remove deprecated getPageContent scope

fixes ADV-170
flag=none

Test plan:
- PreReqs:
  - An LTI tool with the `lti.getPageContent` scope
    `https://canvas.instructure.com/lti/page_content/show`
- Verify the `lti.getPageContent` postMessage works

Change-Id: I2bcc36e63af5631a3a18b66d0e4501456943644c
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/352928
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Xander Moffatt <xmoffatt@instructure.com>
QA-Review: Xander Moffatt <xmoffatt@instructure.com>
Product-Review: Dustin Cowles <dustin.cowles@instructure.com>
Dustin Cowles 2024-07-25 10:24:06 -07:00
parent 47c1db548a
commit 0ffd006141
6 changed files with 6 additions and 26 deletions


@ -657,10 +657,6 @@ class DeveloperKey < ActiveRecord::Base
def validate_scopes!
return true if scopes.empty?
scopes.map! do |scope|
(scope == TokenScopes::LTI_PAGE_CONTENT_SHOW_SCOPE_DEPRECATED) ? TokenScopes::LTI_PAGE_CONTENT_SHOW_SCOPE : scope
end
invalid_scopes = scopes - TokenScopes.all_scopes
return true if invalid_scopes.empty?
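Review bot: Developer keys that already store the `http://canvas.instructure.com/lti/page_content/show` scope are no longer rewritten in `validate_scopes!`, and with the constant gone from `TokenScopes` the value presumably lands in `invalid_scopes`, so the next save of such a key would fail validation. Nothing visible in this commit rewrites stored rows, so a data fixup that replaces the old value with `TokenScopes::LTI_PAGE_CONTENT_SHOW_SCOPE` should run before this ships, unless one already has. The spec that covered the rename is deleted without a replacement; a case asserting that creating a key with the old `http://` string raises `ActiveRecord::RecordInvalid` would pin the new behaviour. The same stored-scope concern applies to the `SCOPE_REQUIRED_SUBJECTS` change in the postMessage handler, where such tools would start receiving the unauthorized error. The body of `validate_scopes!` continues outside the hunk.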


@ -51,7 +51,6 @@ class TokenScopes
LTI_SHOW_ACCOUNT_EXTERNAL_TOOLS_SCOPE = "https://canvas.instructure.com/lti/account_external_tools/scope/show"
LTI_UPDATE_ACCOUNT_EXTERNAL_TOOLS_SCOPE = "https://canvas.instructure.com/lti/account_external_tools/scope/update"
LTI_PAGE_CONTENT_SHOW_SCOPE = "https://canvas.instructure.com/lti/page_content/show"
LTI_PAGE_CONTENT_SHOW_SCOPE_DEPRECATED = "http://canvas.instructure.com/lti/page_content/show" # This is deprecated and will be removed in a future release
LTI_REPLACE_EDITOR_CONTENT_SCOPE = "https://canvas.instructure.com/lti/replace_editor_contents"
LTI_SCOPES = {
LTI_AGS_LINE_ITEM_SCOPE => I18n.t("Can create and view assignment data in the gradebook associated with the tool."),
@ -67,8 +66,7 @@ class TokenScopes
# These are scopes that are used to authorize postMessage calls
# Any scopes here also need to be added to LTI_SCOPES or LTI_HIDDEN_SCOPES
LTI_POSTMESSAGE_SCOPES = [
LTI_PAGE_CONTENT_SHOW_SCOPE,
LTI_PAGE_CONTENT_SHOW_SCOPE_DEPRECATED
LTI_PAGE_CONTENT_SHOW_SCOPE
].freeze
LTI_AGS_SCOPES = [
LTI_AGS_LINE_ITEM_SCOPE,
@ -78,7 +76,6 @@ class TokenScopes
LTI_AGS_SHOW_PROGRESS_SCOPE
].freeze
LTI_HIDDEN_SCOPES = {
LTI_PAGE_CONTENT_SHOW_SCOPE_DEPRECATED => I18n.t("Can view the content of a page it's launched from."),
LTI_CREATE_ACCOUNT_EXTERNAL_TOOLS_SCOPE => I18n.t("Can create external tools."),
LTI_DESTROY_ACCOUNT_EXTERNAL_TOOLS_SCOPE => I18n.t("Can destroy external tools."),
LTI_LIST_ACCOUNT_EXTERNAL_TOOLS_SCOPE => I18n.t("Can list external tools."),


@ -1911,12 +1911,12 @@ RSpec.describe ApplicationController do
context "when external tool has postMessage scopes" do
it "adds tool scopes to the js_env" do
@tool.developer_key = DeveloperKey.create!(scopes: [TokenScopes::LTI_PAGE_CONTENT_SHOW_SCOPE])
@tool.developer_key = DeveloperKey.create!(scopes: TokenScopes::LTI_POSTMESSAGE_SCOPES)
@tool.save!
controller.external_tools_display_hashes(:account_navigation, @course)
expect(controller.js_env[:LTI_TOOL_SCOPES]).to eq("http://example.com" => [TokenScopes::LTI_PAGE_CONTENT_SHOW_SCOPE])
expect(controller.js_env[:LTI_TOOL_SCOPES]).to eq("http://example.com" => TokenScopes::LTI_POSTMESSAGE_SCOPES)
end
end


@ -626,13 +626,6 @@ describe DeveloperKey do
end.to raise_exception ActiveRecord::RecordInvalid
end
it "renames scopes while validating" do
devkey = DeveloperKey.create!(scopes: [TokenScopes::LTI_PAGE_CONTENT_SHOW_SCOPE_DEPRECATED])
devkey.save!
expect(devkey.scopes).to eq [TokenScopes::LTI_PAGE_CONTENT_SHOW_SCOPE]
end
it "rejects changes to routes.rb if it would break an existing scope" do
stub_const("CanvasRails::Application", TokenScopesHelper::SpecHelper::MockCanvasRails::Application)
all_routes = Set.new(TokenScopes.api_routes.pluck(:verb, :path))


@ -165,7 +165,7 @@ describe('ltiMessageHander', () => {
describe('when tool has only other scopes', () => {
it('returns unauthorized error', async () => {
const event = postMessageEvent({subject, origin})
ENV.LTI_TOOL_SCOPES = {origin: ['http://canvas.instructure.com/lti/something/else']}
ENV.LTI_TOOL_SCOPES = {origin: ['https://canvas.instructure.com/lti/something/else']}
await ltiMessageHandler(event)
expect(event.source.postMessage).toHaveBeenCalledWith(
@ -183,10 +183,7 @@ describe('ltiMessageHander', () => {
it('processes message', async () => {
const event = postMessageEvent({subject, origin})
ENV.LTI_TOOL_SCOPES = {
origin: [
'http://canvas.instructure.com/lti/something/else',
'https://canvas.instructure.com/lti/page_content/show',
],
origin: ['https://canvas.instructure.com/lti/page_content/show'],
}
await ltiMessageHandler(event)
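Review bot: No case here checks that a tool holding only the removed `http://canvas.instructure.com/lti/page_content/show` scope is now refused, which is the behaviour this commit introduces for `lti.getPageContent`. In the 'when tool has only other scopes' block, a second `it` that sets `ENV.LTI_TOOL_SCOPES = {origin: ['http://canvas.instructure.com/lti/page_content/show']}` and expects the same unauthorized response would guard against the old value being re-accepted. The 'processes message' fixture also drops its unrelated second scope, so the multi-scope path is no longer exercised; keeping an extra `https://canvas.instructure.com/lti/something/else` entry would retain that coverage. Both `it` bodies continue outside the hunks.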


@ -62,10 +62,7 @@ const SUBJECT_ALLOW_LIST = [
* If a subject is not listed here, it is assumed to be allowed for all tools.
*/
const SCOPE_REQUIRED_SUBJECTS: {[key: string]: string[]} = {
'lti.getPageContent': [
'https://canvas.instructure.com/lti/page_content/show',
'http://canvas.instructure.com/lti/page_content/show',
],
'lti.getPageContent': ['https://canvas.instructure.com/lti/page_content/show'],
}
type SubjectId = (typeof SUBJECT_ALLOW_LIST)[number]
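Review bot: The scope string for `lti.getPageContent` is now the only accepted value and is duplicated as a literal from the Ruby side (`TokenScopes::LTI_PAGE_CONTENT_SHOW_SCOPE`), with nothing on this line saying the two must match. A comment such as `// must match TokenScopes::LTI_PAGE_CONTENT_SHOW_SCOPE; the http:// variant was removed and is intentionally not accepted` above the entry would stop a later edit from re-adding the old value or letting the two drift. The doc comment for `SCOPE_REQUIRED_SUBJECTS` begins outside the hunk.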