New teacher cannot see students in school members (#439)

closes #438 --------- Co-authored-by: create-issue-branch[bot] <53036503+create-issue-branch[bot]@users.noreply.github.com> Co-authored-by: Dan Halson <[email protected]>
RaspberryPiFoundation · Sep 18, 2024 · 293c3c3 · 293c3c3
1 parent dee5721
commit 293c3c3
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 1 deletion.
diff --git a/app/controllers/api/school_members_controller.rb b/app/controllers/api/school_members_controller.rb
@@ -6,6 +6,8 @@ class SchoolMembersController < ApiController
     load_and_authorize_resource :school
     authorize_resource :school_member, class: false
 
+    before_action :create_safeguarding_flags
+
     def index
       result = SchoolMember::List.call(school: @school, token: current_user.token)
 
@@ -16,5 +18,32 @@ def index
         render json: { error: result[:error] }, status: :unprocessable_entity
       end
     end
+
+    private
+
+    def create_safeguarding_flags
+      create_teacher_safeguarding_flag
+      create_owner_safeguarding_flag
+    end
+
+    def create_teacher_safeguarding_flag
+      return unless current_user.school_teacher?(@school)
+
+      ProfileApiClient.create_safeguarding_flag(
+        token: current_user.token,
+        flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher],
+        email: current_user.email
+      )
+    end
+
+    def create_owner_safeguarding_flag
+      return unless current_user.school_owner?(@school)
+
+      ProfileApiClient.create_safeguarding_flag(
+        token: current_user.token,
+        flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner],
+        email: current_user.email
+      )
+    end
   end
 end
diff --git a/spec/features/school_member/listing_school_members_spec.rb b/spec/features/school_member/listing_school_members_spec.rb
@@ -16,8 +16,8 @@
       { id: student.id, name: student.name, username: student.username }
     end
     stub_profile_api_list_school_students(school:, student_attributes:)
-
     stub_user_info_api_for(teacher)
+    stub_profile_api_create_safeguarding_flag
   end
 
   it 'responds 200 OK' do
@@ -95,6 +95,16 @@
     expect(student_names).to eq(sorted_student_names)
   end
 
+  it 'creates the school owner safeguarding flag' do
+    get("/api/schools/#{school.id}/students", headers:)
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner], email: owner.email)
+  end
+
+  it 'does not create the school teacher safeguarding flag' do
+    get("/api/schools/#{school.id}/students", headers:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher], email: owner.email)
+  end
+
   it "responds with nil attributes for students if the user profile doesn't exist" do
     stub_user_info_api_for_unknown_users(user_id: students.first.id)
 
@@ -123,4 +133,20 @@
     get("/api/schools/#{school.id}/members", headers:)
     expect(response).to have_http_status(:forbidden)
   end
+
+  it 'does not create the school owner safeguarding flag when the user is a school teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    get("/api/schools/#{school.id}/students", headers:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner], email: owner.email)
+  end
+
+  it 'creates the school teacher safeguarding flag when the user is a school teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    get("/api/schools/#{school.id}/students", headers:)
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher], email: teacher.email)
+  end
 end