Commit Graph

954 Commits

Author SHA1 Message Date
James Williams 6616c18c05 don't show invitations for completed courses
test plan:
* invite a user to an active course
* confirm that an invitation shows on their "/courses" page
* complete the course
* confirm that the invitation is no longer shown
 (rather than remaining and then causing a page error on
 attempted acceptance)

closes #CNVS-1736

Change-Id: I91f7d96188ec518eda2c50f9436d5a4fef5a423a
Reviewed-on: https://gerrit.instructure.com/47542
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Dan Minkevitch <dan@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: James Williams  <jamesw@instructure.com>
2015-01-21 19:35:33 +00:00
Jeremy Stanley d9916a9543 terms of use/privacy policy endpoints and extension point
this commit adds terms_of_use_url and privacy_policy_url helpers
that can be customized by plugins.  it also provides controller
actions to redirect to these, so that custom URLs can be
computed on demand instead of on every page load

closes CNVS-17882

test plan:
 - without any authentication, /terms_of_use and /privacy_policy
   should redirect to the default documents on canvaslms.com
   (custom documents based on geographic location and account
   license type will come later.)

Change-Id: I72654168d244b5196f841e1a159c14c4c4b29cb3
Reviewed-on: https://gerrit.instructure.com/47331
Reviewed-by: James Williams  <jamesw@instructure.com>
Product-Review: James Williams  <jamesw@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
2015-01-16 22:09:37 +00:00
Nathan Mills 961556d582 initialize tool settings with tool proxy data
fixes PLAT-787

test-plan
*register the lti2 tool with custom tool setting data set
*launch the lti2 tool
*the tool settings should have the custom tool setting data you set at the tool proxy level

Change-Id: Ia3b45b34f6f1a621993c4cab9fb7cb2625e438e7
Reviewed-on: https://gerrit.instructure.com/45117
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Brad Humphrey <brad@instructure.com>
Product-Review: Nathan Mills <nathanm@instructure.com>
QA-Review: Nathan Mills <nathanm@instructure.com>
2015-01-16 18:51:31 +00:00
James Williams f934e91e87 build login hooks functionality
also extends error page rendering a little

test plan:
* should be able to add hooks in a plugin initializer e.g.

  LoginHooks.on_login do |request|
    puts request.remote_ip
  end

* this code should be run on any entry point in canvas,
 such as login and registration

refs #CNVS-17881

Change-Id: If5fa572fcfb4676dd2a57c80ae1a72a48b406058
Reviewed-on: https://gerrit.instructure.com/47239
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Clare Strong <clare@instructure.com>
2015-01-16 14:04:22 +00:00
Ryan Taylor 2feb9d40c9 Ensures QLA events are recorded on submission
Submission of a quiz sometimes didn't produce associated events.  This
prevents the intermittent failure to record those events.

Closes CNVS-17588

Test Plan:
  - Take quizzes many times with as quick of submission as you can,
    while modifying the answers, as only answer events were problematic.
  - Confirm that all events are recorded in the submission log.

Change-Id: I46bcf21287d38886a21fe281d08d49ea83f047b1
Reviewed-on: https://gerrit.instructure.com/47009
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Brian Finney <bfinney@instructure.com>
QA-Review: Amber Taniuchi <amber@instructure.com>
Product-Review: Ryan Taylor <rtaylor@instructure.com>
2015-01-15 21:38:25 +00:00
James Williams eba11175a8 fix document previews on public pages
test plan:
* enable file previews + canvadocs
* create a course with a public syllabus
* add an inline preview link to a canvadocable document
 to the syllabus
* view the syllabus as a public user (not logged in)
* should still be able to open the preview without
 triggering an authentication error

closes #CNVS-17959

Change-Id: Ia5edede4534aba0768744a6feb663cb6fb8e0ea4
Reviewed-on: https://gerrit.instructure.com/47122
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Clare Strong <clare@instructure.com>
2015-01-15 13:19:49 +00:00
Jeremy Stanley 8b6d017fd6 fix following overwritten attachment link in #show
test plan:
 0. have a file in a course
 1. link to the file in the rich content editor
 2. upload a different file with the same name, and replace it
 3. refresh the rich content and ensure the new file appears

fixes CNVS-17913

Change-Id: Iaab118fe13bb12a0115738a1876318bc90130989
Reviewed-on: https://gerrit.instructure.com/46932
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Clay Diffrient <cdiffrient@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
2015-01-13 00:03:28 +00:00
Nathan Mills c6b1af10d9 add spec for launching lti2 tools in new tabs
fixes PLAT-779

test-plan:
the spec should pass

Change-Id: I47ae1677bc65b96968a07123215ab20d5fa94186
Reviewed-on: https://gerrit.instructure.com/46959
Reviewed-by: Brad Humphrey <brad@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Product-Review: Nathan Mills <nathanm@instructure.com>
QA-Review: Nathan Mills <nathanm@instructure.com>
2015-01-12 22:34:45 +00:00
Simon Williams 0005abef0d maintain time on discussion topic more options
fixes CNVS-17711

test plan:
- go to the assignment index page
- hit the "+" button for an assignment group
- choose discussion, and give it a date and non-standard time (not
  12:00am)
- hit more options
- the date and time chosen should be maintained on the discussion create
  page

