Commit Graph

13 Commits

Author SHA1 Message Date
Jacob Fugal d9c6e2a0cd clarify Slug vs. UUID and fix event stream
refs CNVS-13987

what was called CanvasUuid was *not* generating UUIDs. it was generating
slugs. by default, its generate method only creates 4 character slugs.
these should obviously not be used as UUIDs. the misnomer already caused
a bug in EventStream where it used these slugs as UUIDs, causing
collisions. to fix:

 (1) rename canvas_uuid gem to canvas_slug, and rename its primary
     class CanvasUuid to CanvasSlug
 (2) create new canvas_uuid gem, with class CanvasUUID, extracted from
     lib/uuid_singleton for actual UUID generation
 (3) fix event stream to use CanvasUUID, rather than following the rename
     of CanvasUuid to CanvasSlug

test-plan:
 - have cassandra set up for audit logs
 - create an audit log entry (e.g. change a grade)
 - look at the generated audit log entry's id field; it should be a UUID
   value, not a 4 character slug

Change-Id: I19758fff4433cd6cb2e21219217dced19ee05c5a
Reviewed-on: https://gerrit.instructure.com/37506
Reviewed-by: Rob Orton <rob@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: August Thornton <august@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Product-Review: Brian Palmer <brianp@instructure.com>
2014-07-11 16:58:42 +00:00
Jeremy Stanley ecd7c6c7f7 don't add verifiers to locked file links
test plan:
 - have a course with a public syllabus
 - link to two files in the syllabus body:
   - a locked file
   - an unlocked file
 - access the course syllabus without logging in
   - the unlocked file link should work
   - the locked file link should not

fixes CNVS-11569

Change-Id: I75d25a46c7e4fac43c7f187a4aba166be85d1010
Reviewed-on: https://gerrit.instructure.com/31270
Reviewed-by: Bracken Mosbacker <bracken@instructure.com>
Product-Review: Bracken Mosbacker <bracken@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Nathan Rogowski <nathan@instructure.com>
2014-03-05 17:46:31 +00:00
Mark Severson f1365969fb fix wiki links in course copy/migrations
test plan:
 - with draft state enabled
 * create a wiki page
   - use the sidebar to add a link to another wiki page
 * save the page
 * edit the page
   - html view should show the href as ../pages/.. not ../wiki/..
   - copy the link, changing the href to be ../wiki/..
 * save the page
 * copy the course
 * navigate to the copied wiki page
   - both links should point to the page in the new course

fixes CNVS-11443

Change-Id: Ib7f8b175ac6d894a9bfa651f8536b7cd48b60aac
Reviewed-on: https://gerrit.instructure.com/30780
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Matt Fairbourn <mfairbourn@instructure.com>
2014-03-04 00:17:56 +00:00
Joshua Simpson 1e81ea7caa move quiz into quizzes namespace as a precursor to enginifying
fixes CNVS-10679
this commit refactors quiz into a quizzes namespace. it contains various
shims to facilitate the data migration of polymorphic relationships
('Quiz' -> 'Quizzes::Quiz').  JIRA contains several tickets linked to
the above tickets in regards to removing these shims after the data
migration, as well as the strategies on reverting the shims once the
data migration is complete.
Change-Id: I30c566d60a87af6ee83e9d0041fdcb909ead6a89
Reviewed-on: https://gerrit.instructure.com/28573
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Derek DeVries <ddevries@instructure.com>
QA-Review: Myller de Araujo <myller@instructure.com>
Product-Review: Josh Simpson <jsimpson@instructure.com>
2014-01-24 00:08:46 +00:00
James Williams de56865d66 copy links to wiki pages that start with numbers correctly
fixes a problem where internal links to wiki pages that
had titles that started with numbers would cause the
regular expressions to break

(also fixes a couple random typos and such)

test plan:
* create a wiki page with a title that starts with a
 numeric character
* create a link to that wiki page (such as on another
wiki page)
* copy the course
* the copied course should have a correct link

fixes #CNVS-4158

Change-Id: I8c6a26feb4766e078f06656e7e26f381ae5934d5
Reviewed-on: https://gerrit.instructure.com/18064
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Adam Phillipps <adam@instructure.com>
2013-03-15 14:30:58 -06:00
Jeremy Stanley 0d22568b75 improve link handling in exports
fixes #9345
fixes #10702

test plan:
 (for #9345)
  * create a course with a file and an assignment
  * put a link to the file in the assignment description
  * make the link text also be the link to the file
    you should have something like this:
    <a href="/courses/XXX/files/YYY/download?wrap=1">/courses/XXX/files/YYY/download?wrap=1</a>
  * export the course.  the assignment export should succeed (no errors in the summary)
  * import the export, and the assignment should be there

