
Restrict teacher ability so that they can only access their own class projects#900

Merged
cocomarine merged 2 commits into main from 526-retrict-teachers-project-access on Jun 30, 2026

Conversation

@cocomarine

Contributor

Status

What's changed?

  • Fixed a bug where teachers could access projects in school classes they don't belong to by adding a class membership check to the project rule in school teacher abilities.

@cla-bot cla-bot Bot added the cla-signed label Jun 29, 2026
@github-actions

github-actions Bot commented Jun 29, 2026


Test coverage

92.04% line coverage reported by SimpleCov.
Run: https://github.com/RaspberryPiFoundation/editor-api/actions/runs/28385120645

@cocomarine cocomarine marked this pull request as ready for review June 29, 2026 13:55
Copilot AI review requested due to automatic review settings June 29, 2026 13:55
@raspberrypiherokubot raspberrypiherokubot temporarily deployed to editor-api-p-526-retric-is6eod June 29, 2026 13:57 Inactive

Copilot AI left a comment

Contributor


Pull request overview

This PR tightens CanCanCan authorization for school teachers so they can only access (read/update/show_context) lesson projects that belong to school classes they teach, preventing cross-class project access within the same school.

Changes:

  • Restrict define_school_teacher_abilities project access to lessons whose school_class includes the current teacher.
  • Update ability specs to assert that a teacher in the same school (but not in the class) cannot access another teacher’s class project.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File | Description
spec/models/ability_spec.rb | Updates expectations to ensure non-class teachers in the same school cannot read/show_context/update class lesson projects.
app/models/ability.rb | Adds a school class membership constraint to teacher permissions for lesson projects visible to teachers/students.

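The class membership check that the PR description and the review overview above describe, as an added Ruby example that is not the editor-api project's own code: it models CanCanCan's hash-condition matching with a small stand-in `MiniAbility` class so it runs without the gem, and the model and association names (`Teacher`, `SchoolClass#teachers`, `Lesson#school_class`, `Project#lesson`, `school_id`) are assumptions, not the project's.

```ruby
# Constructed stand-ins for the editor-api models; names and associations
# (Teacher, SchoolClass#teachers, Lesson#school_class, Project#lesson) are assumptions.
Teacher     = Struct.new(:id, :school_id)
SchoolClass = Struct.new(:id, :school_id, :teachers) # has_many teachers, as an Array
Lesson      = Struct.new(:id, :school_id, :school_class)
Project     = Struct.new(:id, :lesson)

# Minimal stand-in for CanCanCan's hash-condition rules (no gem needed): a Hash value
# recurses into the association, an Array (has_many) matches if any member satisfies
# the nested hash, and anything else compares with ==.
class MiniAbility
  def initialize
    @rules = []
  end
  def can(actions, subject_class, conditions = {})
    Array(actions).each { |action| @rules << [action, subject_class, conditions] }
  end
  def can?(action, object)
    @rules.any? { |a, klass, cond| a == action && object.is_a?(klass) && match?(object, cond) }
  end
  private
  def match?(object, conditions)
    conditions.all? do |attr, expected|
      actual = object.public_send(attr)
      next actual == expected unless expected.is_a?(Hash)
      actual.is_a?(Array) ? actual.any? { |m| match?(m, expected) } : (!actual.nil? && match?(actual, expected))
    end
  end
end

# Teacher rule for lesson projects. class_membership_check: false is the buggy shape
# (any teacher in the school passes); true adds the constraint the PR introduces.
def school_teacher_ability(teacher, class_membership_check:)
  lesson_conditions = { school_id: teacher.school_id }
  lesson_conditions[:school_class] = { teachers: { id: teacher.id } } if class_membership_check
  MiniAbility.new.tap { |a| a.can(%i[read show_context update], Project, lesson: lesson_conditions) }
end

# Constructed scenario: Alice and Bob teach at the same school; only Alice is in the class.
def cross_class_check(class_membership_check:)
  alice = Teacher.new(1, 100)
  bob   = Teacher.new(2, 100)
  project = Project.new(30, Lesson.new(20, 100, SchoolClass.new(10, 100, [alice])))
  [alice, bob].map { |t| school_teacher_ability(t, class_membership_check: class_membership_check).can?(:update, project) }
end
# cross_class_check(class_membership_check: false) # => [true, true]  (the bug)
# cross_class_check(class_membership_check: true)  # => [true, false]
```

The second array element is the cross-class case the spec change guards against: a same-school teacher outside the class passes the old rule and is refused by the new one.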

@cocomarine cocomarine temporarily deployed to editor-api-p-526-retric-is6eod June 29, 2026 15:55 Inactive

@zetter-rpf zetter-rpf left a comment

Contributor


Nice one

@cocomarine cocomarine merged commit 961e2a5 into main Jun 30, 2026
6 checks passed
@cocomarine cocomarine deleted the 526-retrict-teachers-project-access branch June 30, 2026 09:34
