use category context for permission check

test plan - update a category from course you are enrolled in - in a second course that user is not member of, try update category - it should be unauthorized Fixes VICE-823 flag=none Change-Id: Ibc5eb382c3e42dfe89b9d830a3936ab7db8dcc53 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/248550 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Product-Review: Davis Hyer <dhyer@instructure.com> Reviewed-by: Davis Hyer <dhyer@instructure.com> QA-Review: Davis Hyer <dhyer@instructure.com>
AgileVentures · Oct 7, 2020 · f87bf63 · f87bf63
1 parent 2218a88
commit f87bf63
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/app/controllers/group_categories_controller.rb b/app/controllers/group_categories_controller.rb
@@ -91,7 +91,6 @@
 #     }
 #
 class GroupCategoriesController < ApplicationController
-  before_action :get_context
   before_action :require_context, :only => [:create, :index]
   before_action :get_category_context, :only => [:show, :update, :destroy, :groups, :users, :assign_unassigned_members, :import]
 
@@ -610,7 +609,7 @@ def get_category_context
     rescue ActiveRecord::RecordNotFound
       return render(:json => {'status' => 'not found'}, :status => :not_found) unless @group_category
     end
-    @context ||= @group_category.context
+    @context = @group_category.context
   end
 
   private

diff --git a/spec/apis/v1/group_categories_api_spec.rb b/spec/apis/v1/group_categories_api_spec.rb
@@ -167,6 +167,18 @@ def category_json(category, user=@user)
         expect(groups.count).to eq 3
       end
 
+      it "should not allow a teacher to update a category in other courses" do
+        og_course = @course
+        course = course_factory(:course_name => 'Math 101', :account => @account, :active_course => true)
+        category2 = GroupCategory.student_organized_for(course)
+        json = api_call(:put, "/api/v1/group_categories/#{category2.id}",
+                        @category_path_options.merge(action: 'update', group_category_id: category2.to_param),
+                        { name: @name, self_signup: 'enabled', 'create_group_count' => 3, course_id: og_course.id},
+                        {}, {expected_status: 401})
+        expect(json['status']).to eq 'unauthorized'
+        expect(category2.reload.name).to_not eq @name
+      end
+
       it "should allow a teacher to update a category and distribute students to new groups" do
         create_users_in_course(@course, 6)
         json = api_call :put, "/api/v1/group_categories/#{@category.id}",