Change-Id: I3059daec58261bbc9d7dcb787822097c8e327a47
Reviewed-on: https://gerrit.instructure.com/46590
Reviewed-by: Benjamin Porter <bporter@instructure.com>
QA-Review: Sean Lewis <slewis@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
2015-01-07 23:35:37 +00:00
James Williams 0c3880f807 log asset access for files on inline view and new files preview
test plan:
* enable page views
* create a course

* add an inlineable file (such as *.html)
* add a module item referencing the file
* as a course user, visit the module item (which
 should display the file in an iframe)
* inspect the iframe element and note the address
* visit the address in a browser without the same
 user session (e.g. in incognito mode)

 (NOTE: this is to simulate prod behavior, where
 it redirects to another domain where the user would not
 normally be logged in)
* visit the course user access report
* should have logged access to the file

* add a previewable file to the course (such as an image)
* in new files, click on the file to show a preview
* should also have logged access to the file in the
 user access report

closes #CNVS-17697

Change-Id: I0746a417be10ad3d446741d199e942b60490d766
Reviewed-on: https://gerrit.instructure.com/46613
Tested-by: Jenkins <jenkins@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Clare Strong <clare@instructure.com>
2015-01-07 20:10:32 +00:00
Nick Cloward 66d20740d8 add trusted referrer header
fixes: CNVS-17692

Adds a header to the response when logging in that tells if the referrer
is trusted or not.  This is so admins can verify trusted referrers.

Change-Id: I2d08fcc7882fd3588ca1769419548ab731701495
Reviewed-on: https://gerrit.instructure.com/46408
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Nick Cloward <ncloward@instructure.com>
Reviewed-by: Jacob Fugal <jacob@instructure.com>
2015-01-07 16:14:11 +00:00
Eric Berry 44d4a9fa7f Rebuilt App Center in React
fixes PLAT-731
fixes PLAT-774
fixes PLAT-679

Test steps:
- Add, remove, navigate and show apps
- Ensure that when the App Center is disabled,
  you are only able to access the configurations

Patchset notes:
33: removed ability to destroy cache via api, removed reviews
37: rebased
37: fixed js map bug

Change-Id: I397aeab58ff50a5a930b39228571a7088e5784ce
Reviewed-on: https://gerrit.instructure.com/43818
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Nathan Rogowski <nathan@instructure.com>
Reviewed-by: Dan Minkevitch <dan@instructure.com>
Reviewed-by: Brad Humphrey <brad@instructure.com>
Product-Review: Eric Berry <ericb@instructure.com>
2015-01-05 21:34:02 +00:00
Nick Cloward f047e8b64b add root account trusted referers
refs: CNVS-16643

Adds a setting to root accounts for trusted referers.  The field is
set up to allow a comma-delimited list of hosts to trust for the account.

Test Plan:

  - Edit and save the account trusted referers.
  - Should show only for root accounts.
  - Should format the referers according to the following rules when it
    is saved.
      - If the scheme is https and the port is provided it will strip
        off the port.
      - If the scheme is http and the port is provided it will strip
        off the port.
      - It will remove the path part of the url.

Change-Id: Ie916339162748cf88259ac566036fc5fa2f5d08e
Reviewed-on: https://gerrit.instructure.com/45779
Tested-by: Jenkins <jenkins@instructure.com>
Product-Review: Blake Simkins <bsimkins@instructure.com>
Reviewed-by: Jacob Fugal <jacob@instructure.com>
QA-Review: August Thornton <august@instructure.com>
2014-12-18 21:03:35 +00:00
Jeremy Stanley 8128ffa779 improve course copy source selection with many courses
test plan:
 - the list of courses content migration / copy a canvas course
   (both the left-side dropdown and the right-side autocomplete)
   should be sorted by name
 - the dropdown on the left side should appear only if the user
   has <= 100 courses to choose from

refs CNVS-15247

Change-Id: I73397bc19ca421dcfeb076590f9a2762cad423ba
Reviewed-on: https://gerrit.instructure.com/45525
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: James Williams  <jamesw@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: Cosme Salazar <cosme@instructure.com>
2014-12-17 23:19:22 +00:00
Ahmad Amireh aad33184d0 Remove .delete_me files for deprecated client apps
We had to manually add these two empty files to deprecated client app
folders in /client_apps/* as an indicator to a Rails initializer that
these client apps are now obsolete and need to be removed BEFORE the JS
rake task runs. Otherwise, the rake task would fail trying to build
those client apps unless the initializer removed the folders.

Problem is, without this patch, anytime somebody runs `rake
canvas:compile_assets` or the JS rake tasks, their git HEAD will be
dirty with the now-removed .delete_me files. This patch removes the
files from the git history.

