fixes#6347
* logs more information on ldap failures and passes it down to the browser in
the ajax response.
* fixes a crazy javascript bug where we were accidentally using a reserved
global var in webkit, 'status', which is a string, which interacted strangely
with our use of it as a boolean. this fixes the tester for firefox/ie
test plan:
(for #6347)
- use the tester in firefox and ie, it should work
(for error messages)
- one at a time, change the fields of a config, and run the tester
- you should get (slightly) more helpful error messages about what is failing,
based on status returned from the server.
Change-Id: Ic0837d7ff9f6283d615ddd4bbeef5a957dbd6553
Reviewed-on: https://gerrit.instructure.com/12880
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
fixes#9879
The profile nav link should only be shown when @domain_root_account has
profiles enabled.
Test plan:
* make sure caching is enabled
* go to to your user settings on an account with profiles enabled
- you should see a profile link in the sidebar
* switch to an account that doesn't have profiles
- you should no longer see the profile tab in the sidebar
Change-Id: If502829ef9d0bfa8117df82e241beb8cd61e03a9
Reviewed-on: https://gerrit.instructure.com/12935
Reviewed-by: Jon Jensen <jon@instructure.com>
Reviewed-by: Bryan Madsen <bryan@instructure.com>
Tested-by: Bryan Madsen <bryan@instructure.com>
do it all in a single update query - avoids extraneous touches as well
as several queries to load data that can be checked in the update
test plan:
* run grade publishing specs
* publish grades with async option
* import the results
Change-Id: I95a67cd1c4d7459cb0f28033421328da6de7113a
Reviewed-on: https://gerrit.instructure.com/12992
Reviewed-by: Brian Palmer <brianp@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
we use jslint just as a last resort effort to make
sure our javascript doesn't have syntax errors or
something. these changes will make the jenkins
output less verbose.
Change-Id: I937ad1bc6f6b142c4ba424f65e72e9806468638f
Reviewed-on: https://gerrit.instructure.com/12787
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Ryan Shaw <ryan@instructure.com>
when the profile links are rendered they are now
checked for a simple schema, the check is very
loose so people can add tel:// file:// etc.
if there is no schema, http:// gets added to it
Change-Id: I68ad3d83d459916a25941fbf7d2803a68c5bf40b
Reviewed-on: https://gerrit.instructure.com/12987
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
- moved generic "contact" method icon to "message"
- added a google docs logo
facebook used to be in the 0x0 position, making
any services without an icon default to the
facebook logo, now it defaults to the message
logo which is better until we have an icon for
everything
Change-Id: I05378295dcfc4f86ab865ada838c77e321414cc4
Reviewed-on: https://gerrit.instructure.com/12984
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
fixes#9890
Test plan:
* edit a user's profile
* delete the name
* you should see an error about the name
Change-Id: I05a3ad4ecd429c5e6563574e92571ae59100f0a6
Reviewed-on: https://gerrit.instructure.com/12942
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
fixes#9451
rack's request.scheme doesn't take x-forwarded-proto into account, so it
was returning http. Using request.protocol correctly handles ssl
termination, it just means we have to chop off the "://" part of the
protocol.
test plan: In an environment using ssl behind a load balancer, load the
avatar for a user that doesn't have one. verify that the gravatar
request redirects back to canvas using https, not http.
Change-Id: Ifb5f42e91379cfe591d29e07cd2ccf1f9d2b19fa
Reviewed-on: https://gerrit.instructure.com/12865
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
closes: #7172
test plan:
* open discussion topic index page:
- see how it looks in blank course
- full course
- try graded & unread filters (make sure you see things you expect to and not those you don't)
- do bulk actions by clicking checkbox for a few and hitting delete and lock buttons
- verify infinite scroll works
- verify that as a student you don't see posts that had delayed posting
- click "create new" button to make a new one, make sure it works
- do all the above in the announcement index page
* while viewing announcements index:
- verify teacher can create external feed on right
- no right side unless external feeds exist or they are teacher
- external feeds are listed
- only teacher can delete external feed
* while editing/creating new discussion/announcement
- verify that announcement cant be made into assignment
- for discussion topic, set as assignment and make sure the assignment settings set.
