Anonymize Submission json when anonymous_grading on

When the "Graders cannot view student names" option is enabled on an assignment, submitter information should not be available to graders in the API, as it is hidden from them in the UI. Test Plan: - Ensure the Anonymous Grading feature flag is enabled on the account - In a course with at least 1 teacher and 1 student - Create an assignment with the "Graders cannot view student names" option checked - Submit to the assignment as a student and leave a submission comment - As the teacher, make a GET request to api/v1/courses/<course_id>/assignments/<assignment_id>/submissions ?include[]=submission_comments&include[]=user - Verify that there is no information in the response that identifies the commenter fixes KNO-30 flag=none Change-Id: I712007f565979d206c88b88bcdd8f0d42625d260 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/229576 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Davis Hyer <dhyer@instructure.com> QA-Review: Davis Hyer <dhyer@instructure.com> Product-Review: Davis Hyer <dhyer@instructure.com>
2020-03-10 17:09:43 -06:00 · 2020-03-10 17:09:43 -06:00 · 79cba0a46c
parent 4ee6cfa0b0
commit 79cba0a46c
4 changed files with 40 additions and 4 deletions
--- a/app/models/submission.rb
+++ b/app/models/submission.rb
@ -548,6 +548,7 @@ class Submission < ActiveRecord::Base
  end

  def can_read_submission_user_name?(user, session)
+    return false if self.assignment.anonymize_students?
    !self.assignment.anonymous_peer_reviews? ||
        self.user_id == user.id ||
        self.assignment.context.grants_right?(user, session, :view_all_grades)
--- a/app/models/submission_comment.rb
+++ b/app/models/submission_comment.rb
@ -268,6 +268,7 @@ class SubmissionComment < ActiveRecord::Base

  def can_read_author?(user, session)
    RequestCache.cache('user_can_read_author', self, user, session) do
+      return false if self.submission.assignment.anonymize_students?
      (!self.anonymous? && !self.submission.assignment.anonymous_peer_reviews?) ||
          self.author == user ||
          self.submission.assignment.context.grants_right?(user, session, :view_all_grades) ||
--- a/lib/api/v1/submission.rb
+++ b/lib/api/v1/submission.rb
@ -95,14 +95,16 @@ module Api::V1::Submission
    end

    if includes.include?("html_url")
-      hash['html_url'] = course_assignment_submission_url(submission.context.id, assignment.id, submission.user.id)
+      hash['html_url'] = assignment.anonymize_students? ?
+        speed_grader_course_gradebook_url(assignment.context, assignment_id: assignment.id, anonymous_id: submission.anonymous_id) :
+        course_assignment_submission_url(submission.context.id, assignment.id, submission.user.id)
    end

-    if includes.include?("user")
+    if includes.include?("user") && submission.can_read_submission_user_name?(current_user, session)
      hash['user'] = user_json(submission.user, current_user, session, ['avatar_url'], submission.context, nil)
    end

-    if assignment && includes.include?('user_summary')
+    if assignment && includes.include?('user_summary') && submission.can_read_submission_user_name?(current_user, session)
      hash['user'] = user_display_json(submission.user, assignment.context)
    end

@ -161,7 +163,7 @@ module Api::V1::Submission
      hash['grade_matches_current_submission'] = hash['grade_matches_current_submission'] != false
    end

-    unless params[:exclude_response_fields] && params[:exclude_response_fields].include?('preview_url')
+    unless (params[:exclude_response_fields] && params[:exclude_response_fields].include?('preview_url')) || assignment.anonymize_students?
      preview_args = { 'preview' => '1' }
      preview_args['version'] = quiz_submission_version || attempt.quiz_submission_version || attempt.version_number
      hash['preview_url'] = course_assignment_submission_url(context, assignment, attempt[:user_id], preview_args)
--- a/spec/apis/v1/submissions_api_spec.rb
+++ b/spec/apis/v1/submissions_api_spec.rb
@ -785,6 +785,38 @@ describe 'Submissions API', type: :request do
    expect(comment_json['author']).to be_empty
  end

+  it 'does not return submitter info when anonymous grading is on' do
+    submitter = student_in_course({ :active_all => true }).user
+
+    assignment = assignment_model(course: @course)
+    assignment.update_attribute(:anonymous_grading, true)
+    expect(assignment.reload.anonymous_grading?).to be_truthy
+
+    submission = assignment.submit_homework(submitter, body: "Anon Submission")
+    submission_comment = submission.add_comment({
+      author: submitter,
+      comment: "Anon Comment"
+    })
+
+    @user = teacher_in_course({ :active_all => true }).user
+    url = "/api/v1/courses/#{@course.id}/assignments/#{assignment.id}/submissions"
+    json = api_call(:get, url, {
+      :controller => 'submissions_api',
+      :action => 'index',
+      :format => 'json',
+      :course_id => @course.to_param,
+      :assignment_id => assignment.to_param
+    }, {
+      :include => %w(user, submission_comments)
+    })
+
+    expect(json.first['user']).to be_nil
+    comment_json = json.first['submission_comments'].first
+    expect(comment_json['author_id']).to be_nil
+    expect(comment_json['author_name']).to match(/Anonymous/)
+    expect(comment_json['author']).to be_empty
+  end
+
  it "loads discussion entry data" do
    @student = user_factory(active_all: true)
    course_with_teacher(:active_all => true)