Closes CNVS-17516

TEST PLAN
---- ----

  - run `bundle exec rake canvas:compile_assets`
    + verify it works
  - run `git status` and make sure it does not list files in
    `/client_apps/canvas_quiz_*/.delete_me/`
  - browse the client_apps folder (`ls client_apps/*`) and verify
    neither canvas_quiz_statistics nor canvas_quiz_inspector exist

Change-Id: I0ab23ff6200e2425e0b3e104b2cdfd08e6a11629
Reviewed-on: https://gerrit.instructure.com/45813
Reviewed-by: Simon Williams <simon@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Derek DeVries <ddevries@instructure.com>
Product-Review: Derek DeVries <ddevries@instructure.com>
2014-12-15 23:36:23 +00:00
Ahmad Amireh 144d9316b9 UI for quiz submission logs
Closes CNVS-17020

Adds a small app for browsing quiz submission events for a student's
submission. Re-architects the previous canvas_quiz_statistics client
app to now host more than 1 app. Common code between the two apps is
factored out into /apps/common/{css,js,test}.

Also:

  - a feature flag for quiz log auditing
  - renamed previous QuizSubmissionEventsController to an Api one
  - an API endpoint + controller action for retrieving/viewing events
  - "canvas_quiz_statistics" merged with the new client app
    "canvas_quizzes"

TEST PLAN
---- ----

Make sure you build the assets by running `bundle exec rake
canvas:compile_assets` before doing any of this.

Now:

  - take a quiz as a student
  - as a teacher, view the student's attempt
  - click on the big "View Log" link
    + verify the page loads and you can browse around in it

We also need to test stats, because the commit affects it:

  - turn on the new stats feature flag
  - go to stats:
    + verify the page loads and looks OK

Try both pages another time with the ?optimized_js=1 parameter added to
the URL to make sure nothing went wrong when they were optimized.

Change-Id: I5a30cb0db05e80084d1ddd595b53f9aa3cf336eb
Reviewed-on: https://gerrit.instructure.com/44576
Reviewed-by: Derek DeVries <ddevries@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Trevor deHaan <tdehaan@instructure.com>
Product-Review: Ahmad Amireh <ahmad@instructure.com>
2014-12-15 19:51:52 +00:00
James Williams 2c69f3966b remove non-draft-state everything
test plan:
* basic regression test on assignments, discussion topics
 gradebook, and modules (mostly make sure the basic
 index/show/edit views aren't broken)

closes #CNVS-15563

Change-Id: I3411bfb7645b3c4bf8a4663e3e052b4402f899ba
Reviewed-on: https://gerrit.instructure.com/43609
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
2014-12-10 17:57:18 +00:00
Mark Severson 1a245e6bdd remove non-draft state wiki pages
test plan:
* regression test wiki pages

closes CNVS-16203

Change-Id: Ic37c69c8696151dc99f1df6f3cc9b013835b12a4
Reviewed-on: https://gerrit.instructure.com/42552
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Product-Review: James Williams  <jamesw@instructure.com>
QA-Review: James Williams  <jamesw@instructure.com>
2014-12-09 20:12:24 +00:00
Jeremy Stanley 68120c44a3 fix doc previews for files uploaded via the wiki sidebar
test plan:
 In an environment with canvadocs enabled,
 * upload a previewable document type to a wiki page via the
   wiki sidebar
 * save the page
 * the document preview icon should appear next to the link
   and clicking it should open a document preview

fixes CNVS-15939

Change-Id: I9a52c01bc128760885114e71271bc1c477853a56
Reviewed-on: https://gerrit.instructure.com/45377
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Dan Minkevitch <dan@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
2014-12-08 21:22:41 +00:00
James Williams 96765144c9 add file_menu external tools to new files cog menu
test plan:
* add an external tool (see the example xml file
referenced in the ticket) configured for the file_menu
* with new files enabled, the external tool should add
an item in the cog menu for files
* if the file's content-type is unrecognized by the tool
 (i.e. not a standard document/image/video file), the
 item should be disabled

* the external tool should also add an item to the
cog menu for file module items on the modules page

closes #CNVS-17005

Change-Id: I8a5497be2f784d5fc64969baf30e33ae53b5dc1a
Reviewed-on: https://gerrit.instructure.com/45203
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: James Williams  <jamesw@instructure.com>
2014-12-05 22:04:05 +00:00
Derek DeVries b10ce172c6 allow readonly view of quiz with group that pulls from question bank
fixes CNVS-17126

test plan:
  - as a teacher
    - create a quiz with a single group that pulls questions from a bank
    - save the quiz

  - go to permissions at /accounts/self/permissions
    - change "Manage (add / edit / delete) assignments and quizzes"
    - set to "Disabled" for teacher

  - as a teacher visit the created quiz
    - you should see "See Full Quiz" link in the sidebar
    - visit this page
    - it should show you the quiz in readonly mode without giving an error

  - also check for regressions around quiz edit page with question banks

Change-Id: Ifa9ad9577407199b1c355e67faa37270f91adc0d
Reviewed-on: https://gerrit.instructure.com/45061
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Ahmad Amireh <ahmad@instructure.com>
QA-Review: Trevor deHaan <tdehaan@instructure.com>
Product-Review: Derek DeVries <ddevries@instructure.com>
2014-12-02 22:43:00 +00:00
Cody Cutrer 6364bcce87 ensure all notification policy creation handles unique constraint violations
fixes CNVS-15746

also removed some dead notification policy creation code

test plan:
 * configure notification preferences through facebook
 * it should work