- cant change discussion -> announcement (& vise versa)
- type crazy & blank input, verify that it validates it for you
- title cant be longer than 254
- make sure these features work:
- podcast feed
- student posts in podcast feed
- delayed posting
- toggling threaded/unthreaded
- must post before seeing replies
- attach file, remove file attachment, upload new attachment should work
* make sure announcements/discussions look & behave right in other places they show up
(like course, user dashboard)
* if you can think of any other places where you can edit/create discussions/announcements, make
sure that still works
Change-Id: Ib0acaff8542bf09f99cd7aa99fb3ed16c999d224
Reviewed-on: https://gerrit.instructure.com/12655
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
fixes#9975
test plan:
- retrieve a folder using the API
- locked_for_user should be a single boolean value
Change-Id: I2bd6fcde8554be35ac497700c9e30a714fe96bed
Reviewed-on: https://gerrit.instructure.com/12975
Reviewed-by: Brian Palmer <brianp@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
fixes#9872
on the course settings page, the 'end this course' button should not
display for courses whose terms have already ended.
test plan:
* create a course inside of a term whose end_at date has already
passed;
* visit the course settings page and verify that the 'end this course'
button is not visible in the sidebar.
Change-Id: I8f8ddc1cd495a3488fda6989de28d45abd67b6cd
Reviewed-on: https://gerrit.instructure.com/12893
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
now cache permission lookups for anything that is_a_context?, except for
the User model (since that might result in a lot of writes to the cache
that seldom get read). this expands the cacheable list to [Course, Group,
Account]
test plan:
1. use course, group and account-related functionality in canvas
2. confirm that the those permissions are cached (rails log) and used
3. do something that sets :session_affects_permissions (e.g. get a
course invitation and go look at the course)
4. confirm that course, group and account permissions are no longer
cached, but work correctly
5. confirm that non-context permission checks work correctly and are not
cached (rails log)
Change-Id: I2aab74e225bb4da1a7f486512575c702415eb6fc
Reviewed-on: https://gerrit.instructure.com/12971
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
clean up grants_right? and grants_rights?, and add cache expiration so
that stale data eventually clears. the cache-related changed are:
1. we now cache "nobody" lookups for course permissions
2. course permission lookups are cached for no more than a day
additionally, there is a slight behavior fix for non-course grants_rights?
calls that care about the session. previously, the session argument to a
"given" block would be set to nil unless the :session_affects_permissions
flag was set. this was *not* the case for grants_right?. so that means
that grants_rights? calls for a non-context could be more restrictive than
the equivalent grants_right? one(s).
a code audit reveals there should be no places where this was actually
happenening today, so the fix shouldn't affect any current permissions
checks in canvas. rubric_assessment.rb would be susceptible, but the
corresponding controller code is unused. eportfolio.rb has some session-
based policy checks, but it was setting :session_affects_permissions.
test plan:
1. use course-related functionality in canvas
2. confirm that the course permissions are cached (rails log) and used
3. do something that sets :session_affects_permissions (e.g. get a
course invitation and go look at the course)
4. confirm that course permissions are no longer cached, but work
correctly
5. confirm that non-course permission checks work correctly and are not
cached (rails log)
Change-Id: Ie7f79054f48f6a9f168510349c3d1f1ef453deb4
Reviewed-on: https://gerrit.instructure.com/12933
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
test plan:
* log in checking "stay signed in"
* close the browser
* open the browser, go to profile
* it should say "For security purposes, please enter your password
to continue" in yellow
Change-Id: I6a0f03d5d40314b1422d881f15f7a9053afcfc16
Reviewed-on: https://gerrit.instructure.com/12970
Reviewed-by: Brian Palmer <brianp@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
functionally the same, but allows for higher level routing of CAS
requests apart from general login requests
test plan:
* login and log out with CAS configured
Change-Id: Id4a9633f2dd48e9d7fe0cf9d3ec917750eb8c8ce
Reviewed-on: https://gerrit.instructure.com/12961
Reviewed-by: Brian Palmer <brianp@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
also refactor the assignment description to an @object,
and reference it from all actions.
add some missing Assignment fields too
test plan:
- make sure the generated documentation for Assignments is good
(there is no behavior change)
Change-Id: I29815bb5dcd15ae14faac59f9941220415867ec4
Reviewed-on: https://gerrit.instructure.com/12867
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
disabling canvas auth also force-disables open registration, and
makes LDAP auth act like full delegated auth (CAS or SAML)
test plan:
* configure LDAP, CAS, or SAML. MAKE SURE YOU CAN LOG IN.
* go to account settings, and disable "Canvas Authentication"
* open registration should no longer show up on account settings
page (after saving)
* ensure you can no longer log in with your Canvas credentials, but
you can with LDAP, CAS, or SAML credentials.
