RaspberryPiFoundation · DNR500 · Jun 29, 2026 · Jun 23, 2026 · Jun 29, 2026 · Jun 29, 2026
diff --git a/app/models/ability.rb b/app/models/ability.rb
@@ -98,9 +98,9 @@ def define_school_teacher_abilities(user:, school:)
         school_class_id: ClassTeacher.where(teacher_id: user.id).select(:school_class_id)
       )
     ).pluck(:id)
-    can(%i[read], Project, remixed_from_id: teacher_project_ids)
-    can(%i[show_status unsubmit return complete], SchoolProject, project: { remixed_from_id: teacher_project_ids })
-    can(%i[read create destroy], Feedback, school_project: { project: { remixed_from_id: teacher_project_ids } })
+    can(%i[read show_context], Project, school_id: school.id, remixed_from_id: teacher_project_ids)
+    can(%i[show_status unsubmit return complete], SchoolProject, project: { school_id: school.id, remixed_from_id: teacher_project_ids })
+    can(%i[read create destroy], Feedback, school_project: { project: { school_id: school.id, remixed_from_id: teacher_project_ids } })
     can(%i[exchange_code], :google_auth)
   end
 

diff --git a/spec/models/ability_spec.rb b/spec/models/ability_spec.rb
@@ -338,6 +338,7 @@
         let(:user) { create(:teacher, school:) }
 
         it { is_expected.not_to be_able_to(:read, remixed_project) }
+        it { is_expected.not_to be_able_to(:show_context, remixed_project) }
         it { is_expected.not_to be_able_to(:create, feedback) }
         it { is_expected.not_to be_able_to(:read, feedback) }
         it { is_expected.not_to be_able_to(:set_read, feedback) }
@@ -356,6 +357,7 @@
         let(:user) { teacher }
 
         it { is_expected.to be_able_to(:read, remixed_project) }
+        it { is_expected.to be_able_to(:show_context, remixed_project) }
         it { is_expected.to be_able_to(:create, feedback) }
         it { is_expected.to be_able_to(:read, feedback) }
         it { is_expected.not_to be_able_to(:set_read, feedback) }
@@ -370,6 +372,19 @@
         it { is_expected.to be_able_to(:complete, remixed_project.school_project) }
       end
 
+      context 'when remix school_id does not match the parent lesson project school' do
+        let(:user) { teacher }
+        let!(:cross_school_remix) do
+          other_school = create(:school)
+          other_student = create(:student, school: other_school)
+          create(:project, school: other_school, user_id: other_student.id, remixed_from_id: original_project.id)
+        end
+
+        it { is_expected.not_to be_able_to(:read, cross_school_remix) }
+        it { is_expected.not_to be_able_to(:show_context, cross_school_remix) }
+        it { is_expected.not_to be_able_to(:return, cross_school_remix.school_project) }
+      end
+
       context 'when user is another teacher of the class' do
         let(:user) { another_teacher }
 
@@ -382,6 +397,7 @@
         it { is_expected.to be_able_to(:update, original_project) }
 
         it { is_expected.to be_able_to(:read, remixed_project) }
+        it { is_expected.to be_able_to(:show_context, remixed_project) }
         it { is_expected.not_to be_able_to(:create, remixed_project) }
         it { is_expected.not_to be_able_to(:update, remixed_project) }
         it { is_expected.not_to be_able_to(:destroy, remixed_project) }

diff --git a/spec/requests/projects/show_context_spec.rb b/spec/requests/projects/show_context_spec.rb
@@ -75,6 +75,37 @@
       end
     end
 
+    context 'when loading a student remix context for a lesson the teacher teaches' do
+      let(:student) { create(:student, school:) }
+      let!(:project) { create(:project, :with_instructions, school:, lesson:, user_id: teacher.id, locale: nil) }
+      let!(:student_remix) { create(:project, school:, user_id: student.id, remixed_from_id: project.id, locale: nil) }
+      let(:expected_context_json) do
+        {
+          identifier: student_remix.identifier,
+          project_type: project.project_type,
+          school_id: school.id,
+          lesson_id: lesson.id,
+          class_id: school_class.id
+        }.to_json
+      end
+
+      before do
+        create(:class_student, school_class:, student_id: student.id)
+      end
+
+      it 'returns success response' do
+        get("/api/projects/#{student_remix.identifier}/context", headers:)
+
+        expect(response).to have_http_status(:ok)
+      end
+
+      it 'returns the remix project context json' do
+        get("/api/projects/#{student_remix.identifier}/context", headers:)
+
+        expect(response.body).to eq(expected_context_json)
+      end
+    end
+
     context 'when loading another user\'s project context' do
       let!(:another_project) { create(:project, user_id: SecureRandom.uuid, locale: nil) }
       let(:another_project_json) do