restrict api discussion updates for group discussions

maneframe · maneframe · commit ad0289647e69 · 2017-02-09T14:30:03.000Z
test plan: * create a group set with a group * create a group discussion for the group set * in two separate tabs, open the discussion edit page for the root discussion topic (on the course) and the edit page for the group level discussion topic * make a change to the root topic (like "users must post before seeing replies" / require_initial_post) * without refreshing, save the group topic as well * view the the group topic in the API (/api/v1/groups/X/discussion_topics/Y) * the "require_initial_post" setting should be the same as the root closes #CNVS-34462 Change-Id: Id8629bc87b60ea8ea86c3148187890a985c0fc15 Reviewed-on: https://gerrit.instructure.com/101126 Reviewed-by: Jeremy Stanley <jeremy@instructure.com> QA-Review: Deepeeca Soundarrajan <dsoundarrajan@instructure.com> Tested-by: Jenkins Product-Review: James Williams <jamesw@instructure.com>
diff --git a/app/controllers/discussion_topics_controller.rb b/app/controllers/discussion_topics_controller.rb
@@ -900,13 +900,16 @@ def user_can_moderate
   end
 
   API_ALLOWED_TOPIC_FIELDS = %w(title message discussion_type delayed_post_at lock_at podcast_enabled
-                                podcast_has_student_posts require_initial_post is_announcement pinned
+                                podcast_has_student_posts require_initial_post pinned
                                 group_category_id allow_rating only_graders_can_rate sort_by_rating).freeze
 
+  API_ALLOWED_TOPIC_FIELDS_FOR_GROUP = %w(title message discussion_type podcast_enabled pinned
+                                allow_rating only_graders_can_rate sort_by_rating).freeze
+
+
   def process_discussion_topic(is_new = false)
     @errors = {}
-    discussion_topic_hash = params.permit(*API_ALLOWED_TOPIC_FIELDS)
-    model_type = value_to_boolean(discussion_topic_hash.delete(:is_announcement)) && @context.announcements.temp_record.grants_right?(@current_user, session, :create) ? :announcements : :discussion_topics
+    model_type = value_to_boolean(params[:is_announcement]) && @context.announcements.temp_record.grants_right?(@current_user, session, :create) ? :announcements : :discussion_topics
     if is_new
       @topic = @context.send(model_type).build
     else
@@ -915,6 +918,9 @@ def process_discussion_topic(is_new = false)
 
     return unless authorized_action(@topic, @current_user, (is_new ? :create : :update))
 
+    allowed_fields = @context.is_a?(Group) ? API_ALLOWED_TOPIC_FIELDS_FOR_GROUP : API_ALLOWED_TOPIC_FIELDS
+    discussion_topic_hash = params.permit(*allowed_fields)
+
     prior_version = @topic.generate_prior_version
     process_podcast_parameters(discussion_topic_hash)
 
diff --git a/spec/apis/v1/discussion_topics_api_spec.rb b/spec/apis/v1/discussion_topics_api_spec.rb
@@ -639,6 +639,20 @@ def blank_fallback
         expect(@topic).not_to be_locked
       end
 
+      it "should not update certain attributes for group discussions" do
+        group_category = @course.group_categories.create(:name => 'watup')
+        group = group_category.groups.create!(:name => "group1", :context => @course)
+        gtopic = create_topic(group, :title => "topic")
+
+        api_call(:put, "/api/v1/groups/#{group.id}/discussion_topics/#{gtopic.id}",
+          {:controller => "discussion_topics", :action => "update", :format => "json", :group_id => group.to_param, :topic_id => gtopic.to_param},
+          {:allow_rating => '1', :require_initial_post => '1'})
+
+        gtopic.reload
+        expect(gtopic.allow_rating).to be_truthy
+        expect(gtopic.require_initial_post).to_not be_truthy
+      end
+
       context "publishing" do
         it "should publish a draft state topic" do
           @topic.workflow_state = 'unpublished'
