Fix IDOR user test

app/api/users_api.rb

@@ -21,7 +21,8 @@ class UsersApi < Grape::API
   desc 'Get user'
   get '/users/:id', requirements: { id: /[0-9]*/ } do
     user = User.find(params[:id])
-    unless (user.id == current_user.id) || (authorise? current_user, User, :admin_users)
+    # Users may only access their own data unless they are teaching staff
+    unless user.id == current_user.id || Role.teaching_staff_ids.include?(current_user.role_id)
       error!({ error: "Cannot find User with id #{params[:id]}" }, 403)
     end
 

test/api/users_test.rb

@@ -65,18 +65,29 @@ def test_get_a_users_details
     # Add username and auth_token to Header
     add_auth_header_for(user: User.first)
 
-    # perform the GET 
+    # perform the GET
     get "/api/users/#{expected_user.id}"
     returned_user = last_response_body
 
     # Check if the call succeeds
     assert_equal 200, last_response.status
-    
+
     # Check the returned details match as expected
     response_keys = %w(first_name last_name email student_id nickname receive_task_notifications receive_portfolio_notifications receive_feedback_notifications opt_in_to_research has_run_first_time_setup)
     assert_json_matches_model(expected_user, returned_user, response_keys)
   end
-
+
+  def test_student_cannot_access_other_user
+    student = create(:user, :student)
+    other_student = create(:user, :student)
+
+    add_auth_header_for(user: student)
+
+    get "/api/users/#{other_student.id}"
+
+    assert_equal 403, last_response.status
+  end
+
   def test_get_convenors
 
     # Add username and auth_token to Header