When 'Assignment Enhancements — Student' is enabled, observers will now
be able to view the assignment page without error. The observers will
be sent to the 'old' assignments page.
closes EVAL-1383
flag=assignments_2_student
Test Plan:
1. Add at least one observer and one assignment to a published course.
2. Enable the Assignment Enhancements - Student feature option at the
account.
3. Act as the observer and view the assignment
4. Verify the 'assignment show' page is shown (with assignment title,
details, due date, etc.). Note that this is the "old" assignment
show page, and not an enhanced version of the page. This is
intentional.
Change-Id: I07ac9deab33a5a5e5378c9ac15c6e4df433d3932
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256464
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Adrian Packel <apackel@instructure.com>
Reviewed-by: Kai Bjorkman <kbjorkman@instructure.com>
QA-Review: Syed Hussain <shussain@instructure.com>
Product-Review: Syed Hussain <shussain@instructure.com>
when start/end dates are not completely specified in content imports,
canvas looks for the first and last event/due dates in the course to
help with the math. the problem is that it also uses these dates to
set the course start / conclude dates. if one of these dates is given
and the other is implied, the validation check in the migration code
is circumvented and the Course model validation fails instead, which
causes the migration to fail and some post-migration housekeeping
(such as cached due dates) does not run
I think it doesn't make sense to make the implicit start/end dates
explicit in the first place, so I prefer to take them out rather
than fix the validation.
test plan:
- have a course with no start/end dates and one assignment
with a due date
- create an empty course shell to copy into. enroll a
student in the course.
- perform a course copy, choose to shift dates, and leave
three dates blank, specifying only the new end date,
and give a date that is *earlier* than the assignment's
due date
- the migration should succeed
- speedgrader should be able to view the assignment in
the destination course
fixes LS-1670
Change-Id: Ic50004fb53f91cb2d048ab47bfbcafbb410cff59
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256404
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Robin Kuss <rkuss@instructure.com>
QA-Review: Robin Kuss <rkuss@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
closes FOO-1373
flag=none
TEST PLAN:
1) index quizzes on a public course with no user
and the course has engine_selected/user_id
in settings
2) no 500 happens on quiz_engine_selection helper
Change-Id: Idbe57981a285602b66f952c6611c12ea16119b18
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255658
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
Add a confirmation dialog when enabling "View Ungraded as 0" in
Gradebook if the current user has not previously enabled it for any
course.
closes EVAL-1352
flag=view_ungraded_as_zero
Test plan:
- Before testing, make sure you have a course with "view ungraded as
zero" set to OFF so you don't confuse yourself
- Open Gradebook and enable the "View Ungraded as Zero" menu option
- A confirmation dialog should appear
- Click "Cancel" and check that the option has not been enabled
- Select it again, and click "OK" this time
- It should be enabled, and the total grades in gradebook should
update appropriately
- Toggle it off and on again and check that you don't get the
confirmation dialog
- As the same teacher viewing a different course, enable the option and
check that the confirmation dialog is not shown
- Log in as a different teacher and check that you *do* get the
confirmation dialog the first time you enable the option
Addendum: to clear a previous acceptance of the modal for a given user,
you can run the following in a Rails console:
> data = CustomData.find_by(
    user: <user>,
    namespace: "com.instructure.canvas"
  )
> data.delete_data("gradebook")
Change-Id: I89f50b77775362d63f5d3a8cda141eb472dec53b
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256086
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Syed Hussain <shussain@instructure.com>
Reviewed-by: Gary Mei <gmei@instructure.com>
QA-Review: Syed Hussain <shussain@instructure.com>
Product-Review: Syed Hussain <shussain@instructure.com>
closes OUT-4134
flag=improved_outcomes_management
Test plan:
- ensure you have several outcome groups
with outcomes, some of which are assessed
and some of which are not
- at canvas.docker/graphiql, query several
outcome groups (verify ids make sense):
query MyQuery {
  group1: learningOutcomeGroup(id: "1") {
    _id
    outcomes {
      nodes {
        ... on LearningOutcome {
          id
          assessed
          title
        }
      }
    }
  }
  group2: learningOutcomeGroup(id: "2") {
    _id
    outcomes {
      nodes {
        ... on LearningOutcome {
          id
          assessed
          title
        }
      }
    }
  }
}
- monitor the rails log to see SQL queries:
dc exec web tail -f log/development.log
- verify no n+1 queries in the log
- verify that the list of outcomes is correct and the
assessed attribute is correct
Change-Id: I2ee0b7ca1934154dc97441bda1176457e8d12dab
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255748
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Augusto Callejas <acallejas@instructure.com>
QA-Review: Pat Renner <prenner@instructure.com>
Product-Review: Michael Brewer-Davis <mbd@instructure.com>
closes LS-1481
flag=none
though since media objects are never deleted, maybe this is a waste!?!
With this change, when presented with a media viewer URL (a url that
looks like "/media_objects_iframe/media-id-here") it
1. finds the Attachment with the matching media_entry_id which it uses
to figure out the context
2. finds the MediaObject
3. validates the MediaObject
test plan:
- in the RCE, embed media
- in /course/:id/link_validator, click the validate links button
> expect it to say all's good
- in the RCE's html editor, change the media object's id in the
media player's iframe's src
- go back and run the link validator
> expect the URL to be reported as
"Non-existent content referenced in this resource"
- in the RCE, using the Media Options tray, change the media
to "Display Text Link" and save
- rerun the validator
> expect the URL to be reported as non-existent
Change-Id: Ia9f43c5cf16fa489b1ad055cb31de025926ca31c
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256262
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Nate Armstrong <narmstrong@instructure.com>
QA-Review: Nate Armstrong <narmstrong@instructure.com>
Product-Review: Ed Schiebel <eschiebel@instructure.com>
Allows AssignmentGroupsController#index to accept the assignment_ids
param as a comma separated string. Also falls back to requesting
assignments without the assignment_ids param if including that param
would put us over the request URI limit.
closes EVAL-1338
flag=none
Test Plan:
1. In a course using Multiple Grading Periods with assignments due in
different grading periods, go to the Gradebook.
2. Select 'All Grading Periods' from the dropdown, and then refresh the
page. Verify all assignments + totals are shown, and then select an
individual grading period from the dropdown and verify the correct
assignments + totals are shown. Then select another individual
grading period from the dropdown and verify the correct assignments
+ totals are shown.
3. With an individual grading period selected in the dropdown, refresh
the page. In the browser console, find the assignment_groups API call
and verify the 'assignment_ids' param is being requested as a comma
separated string and not as an array (so the param should look like
'assignment_ids=1,2,3' instead of
'assignment_ids[]=1&assignment_ids[]=2&assignment_ids[]=3'). After
page refresh, verify the correct assignments + totals are shown, then
select another grading period from the dropdown and verify the
correct assignments + totals are shown, and finally select 'All
Grading Periods' from the dropdown and verify the correct assignments
+ totals are shown.
4. Now we want to simulate the max URI length being exceeded. Go to
the AssignmentGroupsLoader.js file and make the first line of the
_maxAssignmentCount method the following:
return 1
Then refresh the gradebook with an individual grading period
selected. In the browser console, find the assignment_groups API
call (there should only be one) and verify there is no
assignment_ids param being passed.
Change-Id: Ic951b391ce025852d5bb1d439136bc9616aff282
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255980
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Adrian Packel <apackel@instructure.com>
Reviewed-by: Syed Hussain <shussain@instructure.com>
QA-Review: Syed Hussain <shussain@instructure.com>
Product-Review: Syed Hussain <shussain@instructure.com>
closes INTEROP-6312
flag=none
test plan:
* Have an LTI 1.3 installed with the editor button enabled into the
related developer key;
* Have a Course recorded;
* When creating/editing an Assignment/Discussion/Pages/etc, into the RCE
add an integration with the LTI tool and check:
* A new LTI:ResourceLink was recorded to this Course;
* The URL link generate must have the resource_link_lookup_id
parameter;
Change-Id: I080ee4ebde49b5aa4301e4261cce94f5792cdc56
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256029
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Evan Battaglia <ebattaglia@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Evan Battaglia <ebattaglia@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
this makes it match the sent scope logic in
api v1 conversations
flag=none
fixes VICE-1038
test plan:
- as a user, send a message to another user
- make a graphql query as that user for your
conversations with the sent scope
- verify that only and all messages you have
sent out show
see the spec addition, it verifies the same thing
Change-Id: I9e43b4b166d86d65a4de9266f71ad8d3af657af0
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256249
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Matthew Lemon <mlemon@instructure.com>
QA-Review: Matthew Lemon <mlemon@instructure.com>
Product-Review: Matthew Lemon <mlemon@instructure.com>
also default to unspecified for new configs
test plan:
* set up a new SAML config against an ADFS server, specifying a metadata url
* the identifier format should stay as unspecified
* logins should work
Change-Id: I9cdf106aa3a708984a1eb3985b2520210ee6a606
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256225
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
flag=none
Test Plan:
New comments are clear and correct
Change-Id: Ib568a7767ddaf23552a3bdae09515849dc19a0f9
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256190
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Evan Battaglia <ebattaglia@instructure.com>
QA-Review: Evan Battaglia <ebattaglia@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
closes FOO-1438
flag=none
TEST PLAN:
1) break inst-fs so it returns 502s
2) try to submit a submission using inst-fs
3) you get a 502, but sentry doesn't get an error
Change-Id: I9a78cb9c9826ac6ae5dfa96a444bbf3937f5d78e
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256241
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Michael Ziwisky <mziwisky@instructure.com>
QA-Review: Michael Ziwisky <mziwisky@instructure.com>
Product-Review: Michael Ziwisky <mziwisky@instructure.com>
(safe because these descriptions are managed by instructure engineers
even though they come from the api)
fixes FOO-1415
Change-Id: I9135061653c4f44d001845e37190dd2001963c6a
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256178
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Michael Ziwisky <mziwisky@instructure.com>
QA-Review: Jacob Burroughs <jburroughs@instructure.com>
Product-Review: Jacob Burroughs <jburroughs@instructure.com>
closes FOO-1436
flag=none
TEST PLAN:
1) make a giant group with more memberships than your setting value
2) ask for the groups index with "include[]=users"
3) you only get the first N users in each group
4) you can still paginate through group memberships
from the memberships endpoint successfully
Change-Id: I211c48d7adcc444b9d9e05d22b38131add66be41
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256219
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
fixes FOO-1349
flag=none
test plan:
- log in and visit /calendar#view_name=month&view_start=2020-12-13&__proto__%5Bdiv%5D%5B0%5D=1&__proto__%5Bdiv%5D%5B1%5D=<img/src/onerror%3dalert(document.domain)>&__proto__%5Bdiv%5D%5B2%5D=1
- you should not see an alert pop up
Change-Id: I3e13be0f25fde8826028422f7dc14a5a89f7491b
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256153
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
fixes LS-1742
flag = rce_enhancements
Test plan:
- Edit something in the new RCE
- Upload a video and add captions (or find an existing captioned
video somewhere)
- Play the video and ensure that captions appear at the bottom of
the player and are displayed with a sans-serif font
- View the video outside of the RCE and ensure that this is still
true
Change-Id: Ide57770c34abb84655ed2a2bfd55e38b37d42922
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256192
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Ed Schiebel <eschiebel@instructure.com>
QA-Review: Ed Schiebel <eschiebel@instructure.com>
Product-Review: Jeff Largent <jeff.largent@instructure.com>
closes LS-1733
flag=rce_pretty_html_editor
requires rce_enhancements to be on as well. I'm not sure the
new flag is necessary, and as of PS1, it doesn't fully hide the
new html editor functionality.
The INSTUI CodeEditor component uses CodeMirror v5, which sadly
is not accessible. https://github.com/codemirror/codemirror.next,
or https://codemirror.net/6/ for details on a future version.
For now, the RCE still provides access to the raw textarea if
KB access is needed by the user.
BONUS FEATURE! the html editors can now be viewed fullscreen
test plan:
- with the Pretty html editor feature flag off
- click the </> button
> expect the old boring html editor
- turn on Pretty HTML Editor feature flag
- click the </> button
> expect the deluxe new html editor
- click the "Raw HTML Editor" link
> expect the old boring editor
- click the "Pretty HTML Editor" link
> expect the pretty editor
- click the </>
> expect to be back in the rce
- shift-click the </>
> expect the old editor
- from anywhere, click the fullscreen button (except in safari
when in the old editor, safari won't fullscreen the textarea so
the button should be hidden)
> expect to be in fullscreen
- if you fullscreened the RCE, you can select "View > HTML Editor"
from the menubar
> expect to be in the html editor, fullscreened
- ESC
> expect to exit fullscreen
- edit your content anywhere
> expect the changes to be reflected everywhere else
- try it on a discussions or quizzes page with >1 RCE
> the editors and fullscreen should work as you expect
Change-Id: If5b17b2357a4ff5521f0cb9c42bd6a5a096f2436
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255928
Reviewed-by: Jeff Largent <jeff.largent@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Jeff Largent <jeff.largent@instructure.com>
Product-Review: Peyton Craighill <pcraighill@instructure.com>
fixes FOO-1408
this allows us to control which files i18nliner processes completely
through config and without having to modify hardcoded paths in source
file, which is something we need for FOO-1265
.i18nrc files can include other directories through the "include"
directive:
// file: canvas-lms/.i18nrc
{ "include": [ "public/javascripts/.i18nrc" ] }
// file: public/javascripts/.i18nrc
{ "files": [...] }
:: test plan
aside of Jenkins exercising the i18n tasks, I ran a diff by hand over
the set of files that i18nliner processes before and after the patch,
with the new code processing a few more files: some handlebars in the
analytics plugin and the 3 client_apps/canvas_quizzes source files
if you really want to, you can do the same or find another way to verify
the output
on master, edit canvas_i18nliner/js/main.js somewhere before the
exports:
Check.prototype.checkWrapper = f => console.warn(f)
run it:
./gems/canvas_i18nliner/bin/i18nliner check 2> tmp/i18nliner-upstream-files.txt
cat tmp/i18nliner-upstream-files.txt | sort > tmp/i18nliner-upstream.txt
now do similar on our branch (although we need to massage the output
because the paths are absolute:)
./gems/canvas_i18nliner/bin/i18nliner check 2> tmp/i18nliner-patched-files.txt
cat tmp/i18nliner-patched-files.txt | sort > tmp/i18nliner-patched.txt
sed -i "s{$PWD/{{" tmp/i18nliner-patched.txt
now look for differences:
git diff --no-index \
tmp/i18nliner-upstream.txt \
tmp/i18nliner-patched.txt
Change-Id: Ic73cbc7261ab597deb567fc5d0af1e3014875da1
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255952
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
closes LS-1701
flag=none
When loading the page from agenda view, there are a number of api
requests for calendar_events
- AgendaView.coffee queries from the "target date" (the current day, or
the date you clicked on in the mini-calendar) to the same day in
the year 3000, but only retrieves the 1st page
- Calendar.js queries from the end of the previous month to the target
date and exhausts all pages
Trouble happens when the singlePage requests don't return all the
necessary data and the paginated requests don't overlap to pick
them up. Also, for some odd reason, if you select only 1 course in the
calendar, you'll get >50 results in the first page (of 50?!?), so selecting
2 courses is necessary to see the bug in the example URL in the ticket.
(though this is not a bug in calendar, probably in pagination
using bookmarks)
To _really_ fix this, the AgendaView would have to query data something like
planner does, keep getting pages until some end date is fully satisfied,
but no more. That's beyond the scope of this ticket. This is probably
a rare case, so I've addressed it by bumping the per_page count for
AgendaView's singlePage requests to 100. This fixes the issue on the
calendar referenced in the ticket, and I bet it fixes it in general.
test plan:
- I haven't been able to recreate the problem locally yet.
Change-Id: I7454b6ab58ce369176e948b6a5ab33c08903347c
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255885
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Nate Armstrong <narmstrong@instructure.com>
QA-Review: Nate Armstrong <narmstrong@instructure.com>
Product-Review: Ed Schiebel <eschiebel@instructure.com>
This change allows courses that have ended (a.k.a. the course has an
end date in the past or the associated term has an end date in the
past) to be copied and sent via direct share. The main issue here is
that the copy and import trays were not including an additional query
param required to make concluded courses show up.
fixes LS-1624
flag = direct_share
Test plan:
- Create a course with at least one assignment
- Create a second course with an end date in the past
- Ensure a teacher has an active enrollment in both courses
- In Course 1, select the "Copy To..." option for an assignment
- In the tray that appears, ensure that Course 2 appears in the
typeahead list
- Back in Course 1, select the "Send To..." option for an assignment
- Choose the current teacher as a recipient for the assignment
- Go to "Account" > "Shared Content" for the teacher
- Under the received content actions, choose "Import"
- On the tray that appears, ensure that Course 2 appears in the
typeahead list
- Update Course 2 to have an end date in the future, and update the
term associated with the course to have an end date in the past
- Ensure that both "Copy To..." and "Send To..." scenarios still
show Course 2 in their options
Change-Id: Ie7b6655f0b9926297248b093e9273b07d6e97c07
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255725
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jackson Howe <jackson.howe@instructure.com>
QA-Review: Robin Kuss <rkuss@instructure.com>
Product-Review: Jeff Largent <jeff.largent@instructure.com>
refs VICE-1044
flag=react_inbox
test plan:
- create a conversation with messages between two users
- as a user not in the conversation
- navigate to /graphiql
- add a new mutation
- use the deleteConversationMessage to attempt to
delete a message from the conversation
- this should fail due to insufficient permissions
- as a user in the conversation
- navigate to /graphiql
- attempt to delete a message that doesn't exist
- this should fail to unfound ConversationMessage
- attempt to delete a message that does exist
- this should succeed
- try the above with multiple conversation ids at a time
- if any ids don't exist, it should error
- if any ids are tied to different Conversations, it should error
- it should otherwise succeed
qa risk: low
Change-Id: I0e9a5b73f4e4f16f1ae3da6e1c25053223a72a0b
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256116
Reviewed-by: Rob Orton <rob@instructure.com>
Reviewed-by: Matthew Lemon <mlemon@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Product-Review: Matthew Lemon <mlemon@instructure.com>
QA-Review: Rob Orton <rob@instructure.com>
flag=none
fixes VICE-1020
updatedAt exists in these but createdAt does not, so
createdAt is removed
TEST PLAN:
- perform a legacyNode query on User with user id
who has existing inbox conversations
- in graphiql, make sure that in conversationsConnection
and conversationParticipantsConnection, there is no createdAt field
but there is an updatedAt field
Change-Id: I7776bc7b3efd9fbf55878d71bdfec15989edb5dd
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256183
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Matthew Lemon <mlemon@instructure.com>
QA-Review: Matthew Lemon <mlemon@instructure.com>
Product-Review: Matthew Lemon <mlemon@instructure.com>
flag=none
fixes VICE-1021
TEST PLAN:
- visit /graphiql
- legacy node, on User, use user id of your current user
- conversationsConnection all the way down to
conversationMessagesConnection
- expand nodes, notice you no longer see updatedAt
but still see createdAt
- add createdAt and Body and other fields
- make the query
- query successful if you have expected messages
Change-Id: I50039f9d1e08536450e63c53cafa3834afc4358a
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256182
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: Rob Orton <rob@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
I believe this was erroneously introduced with VICE-91.
We do not dangerously render the url field as html anywhere,
and so it should not be HTML sanitized, and is not a XSS vuln.
fixes DEMO-49
flag=assignments_2_student
test plan:
- with the FF enabled
- create an assignment which accepts URL submissions
- as a student submitting to the assignment, type or
paste a URL containing an ampersand (&)
- at no point should the student submission be altered
in any way
- verify that the user input to the url field cannot be
maliciously used for XSS
Change-Id: I9d08b04a2f2847d43556e234f991623fac0d0043
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/254838
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Mark McDermott <mmcdermott@instructure.com>
Product-Review: Jared Crystal <jcrystal@instructure.com>
Reviewed-by: Stephen Kacsmark <skacsmark@instructure.com>
fixes VICE-1031
flag=notification_update_account_ui
flag=allow_opt_out_of_inbox
TEST PLAN
- watch this demo video: https://share.getcloudapp.com/Wnul8B7n
- in the site admin level, enable notification_update_account_ui
- in the root account level, enable allow_opt_out_of_inbox
- as a user, visit your user settings page
- check Conversations Inbox Opt-out
- visit /profile/communication
- notice that you do not see the Conversations category
- now, go back to your user settings page,
opt back into Inbox
- revisit /profile/communication
- verify that you see the Conversations category
Change-Id: I40ada7d009efc0b3ed69416f755f5201442fc3f1
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256092
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Matthew Lemon <mlemon@instructure.com>
QA-Review: Matthew Lemon <mlemon@instructure.com>
Product-Review: Matthew Lemon <mlemon@instructure.com>
refs VICE-1044
flag=react_inbox
test plan:
- create a conversation with messages between two users
- as a user not in the conversation
- navigate to /graphiql
- add a new mutation
- use the deleteConversationMessage to attempt to
delete a message from the conversation
- this should fail due to insufficient permissions
- as a user in the conversation
- navigate to /graphiql
- attempt to delete a message that doesn't exist
- this should fail to unfound ConversationMessage
- attempt to delete a message that does exist
- this should succeed
- try the above with multiple conversation ids at a time
- successful ids should be handled
- problematic ids should indicate what was wrong
qa risk: low
Change-Id: Iedbfcd3a72484128d1bdd6b5f33297c9226b41ec
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256015
Reviewed-by: Matthew Lemon <mlemon@instructure.com>
QA-Review: Matthew Lemon <mlemon@instructure.com>
Product-Review: Matthew Lemon <mlemon@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
The blueprint button was being inserted after the buttons row
creation and the blueprint button wrapper element was not following
the inline-block style, making it appear in a different line/row.
fixes LS-1712
flag=none
Test Plan:
- Create a new course and make it a blueprint
- Create a Quiz, Discussion or an Assignment in the Blueprint Course
- View the created object and notice the buttons are all messed up
- The buttons should be in a single row
Change-Id: I934de2ec4d24143b47943b41767a32a20440d085
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256020
Reviewed-by: Jeff Largent <jeff.largent@instructure.com>
QA-Review: Jeff Largent <jeff.largent@instructure.com>
Product-Review: Jonathan Guardado <jonathan.guardado@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
fixes VICE-870, VICE-872, VICE-1032
flag=react_inbox
test plan:
- create a conversation between two users
- as a user not in the conversation
- navigate to /graphiql
- add a new mutation
- use the updateConversationParticipant to attempt
to update the conversation for that user
- this should fail due to insufficient permissions
- as a user in the conversation
- navigate to /graphiql
- attempt to update a conversation that doesn't exist
- this should fail to find the Conversation
- attempt to update the conversation (allowed attributes
are starred, workflow_state, and subscribed)
- the db record should be updated to reflect the changes
- the response should reflect the db changes
- NOTE: subscribed will only work for a group conversation
and the starred attribute is returned as the 'label' as
that is where the attribute is actually stored
qa risk: low
Change-Id: I77fe4916aab2e7eb8f139bfd2913f78ce9ae4422
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255844
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Matthew Lemon <mlemon@instructure.com>
QA-Review: Matthew Lemon <mlemon@instructure.com>
Product-Review: Matthew Lemon <mlemon@instructure.com>
fixes LS-1691
flag=none
test plan:
- Create and publish a graded discussion with a due date
- Unpublish the discussion
- Hit `/api/v1/planner/items?filter=new_activity` as a student
- The unpublished discussion should not be included in the response
Change-Id: Iee09f495c221e51afd30be348e55ad132f809f12
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255842
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Product-Review: Nate Armstrong <narmstrong@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Jackson Howe <jackson.howe@instructure.com>
test plan
- have a future course
- export course from group_categories page
- it should work
fixes VICE-1039
flag=none
Change-Id: I5edf01c7dd0723f24314e1ac3fd522c3dbb7b751
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256002
Reviewed-by: Caleb Guanzon <cguanzon@instructure.com>
QA-Review: Caleb Guanzon <cguanzon@instructure.com>
Product-Review: Caleb Guanzon <cguanzon@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
fixes EVAL-1321
Teachers not in a course could get details about a rubric by passing in
a course_id of a course they were enrolled in while also passing in a
rubric_id attached to a different course.
Test Plan
- Have two courses.
- Enroll a teacher in Course 1.
- Create a rubric in Course 1 and a rubric in Course 2.
- Get the rubric ids from the rails console.
- As the teacher, attempt to access the rubric in Course 1. It should
work.
`http://canvas.docker/api/v1/courses/1/rubrics/#{rubric1.id}`
- As the teacher, attempt to access the rubric in Course 2 while still
using the Course 1 id. It should not work.
`http://canvas.docker/api/v1/courses/1/rubrics/#{rubric2.id}`
Change-Id: I4886cba7462665694c20f9a2b3e54ecc5854d79d
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255200
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Spencer Olson <solson@instructure.com>
Reviewed-by: Adrian Packel <apackel@instructure.com>
QA-Review: Gary Mei <gmei@instructure.com>
Product-Review: Syed Hussain <shussain@instructure.com>
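
The cross-course rubric lookup described in the EVAL-1321 message above, as an added Ruby illustration that is not Canvas code: the flawed handler authorizes against the course in the URL and then resolves the rubric id globally, while the corrected one resolves it only within the authorized course. All class and method names, ids and titles are hypothetical, and the "not found" outcome is an assumption (the commit only says the request should not work).

```ruby
# Added illustration; names and data are hypothetical, not Canvas code.
class NotFound < StandardError; end
class Forbidden < StandardError; end

Rubric = Struct.new(:id, :course_id, :title, keyword_init: true)

# Minimal in-memory stand-in for the database (constructed sample data).
class Store
  def initialize(rubrics:, enrollments:)
    @rubrics = rubrics
    @enrollments = enrollments # user name => ids of the courses they teach
  end

  def teaches?(user, course_id)
    @enrollments.fetch(user, []).include?(course_id)
  end

  # Global lookup: any rubric id resolves, whichever course owns it.
  def find_rubric(rubric_id)
    @rubrics.find { |r| r.id == rubric_id } || raise(NotFound)
  end

  # Scoped lookup: the rubric must belong to the course that was authorized.
  def find_course_rubric(course_id, rubric_id)
    @rubrics.find { |r| r.id == rubric_id && r.course_id == course_id } ||
      raise(NotFound)
  end
end

# Flawed pattern: the permission check and the record lookup use two
# unrelated request parameters, so passing the check for course 1 says
# nothing about who owns the rubric that is returned.
def show_rubric_unscoped(store, user, course_id, rubric_id)
  raise Forbidden unless store.teaches?(user, course_id)
  store.find_rubric(rubric_id)
end

# Corrected pattern: the lookup is bound to the same course the permission
# check covered. A rubric from another course is answered as not found
# (an assumption here), which also avoids confirming that the id exists.
def show_rubric_scoped(store, user, course_id, rubric_id)
  raise Forbidden unless store.teaches?(user, course_id)
  store.find_course_rubric(course_id, rubric_id)
end

# Constructed data mirroring the test plan: two courses, one rubric each,
# and a teacher enrolled only in course 1.
STORE = Store.new(
  rubrics: [
    Rubric.new(id: 10, course_id: 1, title: "Course 1 rubric"),
    Rubric.new(id: 20, course_id: 2, title: "Course 2 rubric")
  ],
  enrollments: { "teacher" => [1] }
)

# Runs one handler and reduces the outcome to a title or an error symbol.
def attempt(handler, user, course_id, rubric_id)
  send(handler, STORE, user, course_id, rubric_id).title
rescue NotFound
  :not_found
rescue Forbidden
  :forbidden
end

if __FILE__ == $PROGRAM_NAME
  # [course_id in the URL, rubric_id in the URL]
  [[1, 10], [1, 20], [2, 20]].each do |course_id, rubric_id|
    %i[show_rubric_unscoped show_rubric_scoped].each do |handler|
      result = attempt(handler, "teacher", course_id, rubric_id)
      puts "#{handler} course=#{course_id} rubric=#{rubric_id} -> #{result.inspect}"
    end
  end
end
```
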
In the Gradebook, only indicate that hidden assignments are included in
a student's total if said hidden assignments are actually visible in the
current view.
fixes EVAL-1350
flag=none
Test plan:
- Have a course with some students and assignments, and a configuration
involving grading periods (or assignment groups or modules) such that
you can hide some assignments in the Gradebook using filters
- For a given student, have at least one assignment in a "hidden" state
(i.e., graded but not posted)
- By applying and unapplying filters in the gradebook, check that the
"grisly slashed eye" icon in the student's total column (and the
accompanying tooltip indicating "this grade differs from the student's
view because some grades are not yet posted") is only shown when the
set of currently shown assignments includes at least one such hidden
assignment for that student
Change-Id: Icd6277304883fc132491f1e2f1a6ba59ad6c49f5
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255609
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Spencer Olson <solson@instructure.com>
Reviewed-by: Syed Hussain <shussain@instructure.com>
QA-Review: Kai Bjorkman <kbjorkman@instructure.com>
QA-Review: Syed Hussain <shussain@instructure.com>
Product-Review: Syed Hussain <shussain@instructure.com>
For postMessage issue, see b3e640ac52 for
earlier, partial fix. Documentation (e.g.
https://github.com/bracken/lti_messaging#ltiscreenreaderalert) confirms
`body` should be a string.
flag=none
closes INTEROP-6416
Test plan:
- For postMessage issue: see ticket for repro steps. Check that it can
be repro'd before this fix but not after.
- In repro steps, open dev tools on the Canvas page, open the Elements
tab, and observe that the "flash_screenreader_holder" div is being
updated every second with the JSON of the body.
- Modify the repro HTML file to send a string for body and observe that
that makes the "flash_screenreader_holder" div contain just the string
(with no extra quotes).
- For deep linking issue: modify the LTI 1.3 test tool
(app/controllers/deep_linking_controller.rb:20) so that it returns
hashes like this for "message" and "error_message":
{html: '<img src=x onerror=alert(123)'}
- Use the LTI tool return data via deep linking (e.g. adding a
module item, embedding a link in the RCE)
- Before this change that should cause an alert; after this change the
HTML (escaped) should be shown in the flash message.
- Test the content-item code path with an LTI 1.1 tool. I modified
the lti_tool_provider_example code (form in content_item_form.js.jsx).
It seems like something is already turning a hash parameter into a
string though, so it seems like the changes to
external_tool_controller are not necessary, but they don't hurt.
Change-Id: I4a23b4c4173db0fec2ec745001da5d8c6d54997c
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255758
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Tucker Mcknight <tmcknight@instructure.com>
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
Reviewed-by: Mysti Lilla <mysti@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
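The deep linking case from the test plan above, as an added example that is not the commit's code: a flash helper that trusts `{html: ...}` hashes becomes an injection point when a tool-supplied parameter reaches it with its type intact. `render_flash`, `coerce_to_text` and the params shape are hypothetical names and assumptions about the mechanism; the payload is the one from the test plan.

```ruby
require "erb"

# Hypothetical flash renderer (assumption): a plain String is escaped, while
# a Hash with an :html key is treated as trusted markup written by the app.
def render_flash(message)
  if message.is_a?(Hash) && message.key?(:html)
    message[:html].to_s
  else
    ERB::Util.html_escape(message.to_s)
  end
end

# Anything that came from the tool is reduced to plain text. A Hash or Array
# becomes its textual representation, so it can never select the :html branch.
def coerce_to_text(value)
  case value
  when nil then ""
  when String then value
  else value.to_s
  end
end

# Before: the tool-supplied parameter is passed through unchanged, so the
# tool decides whether its message is escaped.
def flash_from_tool_unsafe(params)
  render_flash(params[:message])
end

# After: the parameter is coerced to a String first and is always escaped.
def flash_from_tool_safe(params)
  render_flash(coerce_to_text(params[:message]))
end

# Constructed request parameters mirroring the hash from the test plan.
TOOL_PARAMS = { message: { html: "<img src=x onerror=alert(123)" } }.freeze
```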
closes FOO-1393
flag=none
TEST PLAN:
1) send notification to student observer
in twitter template with name setting enabled
2) notification rendering does not error out
Change-Id: I62fe3b8b12d5e1a2aeede4f00ab0421c02f51e1c
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255814
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
closes FOO-1383
flag=none
TEST PLAN:
1) try to use a seach_type of "nonsense"
2) you get a 400, not a 500
Change-Id: I901ded4c2cbc1106f322ca9ee8bbe389131162b2
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255697
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
closes FOO-1388
flag=none
TEST PLAN:
1) make google drive fail with timeouts
2) try to list docs on assignments_controller
3) do not get a 500, just fail to load them.
Change-Id: I7a70f643e3745a796b3a41baf8d832c275aebc83
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255718
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
Test plan:
- In siteadmin, try toggling a feature flag. A dialog should be displayed
Change-Id: I6d6367679d01a9f7fab65a42adac1cc584678e8c
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255743
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Ahmad Amireh <ahmad@instructure.com>
Reviewed-by: Ed Schiebel <eschiebel@instructure.com>
QA-Review: Ahmad Amireh <ahmad@instructure.com>
Product-Review: Ahmad Amireh <ahmad@instructure.com>
added manage outcome split page to display when outcome groups
are associated with an Account/Course. Refactored to move panel
to Management folder under outcomes and renamed js file
to “index.js”. This includes a spinner that will show when
loading the outcome groups. Includes gql queries to pull Account
and Course rootOutcomeGroup and child_groups_count.
These queries will be modified in OUT-4022 and OUT-3989.
Updated test for ManagementHeader due to act() warning.
closes OUT-4100
flag=improved_outcomes_management
test plan:
- Make sure you have an Account/Course with & without outcome
groups associated.
- Go to Account > Settings > Feature Options
- Enable Improved Outcomes Management FF
- With Improved Outcomes Management FF Enabled
- In graphql/types/learning_outcome_type, change
"child_groups_count" to return 1
- Note: this is required to test this functionality
until OUT-4022 is complete
- Go to Account > Outcomes
- If outcomes are associated with the Account, you should
see the new split page.
- Go to Course > Outcomes
- If outcomes are associated with the Course, you should
see the new split page.
- Modify child_groups_count above to return 0
- Visit Account > Outcomes and Course > Outcomes
and verify you see the No Outcomes Page.
- Disable Improved Outcomes Management FF
- Verify the following:
- Go to Account > Outcomes
- You should see previous Outcomes manager
- Go to Course > Outcomes
- You should see previous Outcomes manager
Change-Id: I3ee40ab2a646fd7e0508c9347addf1ed0b6e0e4e
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/254736
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Michael Brewer-Davis <mbd@instructure.com>
QA-Review: Michael Brewer-Davis <mbd@instructure.com>
Product-Review: Michael Brewer-Davis <mbd@instructure.com>
adding delegation method allows the FilesController to find
the correct context for the associated report file
report # Attachment
report.context # QuizStatistics
report.context.context # Course
adding the manage_files policy allows the Attachment
policy to read appropriate permissions for deleting
files
refs OUT-3971
flag=none
Test plan:
- create (old) quiz with questions
- take the quiz as a student
- generate an access token at canvas.docker/profile
- add to your environment for curl fun!
export TOKEN=<string from ui>
- generate a report (change course id and quiz id
as appropriate)
curl http://canvas.docker/api/v1/courses/17/quizzes/7/reports \
-H "Authorization: Bearer $TOKEN" \
-X POST \
-d "quiz_report[report_type]=student_analysis"
- wait a sec for everything to generate (is your jobs container running?)
- retrieve the report info
curl "http://canvas.docker/api/v1/courses/17/quizzes/7/reports/4?include[]=file" \
-H "Authorization: Bearer $TOKEN"
- find the .file.id attribute of the json
- view the file (updating id & appending the authorization...)
curl http://canvas.docker/api/v1/files/14
- attempt to reset the file link verifier
curl http://canvas.docker/api/v1/files/14/reset_verifier -X POST
- attempt to delete the file
curl http://canvas.docker/api/v1/files/14 -X DELETE
Change-Id: I830d67a148429092627902358ba5d8f8e3836c1d
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255281
Reviewed-by: Pat Renner <prenner@instructure.com>
Reviewed-by: Han Yan <hyan@instructure.com>
Reviewed-by: Augusto Callejas <acallejas@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Brian Watson <bwatson@instructure.com>
Product-Review: Michael Brewer-Davis <mbd@instructure.com>
closes OUT-4115
flag=none
test-plan:
- with high contrast off, verify there are no differences when
visiting the course pages tab
- enable high contrast via account in global sidebar
- visit pages and verify the color contrast on odd
rows matches wcag AAA standard (4.5+)
Change-Id: I9196dce2f360809a19fbbf476ffb2026773f263a
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255688
Reviewed-by: Brian Watson <bwatson@instructure.com>
Reviewed-by: Michael Brewer-Davis <mbd@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Brian Watson <bwatson@instructure.com>
Product-Review: Jody Sailor
closes FOO-1387
flag=none
TEST PLAN:
1) try to launch LTI content in a place it doesn't go
2) get a standard LTI error response, rather
than a 500
Change-Id: Id600715e1e4ebd05e1b5d3364f05da2a068ed711
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255711
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
closes FOO-1384
flag=none
TEST PLAN:
1) fail to login with google drive, with no existing session
2) you get redirected to root_url, not a 500
Change-Id: I5d8e3a06696dc733badc1fa57440f3b86b82200f
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255704
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
Refs FOO-171
After some discussion with Product, it was decided to
redo the way that the "manage admin users" permission
gets broken up into granulars and groups.
Test plan:
* You now have four group permissions for managing all
non-student enrollments (Teacher, TA, Designer,
course Observer)
* You agree that the text on the permissions page for
these is self-explanatory and correct.
Change-Id: I7765e2256a5a207014a6cf83b3902f9b2543985d
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255397
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Charley Kline <ckline@instructure.com>
Product-Review: Charley Kline <ckline@instructure.com>
fixes VICE-1005
flag=react_inbox
Test Plan:
- Have an existing conversation between several users
- Login as one of those users and navigate to /graphiql
- Run the following mutation:
```
mutation MyMutation {
  __typename
  addConversationMessage(
    input: {
      conversationId: <conversation_id>,
      body: "This is a test",
      recipients: [<recipient_id>]
    }
  ) {
    conversationMessage {
      _id
      attachmentsConnection {
        nodes {
          displayName
        }
      }
      author {
        name
      }
      body
      conversationId
      mediaComment {
        _id
        title
      }
    }
    messageQueued
    errors {
      attribute
      message
    }
  }
}
```
- The mutation should add a message to the conversation
Change-Id: Iba5a8901408d8d6acc80d629f2a89298c39fc4ac
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/254849
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Caleb Guanzon <cguanzon@instructure.com>
QA-Review: Caleb Guanzon <cguanzon@instructure.com>
Product-Review: Caleb Guanzon <cguanzon@instructure.com>
closes LS-1609
flag=rce_enhancements
Had to nohoist tinymce so it remains w/in canvas-rce
where RCEWrapper.js can require tinymce's stylesheets, but it
still needs to be a dev dep. of canvas-lms because there are
specs that import tinymce.
Moved the matchMedia jsdom polyfill into jest-setup where it can be
used by everyone. Need it there since the new tinymce calls it.
test plan:
- specs pass
- the RCE still works and looks the same
Sorry, I don't know what else to say
Change-Id: I8c956664176b7c25995a55e0c6fea4dafad3970f
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255604
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Nate Armstrong <narmstrong@instructure.com>
QA-Review: Nate Armstrong <narmstrong@instructure.com>
Product-Review: Ed Schiebel <eschiebel@instructure.com>
there are race conditions that allow multiple modules
to be added in the same position. this may cause modules
to be duplicated or go missing during pagination, since
the ordering isn't total. this condition is more likely
to occur when modules are added in concurrent API calls.
fixing the race condition would be difficult, but we can
at least mitigate its effect by adding a tiebreaker to
the scope order to ensure consistent results.
test plan:
- modify course module positions in the Rails console
to cause multiple modules to have the same position
- modules with the same position should be returned in
id order by the course modules index API
fixes MBL-14953
refs LS-1625
Change-Id: I76dd585c870d5790567261dca203b37ebf665df1
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/255635
Reviewed-by: Ed Schiebel <eschiebel@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Robin Kuss <rkuss@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
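The pagination effect described in the commit message above, as an added example that is not the commit's code: when several modules share a position, ordering by position alone lets each page query break the tie differently, so an item can repeat on one page and vanish from another. The in-memory "database", its `tie_order` knob and all names are assumptions that model an engine free to return tied rows in any order.

```ruby
CourseModule = Struct.new(:id, :position)

# Constructed data: modules 2, 3 and 4 all ended up with position 2.
MODULES = [[1, 1], [2, 2], [3, 2], [4, 2], [5, 3]]
          .map { |id, pos| CourseModule.new(id, pos) }.freeze

# Stand-in for one paginated query. Rows are sorted by the caller's order
# key; rows with equal keys fall back to `tie_order`, which models the
# engine's freedom to return ties in any order on any given query.
def fetch_page(page, per_page, tie_order, &order_key)
  ranked = MODULES.each_with_index.sort_by { |mod, i|
    [order_key.call(mod), tie_order == :asc ? i : -i]
  }
  ranked.map { |mod, _| mod.id }.slice((page - 1) * per_page, per_page) || []
end

# Fetches consecutive pages, each query resolving ties its own way.
def walk_pages(tie_orders, per_page: 2, &order_key)
  tie_orders.each_with_index.flat_map { |tie_order, n|
    fetch_page(n + 1, per_page, tie_order, &order_key)
  }
end

# Ordering by position only: the order is not total.
def by_position_only
  walk_pages(%i[asc desc asc]) { |m| [m.position] }
end

# Position with id as the tiebreaker: every query sees the same total order.
def by_position_then_id
  walk_pages(%i[asc desc asc]) { |m| [m.position, m.id] }
end
```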
fixes VICE-871
flag=react_inbox
test plan:
- create a conversation with messages between two users
- as a user not in the conversation
- navigate to /graphiql
- add a new mutation
- use the deleteConversation to attempt to delete
all messages from the conversation
- this should fail due to insufficient permissions
- as a user in the conversation
- navigate to /graphiql
- attempt to delete a conversation that doesn't exist
- this should fail due to unfound Conversation
- attempt to delete a conversation that does exist
- this should succeed
qa risk: low
Change-Id: Iea7a02fa9e22e0ebd122dd4bab6e52f91bc3004d
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/254756
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Caleb Guanzon <cguanzon@instructure.com>
QA-Review: Caleb Guanzon <cguanzon@instructure.com>
Product-Review: Caleb Guanzon <cguanzon@instructure.com>