Fix media redirect blocking access

fixes RCX-2556
flag=rce_linked_file_urls

Test plan
- Ensure the authenticated_iframe_content
  feature flag is on
- Set up a video in a new quiz question
- Copy the quiz question to an item bank
- In a different course, add that item
  into a new quiz
- As a person who only has access to
  the second course, ensure they can
  access the video file

Change-Id: Ieb1dbee6d2ec52a6f6387a6e84011ec0b0867a84
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/360475
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jorge Andres <jorge.andres@instructure.com>
Product-Review: Jorge Andres <jorge.andres@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Griffin Zody <griffin.zody@instructure.com>
This commit is contained in:
Mysti Lilla 2024-10-18 16:40:30 -06:00
parent 62cad59f92
commit 520670cac5
3 changed files with 49 additions and 7 deletions


@ -84,7 +84,7 @@ class MediaObjectsController < ApplicationController
protect_from_forgery only: %i[create_media_object media_object_redirect media_object_inline media_object_thumbnail], with: :exception
def services_jwt_auth_allowed
params[:action] == "iframe_media_player" && Account.site_admin.feature_enabled?(:rce_linked_file_urls)
%w[media_object_redirect iframe_media_player].include?(params[:action]) && Account.site_admin.feature_enabled?(:rce_linked_file_urls)
end
# @{not an}API Show Media Object Details
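Review bot: The allow-list in `services_jwt_auth_allowed` now admits the services JWT for `media_object_redirect`, but nothing in this hunk shows the redirect action binding the token's `resource` claim to the attachment it serves; the new spec mints a token whose resource is the `/media_attachments_iframe/...` path and then presents it to `media_object_redirect`, so that scoping check presumably lives in the shared InstAccess handling — worth confirming and naming in a comment such as `# Resource scoping of the token is enforced in <PLACEHOLDER: where>; this list only selects which actions accept it.`. A minor style point: the `%w[...]` literal is rebuilt on every request, and hoisting it to `SERVICES_JWT_AUTH_ACTIONS = %w[media_object_redirect iframe_media_player].freeze` keeps the list in one place for the next action that needs it.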


@ -45,7 +45,7 @@ module Api::V1::MediaObject
api_json(media_object, current_user, session, API_MEDIA_OBJECT_JSON_OPTS).tap do |json|
json["title"] = media_object.guaranteed_title
json["can_add_captions"] = attachment.grants_right?(current_user, session, :update)
json["media_sources"] = media_sources_json(media_object, attachment:, verifier:) unless exclude.include?("sources")
json["media_sources"] = media_sources_json(media_object, attachment:, verifier:, access_token:, instfs_id:) unless exclude.include?("sources")
json["embedded_iframe_url"] = media_attachment_iframe_url(attachment.id)
json["auto_caption_status"] = media_object.auto_caption_status
@ -59,11 +59,11 @@ module Api::V1::MediaObject
end
end
def media_sources_json(media_object, attachment: nil, verifier: nil)
def media_sources_json(media_object, attachment: nil, verifier: nil, access_token: nil, instfs_id: nil)
media_object.media_sources&.map do |mo|
if Account.site_admin.feature_enabled?(:authenticated_iframe_content)
mo[:url] = if attachment
media_attachment_redirect_url(attachment.id, bitrate: mo[:bitrate], verifier:)
media_attachment_redirect_url(attachment.id, bitrate: mo[:bitrate], verifier:, access_token:, instfs_id:)
else
media_object_redirect_url(media_object.media_id, bitrate: mo[:bitrate])
end
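Review bot: In `media_sources_json` the new `access_token:` and `instfs_id:` keywords are forwarded only on the `attachment` branch; the `media_object_redirect_url` branch drops them silently, and since the signature now advertises both, callers may assume either route carries the token, so the `else` branch needs a comment saying why it is token-less — or the keywords should be forwarded there too if that route accepts them. Note also that the resulting `src`/`url` values now embed a bearer token in the query string (the spec's expected URL shows `access_token=`), so the returned JSON should be treated as sensitive rather than logged or cached; a `# NOTE: url carries the caller's InstAccess token` beside the assignment would flag that for the next reader. The `map` block and the method continue past the end of the hunk.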


@ -1393,7 +1393,7 @@ describe MediaObjectsController do
@media_object = @course.media_objects.create! media_id: "0_deadbeef", user_entered_title: "blah.flv"
@attachment = @course.attachments.create! media_entry_id: "0_deadbeef", filename: "blah.flv", uploaded_data: StringIO.new("data")
allow_any_instance_of(MediaObject).to receive(:media_sources).and_return(
[{ url: "whatever man", bitrate: 12_345 }]
[{ url: "http://instfs.test/redirect_to_media", bitrate: 12_345 }]
)
end
@ -1403,8 +1403,8 @@ describe MediaObjectsController do
{
bitrate: 12_345,
label: "12 kbps",
src: "whatever man",
url: "whatever man"
src: "http://instfs.test/redirect_to_media",
url: "http://instfs.test/redirect_to_media"
}
]
)
@ -1453,6 +1453,48 @@ describe MediaObjectsController do
]
)
end
describe "with JWT access token" do
include_context "InstAccess setup"
before do
@media_object.attachment.update!(file_state: "hidden")
user_with_pseudonym
jwt_payload = {
resource: "/media_attachments_iframe/#{@media_object.attachment_id}?instfs_id=stuff",
aud: [@course.root_account.uuid],
sub: @user.uuid,
tenant_auth: { location: "location" },
iss: "instructure:inst_access",
exp: 1.hour.from_now.to_i,
iat: Time.now.to_i
}
@token_string = InstAccess::Token.send(:new, jwt_payload).to_unencrypted_token_string
allow(InstFS).to receive_messages(enabled?: true, app_host: "http://instfs.test")
stub_request(:get, "http://instfs.test/files/stuff/metadata").to_return(status: 200, body: { url: "http://instfs.test/stuff" }.to_json)
stub_request(:get, "http://instfs.test/redirect_to_media").to_return(status: 200)
end
it "allows access" do
expect(InstFS).to receive(:get_file_metadata).with(@media_object.attachment).and_return({ url: "http://instfs.test/stuff" })
get "media_object_redirect", params: { attachment_id: @media_object.attachment_id, access_token: @token_string, instfs_id: "stuff" }, format: "json"
expect(response).to be_redirect
end
it "returns the media_attachment redirect url as the source when attachment is present and attached verifier if passed" do
expect(controller.media_sources_json(@media_object, attachment: @attachment, access_token: @token_string, instfs_id: "stuff")).to eq(
[
{
bitrate: 12_345,
label: "12 kbps",
src: "http://test.host/media_attachments/#{@attachment.id}/redirect?access_token=#{@token_string}&bitrate=12345&instfs_id=stuff",
url: "http://test.host/media_attachments/#{@attachment.id}/redirect?access_token=#{@token_string}&bitrate=12345&instfs_id=stuff"
}
]
)
end
end
end
end
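Review bot: The `"allows access"` example asserts only `be_redirect`, which an unauthenticated request bounced to a login page would also satisfy; pinning the target with something like `expect(response.location).to start_with("http://instfs.test/stuff")` (the URL the metadata stub returns) would make the assertion meaningful. There is also no negative case in this context — a token whose `resource` names a different attachment, or an expired token, should still be rejected by `media_object_redirect`, and a regression example for that is what actually protects the widened allow-list. Minor: the second example's description mentions a verifier, but it passes `access_token:` and `instfs_id:`, so the description should say so.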