From 518de4e7c442d8965932aba0a8987c2c302de57c Mon Sep 17 00:00:00 2001
From: fosterfarrell9 <28628554+fosterfarrell9@users.noreply.github.com>
Date: Tue, 9 Apr 2024 19:24:48 +0200
Subject: [PATCH] Only allow admins to change course editors (#610)

* whitelist editor_ids as parameter only for admins
* add helpdesk informing about inability to change editors
* remove unnecessry hash brackets
* fix typos
* put hash in one line
* remove obsolete parameter
* add helpdesk to cSpell
---
 .vscode/settings.json | 1 +
 app/controllers/courses_controller.rb | 13 ++++++-------
 app/views/courses/_basics.html.erb | 3 +++
 config/locales/de.yml | 4 ++++
 config/locales/en.yml | 4 ++++
 5 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/.vscode/settings.json b/.vscode/settings.json
index 0932c405a..f336f558e 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -89,6 +89,7 @@
 //////////////////////////////////////
 "cSpell.words": [
 "commontator",
+ "helpdesk",
 "turbolinks"
 ]
 }
\ No newline at end of file
diff --git a/app/controllers/courses_controller.rb b/app/controllers/courses_controller.rb
index bfe9704a9..40b51e207 100644
--- a/app/controllers/courses_controller.rb
+++ b/app/controllers/courses_controller.rb
@@ -94,13 +94,12 @@ def set_course_admin
 end
 
 def course_params
- params.require(:course).permit(:title, :short_title, :organizational,
- :organizational_concept, :locale,
- :term_independent, :image,
- tag_ids: [],
- preceding_course_ids: [],
- editor_ids: [],
- division_ids: [])
+ allowed_params = [:title, :short_title, :organizational,
+ :organizational_concept, :locale,
+ :term_independent, :image,
+ { tag_ids: [], preceding_course_ids: [], division_ids: [] }]
+ allowed_params.push(editor_ids: []) if current_user.admin?
+ params.require(:course).permit(allowed_params)
 end
 
 def tag_params
diff --git a/app/views/courses/_basics.html.erb b/app/views/courses/_basics.html.erb
index f2bbc8bbc..298e7c283 100644
--- a/app/views/courses/_basics.html.erb
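Review bot: The admin check in `course_params` only narrows mass assignment, so what happens when a non-admin still submits `editor_ids` (a stale form or a crafted request) is decided by the app's `config.action_controller.action_on_unpermitted_parameters`, which this hunk does not show; under `:raise` that request becomes an error rather than a silent drop, and the intended outcome should be confirmed and logged consistently for both cases. A one-line comment would make the intent explicit for the next reader: `# editor_ids is mass-assignable only for admins; strong params drops it for everyone else`. The check also presumes `current_user` is non-nil whenever `course_params` runs, which holds only if the calling actions sit behind an authentication filter outside this hunk. On style, `push` mutates the freshly built array; a frozen base list plus `allowed_params += [{ editor_ids: [] }] if current_user.admin?` would keep the permitted list declarative, though that is optional.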
+++ b/app/views/courses/_basics.html.erb
@@ -70,6 +70,9 @@
 <% else %>
 <%= t('basics.editors') %>
+ <%= helpdesk(t('admin.course.info.no_right_to_change_editors',
+ project_email: mail_to(DefaultSetting::PROJECT_EMAIL)),
+ true) %>