Ensure safeguarding flags before Profile student calls

[abcampo-iry]

Status

• Closes https://github.com/RaspberryPiFoundation/digital-editor-issues/issues/1475

What's changed?

This change ensures safeguarding flags are created before editor-api calls Profile’s protected school-student endpoints.

Instead of relying on individual controllers to create the flags, flag creation now happens at the SchoolStudent / Profile API boundary. This covers controller and non-controller callers, including class member listing, project student-name lookups, SSO student imports, batch student creation jobs, and student removal.

The duplicated safeguarding flag logic has been removed from SchoolStudentsController and SchoolMembersController, and a new SafeguardingFlagService centralizes owner/teacher flag creation.

Member listing now also propagates SchoolStudent::List failures instead of treating failed student lookups as empty lists. This prevents school/class member endpoints from returning successful but incomplete responses when safeguarding flag creation or Profile API calls fail.

Steps to perform after deploying to production

If the production environment requires any extra work after this PR has been deployed detail it here. This could be running a Rake task, a migration, or upgrading a Gem. That kind of thing.

[github-actions]

Test coverage

91.65% line coverage reported by SimpleCov.
Run: https://github.com/RaspberryPiFoundation/editor-api/actions/runs/27421441456

[Copilot]

Pull request overview

This PR centralizes safeguarding flag creation so it occurs consistently before editor-api calls Profile’s protected school-student endpoints, covering controller and non-controller callers.

Changes:

• Introduces SafeguardingFlagService to create owner/teacher safeguarding flags in one place.
• Moves safeguarding flag creation to the SchoolStudent/Profile API boundary (concepts/jobs/services) and removes duplicated controller logic.
• Updates/extends specs to stub or assert safeguarding flag behavior in affected flows.

Reviewed changes

Copilot reviewed 30 out of 30 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
spec/services/student_removal_service_spec.rb	Stubs safeguarding flag creation to match updated service behavior.
spec/services/safeguarding_flag_service_spec.rb	Adds unit coverage for new safeguarding flag service behaviors.
spec/requests/projects/show_spec.rb	Stubs safeguarding flag creation for request path that now triggers it.
spec/requests/projects/remix_spec.rb	Stubs safeguarding flag creation for request path that now triggers it.
spec/models/project_spec.rb	Stubs safeguarding flag creation for model flows calling student listing.
spec/jobs/create_students_job_spec.rb	Stubs safeguarding flag creation for job path.
spec/features/school_student/deleting_a_school_student_spec.rb	Adjusts delete specs to use real student IDs for calls that now trigger safeguarding flags.
spec/features/school_class/importing_a_school_class_spec.rb	Stubs safeguarding flag creation for import flow.
spec/features/class_member/listing_class_members_spec.rb	Stubs safeguarding flag creation for member listing flow.
spec/features/class_member/creating_a_class_member_spec.rb	Adds safeguarding stub and fixes owner setup in feature spec.
spec/features/class_member/creating_a_batch_of_class_members_spec.rb	Stubs safeguarding flag creation for batch creation flow.
spec/concepts/school_student/validate_batch_spec.rb	Stubs safeguarding flag creation for validate batch concept.
spec/concepts/school_student/update_spec.rb	Stubs safeguarding flag creation for update concept.
spec/concepts/school_student/list_spec.rb	Stubs + asserts safeguarding call occurs before listing students.
spec/concepts/school_student/delete_spec.rb	Stubs safeguarding flag creation for delete concept.
spec/concepts/school_student/create_spec.rb	Stubs safeguarding flag creation for create concept.
spec/concepts/school_student/create_batch_sso_spec.rb	Stubs + asserts safeguarding call occurs before SSO batch creation.
spec/concepts/school_member/list_spec.rb	Stubs safeguarding flag creation due to downstream student listing changes.
spec/concepts/class_member/list_spec.rb	Stubs safeguarding flag creation due to downstream student listing changes.
lib/concepts/school_student/validate_batch.rb	Ensures safeguarding flag before Profile validate call.
lib/concepts/school_student/update.rb	Ensures safeguarding flag before Profile school-student lookup/update path.
lib/concepts/school_student/list.rb	Ensures safeguarding flag before Profile list call.
lib/concepts/school_student/delete.rb	Ensures safeguarding flag before Profile delete call.
lib/concepts/school_student/create.rb	Ensures safeguarding flag before Profile create call.
lib/concepts/school_student/create_batch_sso.rb	Ensures safeguarding flag before Profile SSO batch create call; adjusts method signature to accept current_user.
app/services/student_removal_service.rb	Ensures safeguarding flag before Profile delete call during removals.
app/services/safeguarding_flag_service.rb	Adds new centralized service for safeguarding flag creation.
app/jobs/create_students_job.rb	Ensures safeguarding flag before Profile batch create call in background job.
app/controllers/api/school_students_controller.rb	Removes duplicated controller-level safeguarding flag creation.
app/controllers/api/school_members_controller.rb	Removes duplicated controller-level safeguarding flag creation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 31 out of 31 changed files in this pull request and generated 1 comment.