From 4b724fe823dc339d14163df769f2b9b22f654a7d Mon Sep 17 00:00:00 2001
From: jorg-vr
Date: Wed, 27 Mar 2024 14:42:20 +0100
Subject: [PATCH 1/2] Add tests
---
 .../controllers/activities_controller_test.rb | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/test/controllers/activities_controller_test.rb b/test/controllers/activities_controller_test.rb
index cfeac3bfb4..490f8fe61a 100644
--- a/test/controllers/activities_controller_test.rb
+++ b/test/controllers/activities_controller_test.rb
@@ -823,6 +823,40 @@ def create_exercises_return_valid
 assert exercise.reload.draft
 assert_equal 'new name', exercise.name_en
 end
+
+ test 'should not show activity if not in series' do
+ right_course = create :course
+ right_series = create :series, course: right_course
+ right_exercise = create :exercise
+ right_series.exercises << right_exercise
+
+ get course_series_activity_url(right_course, right_series, right_exercise)
+
+ assert_response :success
+
+ wrong_series = create :series, course: right_course
+
+ get course_series_activity_url(right_course, wrong_series, right_exercise)
+
+ assert_redirected_to root_url
+ end
+
+ test 'should not show activity if series not in course' do
+ right_course = create :course
+ right_series = create :series, course: right_course
+ right_exercise = create :exercise
+ right_series.exercises << right_exercise
+
+ get course_series_activity_url(right_course, right_series, right_exercise)
+
+ assert_response :success
+
+ wrong_course = create :course
+
+ get course_series_activity_url(wrong_course, right_series, right_exercise)
+
+ assert_redirected_to root_url
+ end
 end
 class ExerciseErrorMailerTest < ActionDispatch::IntegrationTest
From c77aa30e9f93a73e202dce00dc074deca6386213 Mon Sep 17 00:00:00 2001
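Review bot: The second added test, 'should not show activity if series not in course', does not pin the series-to-course check it is named after: `right_exercise` is attached only to `right_series`, so the request under `wrong_course` can be rejected purely because the exercise is not part of that course. A further case in which the exercise sits in a series of each course, and the URL combines one course with the other course's series, would show whether the controller compares the two at all. The extra setup is two lines, `other_series = create :series, course: wrong_course` and `other_series.exercises << right_exercise`, followed by a request for `course_series_activity_url(wrong_course, right_series, right_exercise)` and an assertion that it is not answered with `:success`.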
From: jorg-vr
Date: Wed, 27 Mar 2024 14:50:33 +0100
Subject: [PATCH 2/2] Redirect if activity not in series
---
 app/controllers/activities_controller.rb | 3 +++
 test/controllers/activities_controller_test.rb | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/app/controllers/activities_controller.rb b/app/controllers/activities_controller.rb
index d6f81f8d8d..c55b68f742 100644
--- a/app/controllers/activities_controller.rb
+++ b/app/controllers/activities_controller.rb
@@ -114,6 +114,9 @@ def show
 raise Pundit::NotAuthorizedError, 'Not allowed' unless @activity.accessible?(current_user, @course)
 @series = Series.find_by(id: params[:series_id])
+ # Double check if activity still exists within this series, redirect to course activity if it does not
+ redirect_to helpers.activity_scoped_path(activity: @activity, course: @course) if @series&.activities&.exclude?(@activity)
+
 @not_registered = @course && !current_user&.member_of?(@course)
 flash.now[:alert] = I18n.t('activities.show.not_a_member') if @not_registered
 @current_membership = CourseMembership.where(course: @course, user: current_user).first if @lti_launch && @not_registered
diff --git a/test/controllers/activities_controller_test.rb b/test/controllers/activities_controller_test.rb
index 490f8fe61a..da467bd029 100644
--- a/test/controllers/activities_controller_test.rb
+++ b/test/controllers/activities_controller_test.rb
@@ -838,7 +838,7 @@ def create_exercises_return_valid
 get course_series_activity_url(right_course, wrong_series, right_exercise)
- assert_redirected_to root_url
+ assert_redirected_to course_activity_url(right_course, right_exercise)
 end
 test 'should not show activity if series not in course' do
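Review bot: The `redirect_to` added to `show` in app/controllers/activities_controller.rb is not followed by a return, so the rest of the action still runs with `@series` set to a series that does not contain the activity: the flash and membership lookup below it in this hunk, and whatever follows outside it. Any later `render` or `redirect_to` on that path would raise a double-render error, and any state the action records would be recorded against the mismatched series. Returning at the redirect closes that: `return redirect_to helpers.activity_scoped_path(activity: @activity, course: @course) if @series&.activities&.exclude?(@activity)`. The new check also covers only activity-in-series; in the visible lines `Series.find_by(id: params[:series_id])` is never compared with `@course`, so a series from another course appears to pass whenever it contains the activity. `show` starts and ends outside the hunk.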