
Commit 25f2dfb

committed
Update CanCanCan to only allow access to un-deleted classes
This commit changes the access rules in CanCanCan to prevent any user (student, teacher or owner) from accessing deleted classes.
1 parent da514ca commit 25f2dfb

1 file changed

Lines changed: 3 additions & 3 deletions


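--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -62,7 +62,7 @@ def define_authenticated_non_student_abilities(user)
 def define_school_owner_abilities(school:)
 can(%i[read update destroy], School, id: school.id)
 can(%i[read], :school_member)
-can(%i[read create import update destroy], SchoolClass, school: { id: school.id })
+can(%i[read create import update destroy], SchoolClass, school: { id: school.id }, deleted: false)
 can(%i[read show_context], Project, school_id: school.id, lesson: { visibility: %w[teachers students] })
 can(%i[read create create_batch destroy], ClassStudent, school_class: { school: { id: school.id } })
 can(%i[read create destroy], :school_owner)
@@ -78,7 +78,7 @@ def define_school_teacher_abilities(user:, school:)
 can(%i[read], School, id: school.id)
 can(%i[read], :school_member)
 can(%i[create import], SchoolClass, school: { id: school.id })
-can(%i[read update destroy], SchoolClass, school: { id: school.id }, teachers: { teacher_id: user.id })
+can(%i[read update destroy], SchoolClass, school: { id: school.id }, teachers: { teacher_id: user.id }, deleted: false)
 can(%i[read create create_batch destroy], ClassStudent, school_class: { school: { id: school.id }, teachers: { teacher_id: user.id } })
 can(%i[read], :school_owner)
 can(%i[read], :school_teacher)
@@ -112,7 +112,7 @@ def define_school_student_abilities(user:, school:)
 ).select(:id)
 ).pluck(:id)
 can(%i[read], School, id: school.id)
-can(%i[read], SchoolClass, school: { id: school.id }, students: { student_id: user.id })
+can(%i[read], SchoolClass, school: { id: school.id }, students: { student_id: user.id }, deleted: false)
 # Ensure no access to ClassMember resources, relationships otherwise allow access in some circumstances.
 can(%i[read], Lesson, school_id: school.id, visibility: 'students', school_class: { students: { student_id: user.id } })
 can(%i[read create update], Project, school_id: school.id, user_id: user.id, lesson_id: nil, remixed_from_id: visible_lesson_project_ids)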
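Review bot: The `deleted: false` condition is added only to the SchoolClass rules, so the ClassStudent rules at lines 67 and 82 and the student Lesson rule at line 117 still match records whose parent school_class is deleted — an owner or teacher can still read, create and destroy ClassStudent rows of a deleted class, and a student can still read its lessons, which appears to contradict the commit's stated intent. The nested condition can carry the same guard, e.g. `can(%i[read create create_batch destroy], ClassStudent, school_class: { school: { id: school.id }, deleted: false })`, with the equivalent `deleted: false` inside the `school_class:` hash of the teacher ClassStudent rule and the student Lesson rule. Because these are CanCanCan hash conditions, `deleted: false` only matches rows where the column is literally false; if `deleted` is nullable, rows with NULL would be excluded from access rather than treated as not deleted, so confirm the column is NOT NULL with a false default. The three ability methods each begin and end outside their hunks, so rules further down may need the same review.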
