From 6fa4c65db25e32aca66f8a242ddfe5792e6c0588 Mon Sep 17 00:00:00 2001 From: abcampo-iry <261805581+abcampo-iry@users.noreply.github.com> Date: Wed, 10 Jun 2026 09:43:46 +0200 Subject: [PATCH] update remixes controller --- .../api/projects/remixes_controller.rb | 2 + spec/requests/projects/remix_spec.rb | 43 +++++++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/app/controllers/api/projects/remixes_controller.rb b/app/controllers/api/projects/remixes_controller.rb index 9c51e165e..a38928728 100644 --- a/app/controllers/api/projects/remixes_controller.rb +++ b/app/controllers/api/projects/remixes_controller.rb @@ -25,6 +25,8 @@ def show_identifier end def create + authorize! :show, project + # Ensure we have a fallback value to prevent bad requests remix_origin = request.origin || request.referer result = Project::CreateRemix.call(params: remix_params, diff --git a/spec/requests/projects/remix_spec.rb b/spec/requests/projects/remix_spec.rb index 461c085ba..80bf8a177 100644 --- a/spec/requests/projects/remix_spec.rb +++ b/spec/requests/projects/remix_spec.rb 
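Review bot: The new `authorize! :show, project` in `create` gates remixing on the ability to view the original, which is the right place for the check but leaves the intent undocumented: a later widening of the `:show` rule (for example a read-only share link) would silently also grant copy rights, so either add `# Remixing copies the original project's content, so it requires the same ability as viewing it.` above the call or introduce a dedicated `:remix` ability that delegates to `:show`. The 403 the spec expects depends on the `AccessDenied` error raised by `authorize!` (presumably CanCanCan's) being rescued in a base controller outside this hunk; confirm that rescue applies to this API namespace rather than falling through to a 500. The `project` helper the check reads is defined outside the hunk, and `create`'s body continues past the last line shown.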
@@ -168,6 +168,49 @@ expect(response).to have_http_status(:not_found) end + context 'when the original project belongs to another user' do + let!(:original_project) { create(:project, user_id: create(:user).id) } + + it 'returns forbidden without creating a remix' do + allow(Project::CreateRemix).to receive(:call).and_call_original + + expect do + post("/api/projects/#{original_project.identifier}/remix", params: { project: project_params }, headers:) + end.not_to change(Project, :count) + + expect(response).to have_http_status(:forbidden) + expect(Project::CreateRemix).not_to have_received(:call) + end + end + + context 'when a student cannot view the teacher-only original project' do + let(:student) { create(:student, school:) } + let(:teacher) { create(:teacher, school:) } + let(:school_class) { create(:school_class, school:, teacher_ids: [teacher.id]) } + let(:lesson) { create(:lesson, school:, school_class:, user_id: teacher.id, visibility: 'teachers') } + let!(:original_project) do + lesson.project.tap do |project| + project.update!(school:, user_id: teacher.id, instructions: 'Teacher-only instructions') + end + end + + before do + create(:class_student, school_class:, student_id: student.id) + authenticated_in_hydra_as(student) + end + + it 'returns forbidden without creating a remix' do + allow(Project::CreateRemix).to receive(:call).and_call_original + + expect do + post("/api/projects/#{original_project.identifier}/remix", params: { project: project_params }, headers:) + end.not_to change(Project, :count) + + expect(response).to have_http_status(:forbidden) + expect(Project::CreateRemix).not_to have_received(:call) + end + end + context 'when project cannot be saved' do before do authenticated_in_hydra_as(owner)
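Review bot: The 'when the original project belongs to another user' context never states who is authenticated, unlike the teacher-only context which calls `authenticated_in_hydra_as(student)`; it relies on whatever the outer setup (outside this hunk) establishes, so if that ever changes to an unauthenticated request the 403 could come from a different path and the cross-user case would pass for the wrong reason. Add `before { authenticated_in_hydra_as(owner) }` to that context so the request is explicitly made as a logged-in non-owner. Both new contexts are negative cases; unless the spec above line 168 already covers a non-owner who can view the original (for example a public project) remixing it successfully, add that positive case so the new `authorize!` check cannot be over-tightened without a failing test.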