* remove LDAP, CAS, or SAML from the account
* "Canvas Authentication" should no longer show up on the account
settings page, open registration should
* your Canvas credentials should start working again
* add LDAP, CAS, or SAML back
* "Canvas Authentication" should be back on in account settings
Change-Id: Ic7475623e5139bb545a87d8e5b1014dabaf4e854
Reviewed-on: https://gerrit.instructure.com/12850
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
test plan:
* enable optional MFA, and check the following:
* normal log in should not be affected
* you can enroll in MFA from your profile page
* you can re-enroll in MFA from your profile page
* you can disable MFA from your profile page
* MFA can be reset by an admin on your user page
* when enrolled, you are asked for verification code after
username/password when logging in
* you can't access any other part of the site directly until
until entering your verification code
* enable required MFA, and check the following
* when not enrolled in MFA, and you log in, you are forced to
enroll
* you cannot disable MFA from your profile page
* you can re-enroll in MFA from your profile page
* an admin (other than himself) can reset MFA from the user page
* for enrolling in MFA
* use Google Authenticator and scan the QR code; you should have
30-seconds or so of extra leeway to enter your code
* having no SMS communication channels on your profile, the
enrollment page should just have a form to add a new phone
* having one or more SMS communication channels on your profile,
the enrollment page should list them, or allow you to create
a new one (and switch back)
* having more than one SMS communication channel on your profile,
the enrollment page should remember which one you have selected
after you click "send"
* an unconfirmed SMS channel should go to confirmed when it's used
to enroll in MFA
* you should not be able to go directly to /login/otp to enroll
if you used "Remember me" token to log in
* MFA login flow
* if configured with SMS, it should send you an SMS after you
put in your username/password; you should have about 5 minutes
of leeway to put it in
* if you don't check "remember computer" checkbox, you should have
to enter a verification code each time you log in
* if you do check it, you shouldn't have to enter your code
anymore (for three days). it also shouldn't SMS you a
verification code each time you log in
* setting MFA to required for admins should make it required for
admins, optional for other users
* with MFA enabled, directly go to /login/otp after entering
username/password but before entering a verification code; it
should send you back to the main login page
* if you enrolled via SMS, you should not be able to remove that
SMS from your profile
* there should not be a reset MFA link on a user page if they
haven't enrolled
* test a login or required enrollment sequence with CAS and/or SAML
Change-Id: I692de7405bf7ca023183e717930ee940ccf0d5e6
Reviewed-on: https://gerrit.instructure.com/12700
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Brian Palmer <brianp@instructure.com>
minimum to not accidentally blow away more than 2 configs
test plan:
* in script/console, add more than 2 ldap configs to an account
* the UI should show them all, and they should be editable
* you should not be able to add more, or delete any individual
config
* normal editing of one or two configs should work just fine
Change-Id: I66b31f1b800b40aa490fd05b051bec23be9ef0bb
Reviewed-on: https://gerrit.instructure.com/12879
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Cody Cutrer <cody@instructure.com>
refs #8120
test plan
- be an admin in a course with at least one other user
- /users/1/admin_merge
- enter your own id into the text box -> should get an error about not
being able to merge an account with itself
- enter a user id that doesnt exist -> should get an error about not
being able to find the user
- enter text and punctuation -> should get an error about invalid text
being entered
Change-Id: Iaaef29ffb733edf4508b22ffbcc5030e05ffd245
Reviewed-on: https://gerrit.instructure.com/12793
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Brian Palmer <brianp@instructure.com>
make start tls the default if not otherwise specified in the API, and
the default for new integrations in the UI. still support booleans
in the API.
test plan:
* test non-tls, simple tls, and start tls LDAP servers
* ensure new LDAP settings default to start tls
Change-Id: I60b2f2d6cbdd32beff14d198c92efbfd6705b041
Reviewed-on: https://gerrit.instructure.com/12923
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Cody Cutrer <cody@instructure.com>
test plan:
* set up an LDAP search filter like
(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName={{login}}))
and ensure you don't get a page error trying to log in
Change-Id: I7b431783f646cbdaf2b1c78778a05224e9c88183
Reviewed-on: https://gerrit.instructure.com/12913
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Cody Cutrer <cody@instructure.com>
previously, descriptions longer than 177px in calendar2 events
were overflowing beyond the modal onto the page. this fix adds a
scrollbar for those descriptions.
test plan:
* create an assignment with a really long description and a due date
(so it shows up in calendar2);
* as a user in the same class as the assignment, visit the calendar2
page and click on the assignment;
* verify that the description is scrollable and does not overflow
beyond the modal.
