Merge branch 'main' into expand-profile-api-client

sra405 · web-flow · commit 98885af245a6 · 2024-07-11T16:21:12.000+01:00
diff --git a/app/graphql/types/query_type.rb b/app/graphql/types/query_type.rb
@@ -15,7 +15,7 @@ class QueryType < Types::BaseObject
                                              description: 'List of preferred project locales, defaults to ["en"]'
     end
 
-    field :projects, Types::ProjectType.connection_type, 'All viewable projects' do
+    field :projects, Types::ProjectType.connection_type, 'All viewable personal projects' do
       argument :user_id, String, required: false, description: 'Filter by user ID'
     end
 
@@ -26,7 +26,7 @@ def project(identifier:, preferred_locales: ['en'])
 
     def projects(user_id: nil)
       results = Project.accessible_by(context[:current_ability], :show).order(updated_at: :desc)
-      results = results.where(user_id:) if user_id
+      results = results.where(user_id:, school_id: nil, lesson_id: nil) if user_id
 
       results
     end
diff --git a/app/models/ability.rb b/app/models/ability.rb
@@ -50,6 +50,7 @@ def initialize(user)
   def define_school_owner_abilities(school:)
     can(%i[read update destroy], School, id: school.id)
     can(%i[read create update destroy], SchoolClass, school: { id: school.id })
+    can(%i[read], Project, school_id: school.id, lesson: { visibility: %w[teachers students] })
     can(%i[read create destroy], ClassMember, school_class: { school: { id: school.id } })
     can(%i[read create destroy], :school_owner)
     can(%i[read create destroy], :school_teacher)
@@ -64,6 +65,7 @@ def define_school_teacher_abilities(user:, school:)
     can(%i[read], School, id: school.id)
     can(%i[create], SchoolClass, school: { id: school.id })
     can(%i[read update destroy], SchoolClass, school: { id: school.id }, teacher_id: user.id)
+    can(%i[read], Project, school_id: school.id, lesson: { visibility: %w[teachers students] })
     can(%i[read create destroy], ClassMember, school_class: { school: { id: school.id }, teacher_id: user.id })
     can(%i[read], :school_owner)
     can(%i[read], :school_teacher)
diff --git a/db/schema.graphql b/db/schema.graphql
@@ -567,7 +567,7 @@ type Query {
   ): Project
 
   """
-  All viewable projects
+  All viewable personal projects
   """
   projects(
     """
diff --git a/spec/graphql/queries/projects_query_spec.rb b/spec/graphql/queries/projects_query_spec.rb
@@ -85,13 +85,14 @@
   context 'when fetching projects by user ID when logged in' do
     let(:query) { 'query ($userId: String) { projects(userId: $userId) { edges { node { id } } } }' }
     let(:current_user) { authenticated_user }
+    let(:teacher) { create(:teacher, school:) }
     let(:variables) { { userId: authenticated_user.id } }
     let(:project) { create(:project, user_id: authenticated_user.id) }
     let(:school) { create(:school) }
-    let(:owner) { create(:owner, school:) }
+    let(:lesson) { create(:lesson, user_id: teacher.id, school:) }
 
     before do
-      authenticated_in_hydra_as(owner)
+      authenticated_in_hydra_as(teacher)
     end
 
     it { expect(query).to be_a_valid_graphql_query }
@@ -103,6 +104,24 @@
       end
     end
 
+    context 'with an existing project owned by the user that belongs to a school' do
+      let(:project) { create(:project, user_id: teacher.id, school:) }
+
+      it 'returns an empty array' do
+        project
+        expect(result.dig('data', 'projects', 'edges')).to be_empty
+      end
+    end
+
+    context 'with an existing project owned by the user that belongs to a lesson' do
+      let(:project) { create(:project, user_id: teacher.id, lesson:) }
+
+      it 'returns an empty array' do
+        project
+        expect(result.dig('data', 'projects', 'edges')).to be_empty
+      end
+    end
+
     context 'with an existing unowned project' do
       let(:project) { create(:project, user_id: nil) }
 
diff --git a/spec/models/ability_spec.rb b/spec/models/ability_spec.rb
@@ -57,6 +57,33 @@
         it { is_expected.not_to be_able_to(:destroy, another_project) }
       end
     end
+
+    context 'when the project belongs to a school and the associated lesson is not private' do
+      let(:user) { build(:user) }
+      let(:school) { build(:school) }
+      let(:lesson) { build(:lesson, school:, visibility: 'teachers') }
+      let(:school_project) { build(:project, school:, lesson:) }
+
+      context 'when user is a school owner' do
+        before do
+          create(:owner_role, user_id: user.id, school:)
+        end
+
+        it { is_expected.to be_able_to(:read, school_project) }
+        it { is_expected.not_to be_able_to(:update, school_project) }
+        it { is_expected.not_to be_able_to(:destroy, school_project) }
+      end
+
+      context 'when user is a school teacher' do
+        before do
+          create(:teacher_role, user_id: user.id, school:)
+        end
+
+        it { is_expected.to be_able_to(:read, school_project) }
+        it { is_expected.not_to be_able_to(:update, school_project) }
+        it { is_expected.not_to be_able_to(:destroy, school_project) }
+      end
+    end
   end
 
   describe 'Component' do
