms - [@pseudonym]).last.account.should == @account
+      end
     end
   end