From c674b1c78a2fe24cbf1668ca4cc940d2ffac8ec7 Mon Sep 17 00:00:00 2001
From: jorg-vr
Date: Fri, 17 Nov 2023 14:15:40 +0100
Subject: [PATCH] Don't show annotations from other users to zeus
---
 app/policies/saved_annotation_policy.rb | 4 +---
 .../saved_annotation_controller_test.rb | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/app/policies/saved_annotation_policy.rb b/app/policies/saved_annotation_policy.rb
index 8587980152..9c1ed88e2f 100644
--- a/app/policies/saved_annotation_policy.rb
+++ b/app/policies/saved_annotation_policy.rb
@@ -1,9 +1,7 @@
 class SavedAnnotationPolicy < ApplicationPolicy
 class Scope < ApplicationPolicy::Scope
 def resolve
- if user&.zeus?
- scope.all
- elsif user&.a_course_admin?
+ if user&.zeus? || user&.a_course_admin?
 scope.where(user_id: user.id)
 else
 scope.none
diff --git a/test/controllers/saved_annotation_controller_test.rb b/test/controllers/saved_annotation_controller_test.rb
index 7d40261cea..5132a21100 100644
--- a/test/controllers/saved_annotation_controller_test.rb
+++ b/test/controllers/saved_annotation_controller_test.rb
@@ -31,4 +31,22 @@ def setup
 assert_response :success
 end
+
+ test 'zeus should not have access to saved annotations of other users' do
+ sign_in users(:staff)
+ get saved_annotations_url, params: { format: :json }
+
+ assert_response :success
+ assert_equal 1, response.parsed_body.length
+
+ sign_in users(:zeus)
+ get saved_annotations_url, params: { format: :json }
+
+ assert_response :success
+ assert_equal 0, response.parsed_body.length
+
+ get saved_annotation_url(@instance), params: { format: :json }
+
+ assert_response :forbidden
+ end
 end
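Review bot: The merged condition in `Scope#resolve` now has three outcomes folded into an `if`/`else` where a guard reads more directly and makes the nil-user case explicit: `return scope.none unless user && (user.zeus? || user.a_course_admin?)` followed by `scope.where(user_id: user.id)`. Note that the second `&.` is not redundant in the committed form — when `user` is nil the first operand is nil and `||` still evaluates `user&.a_course_admin?` — which is why the guard form that checks `user` once is clearer. The record-level permissions of SavedAnnotationPolicy (show?, update?, destroy?) are outside this hunk; the new test asserts `:forbidden` for zeus on another user's record, so presumably they already key on ownership rather than `zeus?`, but that is worth confirming since narrowing the scope alone would not close a `zeus?` short-circuit there. The `resolve` method's `end` and the enclosing classes continue past the hunk.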
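Review bot: The zeus assertion `assert_equal 0, response.parsed_body.length` also passes if the scope returned nothing for anyone, so it does not distinguish "filtered to own records" from "scope broken"; creating a saved annotation owned by `users(:zeus)` before the second request and asserting that it is the only one returned would pin the intended behaviour, while keeping the existing check that the staff user's annotation is absent. The `assert_equal 1` for `users(:staff)` depends on fixture contents not visible here; a comment such as `# fixture: staff owns exactly one saved annotation` would tell the next maintainer why that number is expected. `@instance` comes from `setup`, which is outside the hunk, so its owner is presumably not zeus — confirm, since the `:forbidden` assertion relies on it.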