Change-Id: Ide6e1d53767159b7946edcc23168f9683c04ee19
Reviewed-on: https://gerrit.instructure.com/44003
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jacob Fugal <jacob@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
2014-12-02 18:56:33 +00:00
Jeremy Stanley 2bc79cc634 create files in unpublished state when usage_rights_required
test plan:
 - in a course with New Files and Require Usage Rights features
   enabled,
   1. files should upload in unpublished state to the files page
   2. files should upload in unpublished state via the wiki sidebar
   3. files should not be publishable (via the new files page
      or the files API) if usage rights are not assigned

closes CNVS-17123

Change-Id: I6c28e549dd5b155f9c85ec84de6f7b7dcb5bb6e6
Reviewed-on: https://gerrit.instructure.com/45024
Reviewed-by: Dan Minkevitch <dan@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: Dan Minkevitch <dan@instructure.com>
2014-12-02 00:43:59 +00:00
Benjamin Porter f4ed70089c Add some unit tests to the OutcomesController spec
This adds some unit tests to the outcomes controller to test the create,
update, and destroy methods, which were previously not tested.

Fixes CNVS-17136

Test Plan:

    None.  This commit does not touch any application code, only
    unit tests

Change-Id: I6f08d2eba4327e11d249679db7bdde082bfd20ed
Reviewed-on: https://gerrit.instructure.com/44958
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
2014-12-01 16:45:10 +00:00
Jeremy Stanley 38ba224687 return lock explanation message from preview
test plan:
 - have a file that is conditionally unlocked (either by date,
   or by being part of a module that has unmet completion requirements)
 - try to preview the file as a student, using New Files
 - you should see a lock explanation instead of a canvasception 401
   "Unauthorized" error page

refs CNVS-16943

Change-Id: I22a081a1946aa9a82dee3c8b287f5454c226c00b
Reviewed-on: https://gerrit.instructure.com/44943
Reviewed-by: Clay Diffrient <cdiffrient@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Caleb Guanzon <cguanzon@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
2014-11-26 18:14:30 +00:00
James Williams 4241387ce2 prevent userobserver pairs from merging together
test plan:
* create a student user
* enable self-registration for observer accounts
 on the root account
* use the form on the login screen to create a
 parent (observer) account for the student
* should have sent an e-mail to confirm the account
 with a link to register the account
* while logged in as the student, follow the
 confirmation link
* should not receive a prompt to "add this e-mail
 address to your current account" (i.e. merge together)

closes #CNVS-15619

Change-Id: I24a8c339875abf416d0e7853944b7eeae64f78e3
Reviewed-on: https://gerrit.instructure.com/44756
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Matt Fairbourn <mfairbourn@instructure.com>
Product-Review: Cosme Salazar <cosme@instructure.com>
2014-11-25 16:36:22 +00:00
Nathan Mills d0fb188b10 construct uniq resource_link_id for lti_links
fixes PLAT-736

test plan:
install the lti2 test tool with all placements enabled
launch the tool from the different placements
every module item and assignment should have a uniq resource_link_id
course_nav and account_nav should have a uniq resource_link_id

Change-Id: Ifb65a27fa5b7758a27f20684a5af3f5c9bb03100
Reviewed-on: https://gerrit.instructure.com/44051
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Brad Humphrey <brad@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Nathan Mills <nathanm@instructure.com>
2014-11-24 23:34:49 +00:00
Nick Cloward 5818ed9458 add external integration keys
refs: CNVS-16627

First part is to add the framework for tracking external keys.  This
commit handles the ability to add multiple types easily to the
external_integration_keys with custom rights per type of key.

Test Plan:
 - Make sure the section for External Integration Keys does not display
   when no types are set.
 - Add a few custom types to the external integration keys with all
   combinations of write and read rights.
 - Make sure you can edit the appropriate keys inside the account
   settings page and that they are persistent.
 - Remove a value from a key and it should delete the appropriate
   record.
 - If the user does not have access to any keys the section should not
   display.

Change-Id: I37d56c3ee1bf44876c220e9d5a1ae80a22ac1289
Reviewed-on: https://gerrit.instructure.com/44161
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Colleen Palmer <colleen@instructure.com>
2014-11-21 01:19:24 +00:00
Andrew Butterfield 5a2eaa57d8 Correct sorting for numerically named groups
fixes CNVS-14327

Followed the tutorial at: https://gollum.instructure.com/sorting. Used
the database level solution

Groups sort first by group category name and then by group name both on
the server side and the client side.

Updated app/coffeescripts/util/natcompare.coffee because when the tests in
public/javascripts/compiled/ember/student_groups/tests/controllers/student_groups_controller.spec.js
one fails because window.I18n.locale is not defined or is null. Hence I
added a default of 'en-US'.

Added spec for server side sorting check.

Test Plan:
* Create a group set and add groups named 1-9, 10, 110, 28 and whatever
  other numbers you want
* Notice as a teacher that the groups are naturally ordered meaning that
  10 and 110 don't come directly after 1 for example

* Next, login as a student and verify that groups are naturally ordered

* Then on the account level, enable the new student groups option
* As a student go back to the groups page and verify that the ordering
  is natural on the new students group page

* Groups get pulled down from the server in groups of 50. I would
  suggest creating two group sets with the names 1 and 2. Add a couple
  groups to group set 1, then add 50+ groups to group set 2, and then
  add a couple more groups to group set 1 but that would come after the
  groups in group set 1. Then check to make sure that when the page
  loads all of group set 1's groups appear at the top of the page in the
  correct order.

