feat: download staff notes csv

app/api/units_api.rb

@@ -565,4 +565,19 @@ class UnitsApi < Grape::API
     job = setup_job(job_id)
     present job, with: Entities::SidekiqJobEntity
   end
+
+  desc 'Download CSV of staff notes'
+  get '/csv/units/:id/staff_notes' do
+    unit = Unit.find(params[:id])
+    unless authorise? current_user, unit, :get_staff_notes
+      error!({ error: "Not authorised to download CSV of marking session summary in #{unit.code}" }, 403)
+    end
+
+    content_type 'application/octet-stream'
+    header['Content-Disposition'] = "attachment; filename=#{unit.code}-#{unit.id}-StaffNotes.csv"
+    header['Access-Control-Expose-Headers'] = 'Content-Disposition'
+    env['api.format'] = :binary
+
+    unit.staff_notes_csv
+  end
 end

app/models/unit.rb

@@ -36,6 +36,7 @@ def self.permissions
       :download_jplag_report,
       :get_marking_sessions,
       :get_tutor_times,
+      :get_staff_notes
     ]
 
     # What can convenors do with units?
@@ -64,7 +65,8 @@ def self.permissions
       :get_tutor_times,
       :get_tutor_times_summary,
       :get_marking_sessions,
-      :upload_grades_csv
+      :upload_grades_csv,
+      :get_staff_notes
     ]
 
     # What can admin do with units?
@@ -88,7 +90,8 @@ def self.permissions
       :get_feedback_chips,
       :grant_spec_con,
       :download_jplag_report,
-      :get_marking_sessions
+      :get_marking_sessions,
+      :get_staff_notes
     ]
 
     # What can auditors do with units?
@@ -1832,6 +1835,36 @@ def task_completion_csv
     end
   end
 
+  def staff_notes_csv
+    CSV.generate() do |csv|
+      # Add headers
+      csv << ([
+        'Student Username',
+        'Project ID',
+        'Student Name',
+        'Staff Note',
+        'Created',
+        'Author Name',
+        'Author Username',
+      ])
+
+      StaffNote.joins(project: :unit)
+        .where(units: { id: id })
+        .order('projects.id', 'created_at')
+        .each do |row|
+          csv << [
+            row.project.student.username,
+            row.project.id.to_s,
+            row.project.student.name,
+            row.note,
+            row.created_at.localtime,
+            row.user.name,
+            row.user.username,
+          ]
+        end
+    end
+  end
+
   def get_portfolio_zip_filename(current_user)
     filename = FileHelper.sanitized_filename("portfolios-#{code}-#{current_user.username}")
     "#{FileHelper.tmp_file(filename)}.zip"

test/api/staff_notes_api_test.rb

@@ -19,7 +19,10 @@ def test_tutor_can_get_staff_notes
     student_project = unit.enrol_student(student, nil)
 
     tutor = FactoryBot.create(:user, :tutor)
+    convenor = FactoryBot.create(:user, :convenor)
+
     unit.employ_staff(tutor, Role.tutor)
+    unit.employ_staff(convenor, Role.convenor)
 
     staff_note = StaffNote.create!({
                                      note: "Test note!",
@@ -38,6 +41,14 @@ def test_tutor_can_get_staff_notes
     assert_equal staff_note.id, json.first['id']
     assert_equal staff_note.note, json.first['note']
     assert_equal tutor.id, json.first['user_id']
+
+    get "/api/csv/units/#{unit.id}/staff_notes"
+    assert_equal 200, last_response.status
+
+    add_auth_header_for(user: convenor)
+
+    get "/api/csv/units/#{unit.id}/staff_notes"
+    assert_equal 200, last_response.status
   end
 
   def test_tutor_can_create_staff_notes
@@ -142,21 +153,29 @@ def test_student_cant_get_staff_notes
 
     get "/api/projects/#{student_project.id}/staff_notes"
     assert_equal 403, last_response.status
+
+    get "/api/csv/units/#{unit.id}/staff_notes"
+    assert_equal 403, last_response.status
   end
 
   def test_tutor_not_in_unit_cannot_access_staff_notes
     # Tutor is not employed into any unit, so they shouldn't have access reading staff notes of any project
     tutor = FactoryBot.create(:user, :tutor)
 
+    project = Project.first
+
     StaffNote.create!({
                         note: "Test note",
-                        project: Project.first,
+                        project: project,
                         user: tutor
                       })
 
     add_auth_header_for(user: tutor)
 
-    get "/api/projects/#{Project.first.id}/staff_notes"
+    get "/api/projects/#{project.id}/staff_notes"
+    assert_equal 403, last_response.status
+
+    get "/api/csv/units/#{project.unit.id}/staff_notes"
     assert_equal 403, last_response.status
   end