Grant teachers access to project context on student remix projects

[DNR500]

Fixes the problem described in issue 1522

Summary

Teachers can already read student remixes for lessons they teach, but were denied access to GET /api/projects/:identifier/context on those remix URLs. This PR adds show_context to the existing teacher remix read rule so a teacher reopening a saved link to a student's project gets full lesson/class/school context after re-login.

Problem

When a teacher opens a saved link to a student's project (the remix identifier, e.g. /school/project/{student-remix-id}) in a new session:

• GET /api/projects/{id} succeeds (teacher can read the remix)
• GET /api/projects/{id}/context returns 403

Student remix rows have lesson_id: nil and point at the lesson template via remixed_from_id. The context endpoint resolves lesson and class from the parent project (context.json.jbuilder), but teachers only had read on remixes - not show_context.

Without context, editor-standalone cannot load the lesson, detect "teacher viewing student work", or enter view-only mode on a cold load.

Solution

Add show_context to the same rule teachers already use to read student remixes:

# app/models/ability.rb - define_school_teacher_abilities
can(%i[read show_context], Project, remixed_from_id: teacher_project_ids)

No change to the context response shape or jbuilder - context.json.jbuilder already resolves lesson_id and class_id from @project.parent&.lesson.

No new security boundary: teachers who can read a student remix (lesson owner or co-teacher of the class) can now load the context needed to display it. Teachers not in the class remain denied.

Changes

File	Change
app/models/ability.rb	Add show_context to teacher remix project rule
spec/models/ability_spec.rb	Assert show_context allowed for lesson owner and co-teacher; denied for teacher not in class
spec/requests/projects/show_context_spec.rb	Request spec: teacher GET …/context on student remix returns 200 with full JSON

Test plan

• bundle exec rspec spec/models/ability_spec.rb -e "remix of a teacher"
• bundle exec rspec spec/requests/projects/show_context_spec.rb
• Manual: log in as teacher, open a student's project, save the link, log out and back in, reopen the link
  • GET /api/projects/{student-remix-id}/context returns 200
  • Response includes school_id, lesson_id, class_id
  • Editor opens in view-only mode (requires editor-standalone with context consumer in place)

[Copilot]

Pull request overview

Extends the existing Cancancan authorization for school teachers so they can load project context (GET /api/projects/:identifier/context) for student remix projects they’re already allowed to read, fixing a 403 on cold loads after re-login.

Changes:

• Add show_context permission to the teacher “read student remix” rule in Ability.
• Expand Ability specs to cover show_context for remix access (allowed for lesson owner/co-teacher, denied otherwise).
• Add a request spec verifying teachers can successfully fetch context JSON for a student remix.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
app/models/ability.rb	Grants teachers show_context on student remixes derived from lesson projects they teach.
spec/models/ability_spec.rb	Adds assertions that show_context matches existing remix read authorization behavior.
spec/requests/projects/show_context_spec.rb	Verifies the /context endpoint returns 200 and expected context JSON for a teacher viewing a student remix.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[abcampo-iry]

I think this might apply.

[github-actions]

Test coverage

91.86% line coverage reported by SimpleCov.
Run: https://github.com/RaspberryPiFoundation/editor-api/actions/runs/28044848017

[abcampo-iry]

Looks good, please have a look at the comment