refining permissions and validations

app/controllers/api/lessons_controller.rb

@@ -4,7 +4,7 @@ module Api
   class LessonsController < ApiController
     before_action :authorize_user, except: %i[index show]
     before_action :verify_school_class_belongs_to_school, only: :create
-    load_and_authorize_resource :lesson, except: [:create_from_project]
+    load_and_authorize_resource :lesson
 
     def index
       archive_scope = params[:include_archived] == 'true' ? Lesson : Lesson.unarchived
@@ -44,6 +44,12 @@ def create_copy
     def create_from_project
       remix_origin = request.origin || request.referer
 
+      # authorize the project if it exists
+      if lesson_params[:project_identifier].present?
+        project = Project.find_by(identifier: lesson_params[:project_identifier])
+        authorize! :update, project if project
+      end
+
       result = Lesson::CreateFromProject.call(lesson_params:, remix_origin:)
 
       if result.success?

app/models/ability.rb

@@ -67,7 +67,6 @@ def define_school_owner_abilities(school:)
     can(%i[read create destroy], :school_owner)
     can(%i[read create destroy], :school_teacher)
     can(%i[read create create_batch update destroy], :school_student)
-    can(%i[create_from_project], Lesson)
     can(%i[create create_copy], Lesson, school_id: school.id)
     can(%i[read update destroy], Lesson, school_id: school.id, visibility: %w[teachers students public])
   end
@@ -84,7 +83,9 @@ def define_school_teacher_abilities(user:, school:)
     can(%i[create update destroy], Lesson) do |lesson|
       school_teacher_can_manage_lesson?(user:, school:, lesson:)
     end
-    can(%i[create_from_project], Lesson)
+    can(%i[create_from_project], Lesson) do |lesson|
+      school_teacher_can_manage_lesson?(user:, school:, lesson:) && school_teacher_can_manage_project?(user:, school:, project: lesson.project)
+    end
     can(%i[read create_copy], Lesson, school_id: school.id, visibility: %w[teachers students])
     can(%i[create], Project) do |project|
       school_teacher_can_manage_project?(user:, school:, project:)

app/models/lesson.rb

@@ -17,6 +17,8 @@ class Lesson < ApplicationRecord
 
   validate :user_has_the_school_owner_or_school_teacher_role_for_the_school
   validate :user_is_the_school_teacher_for_the_school_class
+  validate :project_belongs_to_the_same_school
+  validate :project_belongs_to_the_same_user
 
   scope :archived, -> { where.not(archived_at: nil) }
   scope :unarchived, -> { where(archived_at: nil) }
@@ -74,4 +76,16 @@ def user_is_the_school_teacher_for_the_school_class
 
     errors.add(:user, "'#{user_id}' is not the 'school-teacher' for school_class '#{school_class.id}'")
   end
+
+  def project_belongs_to_the_same_school
+    return unless project && school && project.school_id != school.id
+
+    errors.add(:project, "must belong to the same school (#{school.id}) as the lesson (#{id})")
+  end
+
+  def project_belongs_to_the_same_user
+    return unless project && user_id && project.user_id != user_id
+
+    errors.add(:project, "must belong to the same user (#{user_id}) as the lesson (#{id})")
+  end
 end

lib/concepts/lesson/operations/create_from_project.rb

@@ -11,7 +11,7 @@ def call(lesson_params:, remix_origin:)
       rescue StandardError => e
         Sentry.capture_exception(e)
         errors = response[:lesson].errors.full_messages.join(',')
-        response[:error] = "Error creating remix of lesson: #{errors}"
+        response[:error] = "Error creating lesson from project: #{errors}"
         response
       end