From f3cf6ac9c9e6d020df5b77df0dcf7d75be8fc7be Mon Sep 17 00:00:00 2001
From: Charlotte Van Petegem
Date: Wed, 29 Jun 2022 16:35:32 +0200
Subject: [PATCH 1/3] Merge pull request #3753 from dodona-edu/fix/dont-show-hidden-to-unsubscribed Don't allow users who are not subscribed to a course to see hidden series
---
 app/policies/series_policy.rb | 2 +-
 test/controllers/series_controller_test.rb | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/policies/series_policy.rb b/app/policies/series_policy.rb
index 5be34ce748..71bbb2d4a9 100644
--- a/app/policies/series_policy.rb
+++ b/app/policies/series_policy.rb
@@ -21,7 +21,7 @@ def index?
 def show?
 return true if course_admin?
 return false if record.closed?
- return false if record.hidden? && user.nil?
+ return false if record.hidden? && !user&.subscribed_courses&.include?(record.course)
 course = record.course
 course.visible_for_all? ||
diff --git a/test/controllers/series_controller_test.rb b/test/controllers/series_controller_test.rb
index b23b80dac9..b6a666e9f7 100644
--- a/test/controllers/series_controller_test.rb
+++ b/test/controllers/series_controller_test.rb
@@ -280,10 +280,10 @@ def assert_show_and_overview(authorized, token: nil)
 assert_show_and_overview false
 end
- test 'student should see hidden series with token' do
+ test 'unsubscribed student should not see hidden series, even with token' do
 sign_in @student
 @series.update(visibility: :hidden)
- assert_show_and_overview true, token: @series.access_token
+ assert_show_and_overview false, token: @series.access_token
 end
 test 'student should not see hidden series with wrong token' do
From 5b10439b25ab75f6d1e3a48caebdaea85059fa9f Mon Sep 17 00:00:00 2001
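Review bot: The new hidden-series guard in `show?` packs the whole membership decision into a negated safe-navigation chain, `!user&.subscribed_courses&.include?(record.course)`, with no comment saying that signed-out visitors and non-members are both meant to be refused. For an authorization rule that is easy to misread on a later edit, so I would add `# Hidden series are visible only to users subscribed to the course; signed-out users and non-members are refused.` directly above it. Which membership states `subscribed_courses` returns is not visible in this hunk, so it is worth confirming that pending or lapsed memberships are excluded. `show?` continues past the end of the hunk.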
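Review bot: Rewriting 'student should see hidden series with token' into the negative case leaves no test in this hunk for the path that should still succeed, a subscribed student opening a hidden series with the correct token. Without that case, a later policy change that refuses hidden series to every non-admin would not be caught by the tests shown here. I would keep a companion test that first subscribes `@student` to the course of `@series` and then runs `assert_show_and_overview true, token: @series.access_token`. Such a test may already exist outside the hunk, in which case a short comment pointing to it is enough.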
From: Charlotte Van Petegem
Date: Wed, 29 Jun 2022 16:35:48 +0200
Subject: [PATCH 2/3] Merge pull request #3754 from dodona-edu/fix/no-link-if-not-accessible Never link to activity when viewing inside course and not accessible
---
 app/views/activities/_series_activities_table.html.erb | 2 --
 1 file changed, 2 deletions(-)
diff --git a/app/views/activities/_series_activities_table.html.erb b/app/views/activities/_series_activities_table.html.erb
index a10fa607ca..a4c1032196 100644
--- a/app/views/activities/_series_activities_table.html.erb
+++ b/app/views/activities/_series_activities_table.html.erb
@@ -52,8 +52,6 @@ <% if activity.accessible?(current_user, @course) %> <%= link_to activity.name, get_activity_path.call(activity) %>
- <% elsif activity.access_public? %>
- <%= link_to activity.name, activity_path(activity) %>
 <% else %> <%= activity.name %> <% if current_user&.course_admin?(@course) && current_user&.repository_admin?(activity.repository) %>
From fd57d33e733eff511b46ce47374c83a2fc125bbb Mon Sep 17 00:00:00 2001
From: Charlotte Van Petegem
Date: Wed, 29 Jun 2022 16:38:25 +0200
Subject: [PATCH 3/3] Bump version
---
 config/initializers/00_version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/initializers/00_version.rb b/config/initializers/00_version.rb
index 017cee787a..5d3ff12fe6 100644
--- a/config/initializers/00_version.rb
+++ b/config/initializers/00_version.rb
@@ -3,7 +3,7 @@ class Application
 module Version
 MAJOR = 5
 MINOR = 5
- PATCH = 7
+ PATCH = 8
 STRING = [MAJOR, MINOR, PATCH].compact.join('.')
 end