Change-Id: Ie066abd3cef237fd8c8c0f73231cea0177756e21
Reviewed-on: https://gerrit.instructure.com/43565
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Braden Anderson <braden@instructure.com>
QA-Review: Steven Shepherd <sshepherd@instructure.com>
Product-Review: Janelle Seegmiller <jseegmiller@instructure.com>
2014-11-20 18:23:05 +00:00
Brad Humphrey 0fed483786 add lti module and module item custom variables
test plan:
 - add a tool with variable substitutions for $Canvas.module.id and $Canvas.moduleItem.id
 - launch the tool as a module item
 - it should substitute the values

Change-Id: I52540a33e4d0ada5a4d8434250e173ff1f9ffdef
Reviewed-on: https://gerrit.instructure.com/44484
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Nathan Mills <nathanm@instructure.com>
2014-11-17 21:24:45 +00:00
Cody Cutrer dd1b16828c don't delete from params in AssignmentsController
refs CNVS-16685

Change-Id: I9f778191f7a552a5294ba74f138b0758d7b821eb
Reviewed-on: https://gerrit.instructure.com/44287
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Nick Cloward <ncloward@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
2014-11-17 18:58:42 +00:00
Nathan Mills 8d8f84696c add roles and locale to lti2 launches
fixes PLAT-758

test-plan:
*do an lti2 launch
*it should include the roles and locale as params

Change-Id: I987b65b56eee503d5b142ee2a5197c8b36b14697
Reviewed-on: https://gerrit.instructure.com/44263
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Brad Humphrey <brad@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Nathan Mills <nathanm@instructure.com>
2014-11-14 00:51:36 +00:00
Nathan Mills fe1745f6d5 restrict lti2 app registration to users with update permission
fixes: PLAT-763

test-plan:
*try to register an lti2 app as a student in a course
*it shouldn't allow you to register one

*try to register an lti2 app as a non-admin in an account
*it shouldn't allow you to register one

Change-Id: I093a138e54cd2d5e8f823fc68f7b76fb361af677
Reviewed-on: https://gerrit.instructure.com/44267
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Brad Humphrey <brad@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Nathan Mills <nathanm@instructure.com>
2014-11-14 00:51:23 +00:00
Cody Cutrer a624774407 show a notice when logging in with credentials from another account
fixes CNVS-14254

test plan:
 * log in to canvas with site admin credentials via CAS at a
   non-site admin account
 * you should see a notice about it
 * log in to canvas at account A with credentials from account B
   (due to a trust link)
 * you should see a notice about it

Change-Id: Ie9cc3530c726aefac232f368d7b557eeb9d82528
Reviewed-on: https://gerrit.instructure.com/44101
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jacob Fugal <jacob@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Cosme Salazar <cosme@instructure.com>
2014-11-13 22:05:43 +00:00
Sterling Cobb 981f397033 add a file not found error message
fixes CNVS-16157

Currently if you try to go to a file link that doesn't exist, it will
just show you a page not found error. This leads people to contact
support. Now, you see an error message that tells students to contact
their instructor.

Test Case
As a teacher
Given you have exported a course, but only export a course's wiki pages into a canvas
package
And that course you exported has a link to a file in the wiki page
And you create a new blank course
And import the exported course into the new blank course
Then when you navigate to the new course's wiki page
And click on a link in the wiki page
Then an unauthorized access page should appear
And that page should instruct students to contact their instructor

Change-Id: Ic926bb06c931fd61bc56bd42fe6d8b7edefeefae
Reviewed-on: https://gerrit.instructure.com/42475
Reviewed-by: Sterling Cobb <sterling@instructure.com>
Product-Review: Sterling Cobb <sterling@instructure.com>
QA-Review: Sterling Cobb <sterling@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Dan Minkevitch <dan@instructure.com>
2014-11-12 17:26:36 +00:00
James Williams 7372523690 refactor role type definitions to fix circular dependencies
Change-Id: I7cca4a22ef7dc310ba1b94fd81d67854a6fe1daf
Reviewed-on: https://gerrit.instructure.com/43833
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: James Williams  <jamesw@instructure.com>
2014-11-12 15:29:33 +00:00
Derek DeVries 14591b07ad remove non-draft-state features from quizzes
fixes CNVS-16048

test plan:
  - do regression testing around publishing / unpublishing quizzes
    - all publishing / unpublishing scenarios should work correctly
    - make sure to check publishing on:
      - quizzes#index
      - quizzes#show
      - from modules
      - from module items
    - make sure that warnings about unpublished quizzes work
    - make sure that warnings about not being able to unpublish quizzes with
      submissions work
    - make sure that the module sequence footer still works on the quizzes page
    - make sure we can still review published quizzes in speedgrader

Change-Id: I1112e3b28ed6388077bfc165056bb1ab0d84b3fd
Reviewed-on: https://gerrit.instructure.com/42258
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Trevor deHaan <tdehaan@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Product-Review: James Williams  <jamesw@instructure.com>
2014-11-10 19:15:24 +00:00
Nick Cloward 6e8b6c809c unknown user url redirect loop pt2
fixes: CNVS-16383

Checks for a blank unknown_user_url along with a nil before defaulting
to the login_url for CAS authentication.