 (for #10702)
  * create a course with two assignments, each in separate assignment groups, and a file
  * put a link to the file in the syllabus description, using the link itself as the
    link text, as above
  * export/import, and verify the assignment groups don't disappear

Change-Id: Icb0a8727a5d7f703bdf7646d98b72b2877246576
Reviewed-on: https://gerrit.instructure.com/13863
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Bracken Mosbacker <bracken@instructure.com>
2012-09-26 09:32:33 -06:00
Jacob Fugal 556c94da56 allow more flexible widths/heights in user content
old UserContent.css_size was really weird about what it would accept and
when it would return a String vs. a Float. the times it returned a
Float, it would make api_user_content explode. fix that and add some
specs. the vulnerable code was exercised, among other places, in the
assignment json, which impacts gradebooks and other UI features.

fixes #9881

test-plan:
  - create an assignment in a course
  - in the assignment description, include the html
    <object width='100%' />
  - try and view the gradebook for the course
  - it should not have an ajax request error

Change-Id: I02e824414013347730185fbf7f7fb94a951f3e77
Reviewed-on: https://gerrit.instructure.com/12895
Reviewed-by: Jacob Fugal <jacob@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
2012-08-21 09:50:50 -06:00
Brian Palmer eb2cda9b26 use safefiles for object/embed tags in api responses, closes #8115
This modifies the API to return information on the required user_content
params for api responses. The javascript then processes the api response
fields and replaces the user content with iframe posts to safefiles,
same as we do server-side in erb currently for user_content in non-api
responses. This is done before the html is inserted on the page.

The current implementation requires the api to respond with these extra
data attributes all the time, not just for in-app requests. This isn't
ideal, but other api users will safely ignore those extra data
attributes.

test plan: in a discussion, post a reply that contains an object or
embed tag. reload the page and verify that the flash or java or whatever
still appears. inspect the html, and check that it is contained inside
an iframe pointing to the safefiles domain, rather than embedded
directly on the main canvas domain.

Change-Id: I5f1c5f4f267f654ec339ee422f0743f33ee2564f
Reviewed-on: https://gerrit.instructure.com/12111
Reviewed-by: Simon Williams <simon@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
2012-07-10 14:35:38 -06:00
Zach Pendleton d397bc98bb interpolate links to module items on course copy. fixes #8754
test plan:
  * create a course with a module that has an external tool link in it;
  * link to the external tool from a wiki page (you'll need to do this
    manually by copying the link from the modules page and taking the
    path);
  * create a new course and copy the first course's content into it;
  * verify that the link exists in the wiki page and properly links to
    the external tool.

Change-Id: Ia7a3169ba1deb9e42955b658a3bf26203d311e5d
Reviewed-on: https://gerrit.instructure.com/10997
Reviewed-by: Bracken Mosbacker <bracken@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
2012-05-24 15:02:04 -06:00
Brian Whitmer 047842784f allow basic lti links from arbitrary content
Basic LTI links before could only be added as items in context
modules.  This extends that functionality to also support inserting
Basic LTI links into rich content fields.  There is no UI provided
for inserting these links, that comes in another commit.

test plan:
- create an external tool in a course with a specific url
- manually create a URL to
  /courses/:id/external_tools/retrieve?url=<url>
- the tool should be loaded at the given url

Change-Id: I658b838b8c9a2a6826cf803fd41cb9924fb287ef
Reviewed-on: https://gerrit.instructure.com/5428
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Bracken Mosbacker <bracken@instructure.com>
2011-11-07 12:38:19 -07:00
Brian Palmer 150491a217 refactor user content rewriters
One in course copy, and one in common cartridge export.

refs #5739

Change-Id: I4ba016f643a22f0cf3f6dbbe6b00dcd7d228a10a
Reviewed-on: https://gerrit.instructure.com/5979
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Bracken Mosbacker <bracken@instructure.com>
2011-10-10 15:05:15 -06:00
Jon Jensen 1478ac4795 mathml for screen readers, refs #4362
Change-Id: I833656291e55eab7c29dea46331cf096d47808d1
Reviewed-on: https://gerrit.instructure.com/3837
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Brian Whitmer <brian@instructure.com>
2011-05-26 09:57:12 -06:00
Brian Palmer d87c33d91d modify user_content strategy, fixes #3676
user_content will now work for any arbitrary RTE field, no matter if it
came from a column, a string nested three levels deep in a serialized
column, whatever.

let's call this technique "controlled XSS injection"

Change-Id: I56eed1f9b546ac7849dc60faa0f2b3801231131e
Reviewed-on: https://gerrit.instructure.com/3704
Reviewed-by: Brian Palmer <brianp@instructure.com>
Tested-by: Hudson <hudson@instructure.com>
2011-05-19 15:46:56 -06:00