remove buggy whitelisting

fixes CNVS-23945 Test plan: * teachers can annotate student submissions * students can see teacher annotatoins * teachers can see student annotations Change-Id: I2f85edd5b6100107c5a636de004561111a5430a3 Reviewed-on: https://gerrit.instructure.com/64965 Tested-by: Jenkins Reviewed-by: Jeremy Stanley <jeremy@instructure.com> QA-Review: Robert Lamb <rlamb@instructure.com> Product-Review: Ethan Vizitei <evizitei@instructure.com>
2015-10-10 16:07:00 -06:00 · 2015-10-10 16:07:00 -06:00 · c3a05c03e4
parent 2376ccbbd4
commit c3a05c03e4
3 changed files with 3 additions and 21 deletions
--- a/app/helpers/attachment_helper.rb
+++ b/app/helpers/attachment_helper.rb
@ -38,7 +38,9 @@ module AttachmentHelper
    if attachment.pending_upload? || attachment.processing?
      attrs[:attachment_preview_processing] = true
    end
-    attrs.inject("") { |s,(attr,val)| s << "data-#{attr}=#{val} " }
+    attrs.map { |attr,val|
+      %|data-#{attr}="#{ERB::Util.html_escape(val)}"|
+    }.join(" ").html_safe
  end

  def media_preview_attributes(attachment, attrs={})
--- a/app/models/crocodoc_document.rb
+++ b/app/models/crocodoc_document.rb
@ -114,18 +114,6 @@ class CrocodocDocument < ActiveRecord::Base
      opts[:filter] = 'none'
    end

-    if whitelist
-      opts[:filter] = case opts[:filter]
-                        when "all"
-                          whitelist.join(",")
-                        when "none"
-                          "none"
-                        else
-                          ids = whitelist.map(&:to_i) & [opts[:filter].to_i]
-                          ids.any? && ids.join(",") || "none"
-                      end
-    end
-
    opts
  end

--- a/spec/models/crocodoc_document_spec.rb
+++ b/spec/models/crocodoc_document_spec.rb
@ -55,14 +55,6 @@ describe 'CrocodocDocument' do
      })
    end

-    it "should only include ids specified in the whitelist" do
-      expect(@crocodoc.permissions_for_user(@teacher, [@teacher.crocodoc_id!, @submitter.crocodoc_id!])).to eq({
-        :filter => "#{@teacher.crocodoc_id!},#{@submitter.crocodoc_id!}",
-        :admin => true,
-        :editable => true,
-      })
-    end
-
    context "submitter permissions" do
      it "should see everything (unless the assignment is muted)" do
        expect(@crocodoc.permissions_for_user(@submitter)).to eq({