Test Plan:

  - Set up CAS with a user that does not exist in Canvas.
      - Make sure the unknown_user_url is an empty string for the
        account's authorization config.
  - Attempt to login to the user with and it should show a Canvas login
    page with an error that the user does not exist.
  - Change the unknown_user_url to nil and it should behave the same as
    if it was an empty string.
  - Change the unknown_user_url to a custom url and it should redirect
    to that page instead of showing the Canvas login page with an error.

Change-Id: Ib97fa022ddc0bc4c4882bf5375f73de89dd94596
Reviewed-on: https://gerrit.instructure.com/43975
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Nick Cloward <ncloward@instructure.com>
2014-11-07 00:29:05 +00:00
Jeremy Stanley 7f543333df fix HTML escaping in flash notices
test plan:
 * create a discussion topic with html code in it,
   for example:
   this is <s>broken</s>
 * delete the discussion topic using the gear menu.
 * the name you see in the popup message informing you that the
   topic has been deleted should appear exactly as you typed it;
   in the example above, you should see "<s>broken</s>" literally,
   and not the word "broken" with a line through it.
 * the screenreader flash message should also be sanitized.

fixes CNVS-16635
fixes CNVS-16653
fixes CNVS-16674
fixes CNVS-16683

Change-Id: I90938ffe8e142027df855078e08ea16eb513255c
Reviewed-on: https://gerrit.instructure.com/43869
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Clay Diffrient <cdiffrient@instructure.com>
QA-Review: Steven Shepherd <sshepherd@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: Matt Fairbourn <mfairbourn@instructure.com>
2014-11-06 19:46:05 +00:00
Jacob Fugal 54649a4d62 clean up user "deletion"
fixes CNVS-1552

any time the UI/API tries to "delete" a user, it should only be trying
to remove it from some root account (the @domain_root_account if not
otherwise specified). if that root account was the last root account the
user was associated with, then the remnants of the user are fully
deleted, but only then. leave User#destroy as a short-cut to delete the
user from all their accounts at once, but should not be invoked directly
from any UI/API actions.

test-plan:

 PERMISSIONS

   being able to remove a user from an account entails being able to:

   - DELETE http://accounts-domain/users/:user
   - DELETE /accounts/:account/users/:user

   both should fail or succeed together

   * given
     - Sally who's an admin with the :manage_user_logins
       permission on one account (Account1) and a student on another
       account (Account2)
     - Bob who's a student on both accounts
     - Alice who's an admin on Account1 with greater permissions than
       Sally

   * Sally should:
     - see "Delete My Account" on her Account1 profile
     - not see "Delete My Account" on her Account2 profile
     - not see "Delete My Account" on Bob's Account1 profile
     - not see "Delete My Account" on Alice's Account1 profile
     - see "Delete from Account1" at /users/:sally
     - see "Delete from Account1" at /users/:bob
     - not see "Delete from Account2" at /users/:sally
     - not see "Delete from Account2" at /users/:bob
     - not see "Delete from Account1" at /users/:alice
     - be able to remove herself from Account1
     - be able to remove Bob from Account1
     - not be able to remove herself from Account2
     - not be able to remove Bob from Account2
     - not be able to remove Alice from Account1

   * given Sally's Account1 pseudonym has a SIS ID but her Account2
     pseudonym doesn't, Sally should:
     - no longer see "Delete My Account" on her Account1 profile
     - no longer see "Delete from Account1" at /users/:sally
     - still see "Delete from Account1" at /users/:bob
     - no longer be able to remove herself from Account1
     - still be able to remove Bob from Account1

 EFFECTS

 * as Sally, remove Bob from Account1 via
   DELETE http://account1-domain/users/:bob
   - Bob's pseudonyms, enrollments, etc. in Account1 should be removed
   - Bob's pseudonyms, enrollments, etc. in Account2 should be untouched

 * repeat using DELETE /accounts/:account1/users/:bob, with the same
   expectations

Change-Id: Ib7612f95d1c7e4cca36d8486950565ec096b4ab1
Reviewed-on: https://gerrit.instructure.com/41591
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
Product-Review: Jacob Fugal <jacob@instructure.com>
2014-11-05 21:00:35 +00:00
Nick Cloward faaec09c91 add idp initiated saml logout
fixes: CNVS-16363

Adds a method to saml_logout which allows Canvas to accept an IDP
initiated SAML logout redirect.

Test Plan:

Setup:
  - SAML server with IDP initiated logouts.
  - SAML account in Canvas using the SAML server.

  * It would be good to test with multiple SAML providers including:
    https://www.feide.no/sites/feide.no/files/documents/Feide_integration_guide.pdf

Tests:
  - Log in as a user within the SAML account.
  - Log out the user from the SAML Server.
  - The user should be logged out of Canvas and redirected back with
    a SAMLResponse in the query string.

