Grant access to single assignments based on course membership

LTI roles are course based but we were granting access to individual assignments based on the instructor having launched it in the past. Previous commits fixed this for queries spanning multiple elements but here we are fixing the permission check for individual assignments.
hypothesis · Aug 8, 2024 · cc6a420 · cc6a420
1 parent 03399e5
commit cc6a420
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 7 deletions.
diff --git a/lms/services/dashboard.py b/lms/services/dashboard.py
@@ -43,7 +43,8 @@ def get_request_assignment(self, request):
             # Organization admins have access to all the assignments in their organizations
             return assignment
 
-        if not self._assignment_service.is_member(assignment, request.user.h_userid):
+        # Access to the assignment is determined by access to its course.
+        if not self._course_service.is_member(assignment.course, request.user.h_userid):
             raise HTTPUnauthorized()
 
         return assignment

diff --git a/tests/unit/lms/services/dashboard_test.py b/tests/unit/lms/services/dashboard_test.py
@@ -18,9 +18,9 @@ def test_get_request_assignment_404(self, pyramid_request, assignment_service, s
         with pytest.raises(HTTPNotFound):
             svc.get_request_assignment(pyramid_request)
 
-    def test_get_request_assignment_403(self, pyramid_request, assignment_service, svc):
+    def test_get_request_assignment_403(self, pyramid_request, course_service, svc):
         pyramid_request.matchdict["assignment_id"] = sentinel.id
-        assignment_service.is_member.return_value = False
+        course_service.is_member.return_value = False
 
         with pytest.raises(HTTPUnauthorized):
             svc.get_request_assignment(pyramid_request)
@@ -34,14 +34,17 @@ def test_get_request_assignment_for_staff(
 
         assert svc.get_request_assignment(pyramid_request)
 
-    def test_get_request_assignment(self, pyramid_request, assignment_service, svc):
+    def test_get_request_assignment(
+        self, pyramid_request, course_service, svc, assignment_service
+    ):
         pyramid_request.matchdict["assignment_id"] = sentinel.id
-        assignment_service.is_member.return_value = True
+        course_service.is_member.return_value = True
 
         assert svc.get_request_assignment(pyramid_request)
 
-        assignment_service.is_member.assert_called_once_with(
-            assignment_service.get_by_id.return_value, pyramid_request.user.h_userid
+        course_service.is_member.assert_called_once_with(
+            assignment_service.get_by_id.return_value.course,
+            pyramid_request.user.h_userid,
         )
 
     def test_get_request_assignment_for_admin(