Only return administrating courses in LTI picker

app/controllers/lti_controller.rb

@@ -36,14 +36,19 @@
   end
 
   def content_selection
+    return head :unauthorized unless current_user&.a_course_admin?
+
     @supported = @lti_message.accept_types.include?(LTI::Messages::Types::DeepLinkingResponse::LtiResourceLink::TYPE)
-    @grouped_courses = policy_scope(Course.all).group_by(&:year)
+    @grouped_courses = current_user.administrating_courses.group_by(&:year)
     @multiple = @lti_message.accept_multiple
   end
 
   def series_and_activities
     # Eager load the activities
     @course = Course.includes(series: [:activities]).find_by(id: params[:id])
+
+    return head :unauthorized unless current_user&.admin_of?(@course)
+
     @series = policy_scope(@course.series)
     @multiple = ActiveModel::Type::Boolean.new.cast(params[:multiple])
   end

test/controllers/lti_controller_test.rb

@@ -18,10 +18,14 @@ def setup
   end
 
   test 'content selection shows courses' do
+    user = create :staff
     courses = create_list :course, 2
+    user.administrating_courses << courses
     payload = lti_payload('nonce', 'target', 'LtiDeepLinkingRequest')
     id_token = encode_jwt(payload)
 
+    sign_in user
+
     get content_selection_path, params: {
       id_token: id_token,
       provider_id: @provider.id
@@ -33,6 +37,41 @@ def setup
     end
   end
 
+  test 'content selection should not show courses that are not administrated by the user' do
+    user = create :staff
+    courses = create_list :course, 2
+    payload = lti_payload('nonce', 'target', 'LtiDeepLinkingRequest')
+    id_token = encode_jwt(payload)
+
+    sign_in user
+
+    get content_selection_path, params: {
+      id_token: id_token,
+      provider_id: @provider.id
+    }
+
+    assert_response :ok
+    courses.each do |course|
+      assert_select 'option', { text: course.name, count: 0 }
+    end
+  end
+
+  test 'content selection should return unauthorized if the user is not administrating any courses' do
+    user = create :student
+    create_list :course, 2
+    payload = lti_payload('nonce', 'target', 'LtiDeepLinkingRequest')
+    id_token = encode_jwt(payload)
+
+    sign_in user
+
+    get content_selection_path, params: {
+      id_token: id_token,
+      provider_id: @provider.id
+    }
+
+    assert_response :unauthorized
+  end
+
   test 'content selection payload is correct' do
     series = create :series, exercise_count: 1
     payload = lti_payload('nonce', 'target', 'LtiDeepLinkingRequest')