Change-Id: I381189cee6759b178fccec4bef9be31b4a81448d
Reviewed-on: https://gerrit.instructure.com/43227
Reviewed-by: Paul Hinze <paulh@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Nick Cloward <ncloward@instructure.com>
2014-11-04 22:58:56 +00:00
Cody Cutrer e719d737f4 more no more dynamic finders
Change-Id: Ibd26ab5b324efff3b9b1af52ac225198f440d8a7
Reviewed-on: https://gerrit.instructure.com/43599
Reviewed-by: Jacob Fugal <jacob@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
2014-11-04 18:57:05 +00:00
Jacob Fugal 8efa352366 add and use :delete permission on pseudonym
fixes CNVS-16481

A user must have permission to update a pseudonym in order to delete it.
In addition, a user cannot delete a system-created pseudonym unless they
can also change its SIS ID.

test-plan:

 being able to delete a pseudonym entails being able to DELETE
 /users/:user/pseudonyms/:id

 * given
   - Sally who's an admin with the :manage_user_logins
     permission on one account (Account1) and a student on another
     account (Account2)
   - Bob who's a student on both accounts
   - Alice who's an admin on Account1 with greater permissions than
     Sally

 * Sally should:
   - be able to delete her Account1 pseudonym
   - be able to delete Bob's Account1 pseudonym
   - not be able to delete her Account2 pseudonym
   - not be able to delete Bob's Account2 pseudonym
   - not be able to delete Alice's Account1 pseudonym

 * given pseudonyms have SIS ids set and Sally doesn't have the
   :manage_sis permission on Account1, Sally should:
   - no longer be able to delete her Account1 pseudonym
   - no longer be able to delete Bob's Account1 pseudonym

Change-Id: Iad54c6ceb5efcbd32ca1ba3fd011ebe0aa699c94
Reviewed-on: https://gerrit.instructure.com/42776
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Reviewed-by: Rob Orton <rob@instructure.com>
Product-Review: Jacob Fugal <jacob@instructure.com>
2014-11-03 23:04:06 +00:00
Jacob Fugal b423a231d4 add and use :merge permission on user
fixes CNVS-16480

A user has permission to merge any user for which he can manage at least
one pseudonym (doesn't need permission to manage all pseudonyms). To
merge two users, the acting user must have permission to merge each of
them.

test-plan:

 being able to merge two users entails being able to:

 - GET /users/:user1/admin_merge?pending_user_id=:user2
 - GET /users/:user1/admin_merge?new_user_id=:user2
 - POST /users/:user1/merge?new_user_id=:user2
 - PUT /api/v1/users/:user1/merge_into/:user2

 they should either all succeed or all fail

 * given
   - Sally who's an admin with the :manage_user_logins
     permission on one account (Account1) and a student on another
     account (Account2)
   - Sally2 who's a student in Account1, admin in Account2
   - Bob who's a student on both accounts
   - Bob2 who's a student in Account1, admin in Account2
   - Alice who's an admin on Account1 with greater permissions than
     Sally

 * Sally should:
   - not see "Merge with Another User" link at /users/:alice
   - see "Merge with Another User" link at /users/:sally
   - see "Merge with Another User" link at /users/:sally2
   - see "Merge with Another User" link at /users/:bob
   - see "Merge with Another User" link at /users/:bob2
   - not be able to merge herself with Alice
   - be able to merge herself with Sally2
   - be able to merge Bob with Bob2

 * Bob should:
   - not see "Merge with Another User" link at /users/:bob
   - not be able to merge himself with Bob2

Change-Id: I840077e80fbdb35ea5b9ef6c80d6af8e41e90ce9
Reviewed-on: https://gerrit.instructure.com/42775
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Reviewed-by: Rob Orton <rob@instructure.com>
Product-Review: Jacob Fugal <jacob@instructure.com>
2014-11-03 23:03:47 +00:00
Jacob Fugal e08cbe8ca3 add and use more pseudonym permissions
fixes CNVS-16477

The :update permission allows a user to update the pseudonym. Specific
portions of the pseudonym may be controlled by more specific permissions
(see below). To update a user's pseudonym requires :manage_user_logins
permissions on the pseudonym's account. A non-admin can only update
their password (see below) on their own pseudonym, which is separate
from this permission.

The :change_password permission allows a user to update a pseudonym's
password. An admin updating another user's pseudonym can only update the
non-managed password if the account allows admins to change passwords
(:admins_can_change_passwords setting). A user (admin or not) can always
update their own non-managed password. Managed passwords can never be
updated through Canvas.

The :manage_sis permission allows a user to update a pseudonym's SIS id
(sis_user_id attribute). It is simply inherited from the pseudonym's
account.

test-plan:

 * given
   - Sally who's an admin with the :manage_user_logins
     permission on one account (Account1) and a student on another
     account (Account2)
   - Bob who's a student on both accounts
   - Alice who's an admin on Account1 with greater permissions than
     Sally

 UNIQUE IDS:

   being able to update a unique ID entails being able to PUT to
   /users/:target_user/pseudonyms/:target_pseudonym?
     pseudonym[unique_id]=new_unique_id

   * Sally should:
     - be able to update her Account1 unique ID
     - be able to update Bob's Account1 unique ID
     - not be able to update her Account2 unique ID
     - not be able to update Bob's Account2 unique ID
     - not be able to update Alice's Account1 unique ID

 PASSWORDS:

   being able to update a password entails being able to PUT to
   /users/:target_user/pseudonyms/:target_pseudonym?
     pseudonym[password]=new_password&
     pseudonym[password_confirmation]=new_password

   * given both accounts allow admins changing passwords, Sally should:
     - be able to update her Account1 password
     - be able to update her Account2 password
     - be able to update Bob's Account1 password
     - not be able to update Bob's Account2 password
     - not be able to update Alice's Account1 password

   * given both accounts have managed passwords (pseudonyms have SIS ids
     set and accounts have non-password authentication), and still allow
     admins changing passwords, Sally should:
     - no longer be able to update her Account1 password
     - no longer be able to update her Account2 password
     - no longer be able to update Bob's Account1 password

   * given Account1 disallows admins changing passwords, Sally should:
     - still be able to update her Account1 password
     - no longer be able to update Bob's Account1 password

 SIS IDS:

   being able to update an SIS ID entails being able to PUT to
   /users/:target_user/pseudonyms/:target_pseudonym?
     pseudonym[sis_user_id]=new_sis_user_id

   * given Sally doesn't have the :manage_sis permission on Account1,
     Sally should:
     - not be able to update her Account1 SIS ID
     - not be able to update her Account2 SIS ID
     - not be able to update Bob's Account1 SIS ID
     - not be able to update Bob's Account2 SIS ID
     - not be able to update Alice's Account1 SIS ID

   * given Sally has the :manage_sis permission on Account1, Sally
     should:
     - be able to update her Account1 SIS ID
     - be able to update Bob's Account1 SIS ID
     - still not be able to update her Account2 SIS ID
     - still not be able to update Bob's Account2 SIS ID
     - still not be able to update Alice's Account1 SIS ID

Change-Id: I9b08ed67db8e2c664c057bb9259a8b18999b0863
Reviewed-on: https://gerrit.instructure.com/42772
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Reviewed-by: Rob Orton <rob@instructure.com>
Product-Review: Jacob Fugal <jacob@instructure.com>
2014-11-03 23:03:09 +00:00
Brad Humphrey a234cb9ce9 perform variable substitutions on sessionless launches
test plan:
  - install a tool with variable substitutions
  - do a sessionless launch
  - it should substitute variables

fixes PLAT-695

Change-Id: Ia4f0c35caeec182dc29bf07df2d1a9db45a244aa
Reviewed-on: https://gerrit.instructure.com/43617
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Product-Review: Bracken Mosbacker <bracken@instructure.com>
2014-11-03 21:00:01 +00:00
James Williams 81d4adc319 new roles
refactor everything that used to use strings for roles
to use actual role_ids

the apis should be backwards compatible so we don't need
to update (most of) the UI's right away in this commit

test plan:
* regression tests for permissions, role overrides,
 alerts (for account roles), enrolling users,
 adding account admins, etc.

refs #CNVS-15481

Change-Id: Id57fd3104c5c518b6fbf180609950dcddcdd474d
Reviewed-on: https://gerrit.instructure.com/41208
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Steven Shepherd <sshepherd@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
2014-10-31 19:44:14 +00:00
Cameron Matheson fd8dec9805 handle crocodoc/canvadocs timeouts when creating sessions
closes CNVS-16086

Test plan:
  * do something to make api calls to crocodoc time out
  * try to preview a crocodoc document
  * you should see an error that suggests you try again later
  * repeat for canvadocs

Change-Id: I26619cbbe95940cf51027fb8ea50a7c727722c83
Reviewed-on: https://gerrit.instructure.com/42389
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Amber Taniuchi <amber@instructure.com>
Product-Review: Cameron Matheson <cameron@instructure.com>
Reviewed-by: Josh Simpson <jsimpson@instructure.com>
2014-10-30 23:05:44 +00:00
Jeremy Stanley 104480ed00 don't redirect deleted enrollment to crosslisted course
test plan:
 - create two courses, A and B
 - crosslist the default section of course A to course B
 - enroll a user into course B
 - as the user, go to course A ("/courses/{course A's id}")
  - you should be redirected to course B
 - delete the user's enrollment to course B
 - as the user, go to course A
  - you should not be redirected. (you may get a permission-denied
    error if the user doesn't have permission to read course A.)

fixes CNVS-16290

Change-Id: I1e154748039c7a2ba893f69530841b544dbb8d8a
Reviewed-on: https://gerrit.instructure.com/43088
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: James Williams  <jamesw@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: Matt Fairbourn <mfairbourn@instructure.com>
2014-10-30 19:54:40 +00:00
James Williams d8a317dfdb restrict verifiers to public file links in calendar event export
test plan:
* create a calendar event for a private course with a link
to an unlocked attachment
* sync the calendar with an external source
* the exported calendar event should not add a verifier to
the link (and thus allow someone to bypass authentication)

* repeat for a public course
* should add a verifier this time

closes #CNVS-15352

Change-Id: I743e73dc852c204cdf68c0b8b9e3fc2d402ad855
Reviewed-on: https://gerrit.instructure.com/43288
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: James Williams  <jamesw@instructure.com>
2014-10-30 12:44:21 +00:00