Change-Id: I6522f4712b31a879473bc63066cbd4854731b3b9
Reviewed-on: https://gerrit.instructure.com/12954
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
fixes#9966
refs #9901
there was a bug where policies for non-default channels were being considered
when deciding whether a default policy needed to be created, to show on the
communication preferences page.
also prevent an exception from being thrown when a user has no communication
channels, and visits the notification preferences page. We still need some
better UI here explaining why you can't do anything on the page.
test plan:
(for #9966)
- create a new user with an email, and setup some notification preferences
- add a new email address and retire the first one
- go to the notification preferences page
- you should have default preferences for the (new) default channel
(for #9901)
- as a user with no communication channels
- go to the notification preferences page
- it should not break
Change-Id: Iecd544571d6fece2a23c24b547ae434e8b57daae
Reviewed-on: https://gerrit.instructure.com/12952
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
some malformed imports are missing an indent on response_label
tags. we should just ignore these instead of failing on import.
test plan:
* run specs
Change-Id: I82914f1ff279b921ae5668c38b80ac4616595a29
Reviewed-on: https://gerrit.instructure.com/12950
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
This ensures that conferences on different shards won't accidentaly
share a voice bridge.
test plan: ensure that voice chat in Big Blue Button conferences still
works as expected.
Change-Id: I3e995943a33a2b18e6574c8f60f094e53f5a2753
Reviewed-on: https://gerrit.instructure.com/12945
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
fixes#9942
notifications is an unsharded table, so we can't join it again notification
policies. switch to include to get expected behavior
test plan:
- on a non-default shard
- change all of your notification frequencies
- they should stay changed.
Change-Id: Ife74a2124567381e3d1898f1d34ca09904d7376d
Reviewed-on: https://gerrit.instructure.com/12937
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
This adds an alternative method for uploading files by giving Canvas a
public URL in the first step, rather than uploading the file data directly.
test plan:
- create a course file via the API upload mechanism
- make sure the return values are as documented
- make sure the file was correctly uploaded
- create a course file via the URL approach
- make sure the return values are as documented
- make sure the file status endpoint returns valid responses
- make sure the file was correctly stored in Canvas
- repeat that process with a file that has at least one redirect
- repeat that process but creating a homework submission file
- try to create a course file with a malformed URL
- confirm that the appropriate error message is returned
- try to create a course file with a relative URL
- confirm that the appropriate error message is returned
- try to create a course file with a URL that doesn't return 200
- confirm that the appropriate error message is returned
Change-Id: I2dcf711347ec4ef26d767ae1c1fa0bb056986651
Reviewed-on: https://gerrit.instructure.com/12143
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
fixes#9878
test plan:
1. go to any users profile page
2. notice under unregistered services
each buttons text align is left instead
of center
Change-Id: I27f93d3a17c832c16df9afea43cbcc6d9aadc48a
Reviewed-on: https://gerrit.instructure.com/12900
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Bryan Madsen <bryan@instructure.com>
when a new user signs up, we don't want the form to be reenabled during
the window between the ajax response and the redirect to the dashboard
test plan:
1. go to /register
2. submit the form with missing/invalid data
3. it should be disabled, and then reenabled with appropriate error boxes
4. submit the form with valid data
5. it should remain disabled until you are redirected to the dashboard
Change-Id: If6a65db71ecbbcabdb747214cee181e25a5cff52
Reviewed-on: https://gerrit.instructure.com/12922
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
fixes#9873
The previous method for making this happen was just setting scribd_doc
to nil on the attachment before serializing it (wut?), but
Attachment#scribd_doc is overridden to return the root_attachment's
scribd_doc if there isn't one on this attachment.
The new strategy is to just use our filter_attributes_for_user stuff to
remove the secret info if the user doesn't have permission.
test plan: Upload a pdf or something, set it as locked, link to it from
a wiki page. As a student in that course, you shouldn't be able to
preview the document in-line. Then copy the course. In the new course,
you also shouldn't be able to preview the document in-line.
Change-Id: I66dc3a55a4e0371337846eb82179e6638a7d3852
Reviewed-on: https://gerrit.instructure.com/12921
Reviewed-by: Brian Palmer <brianp@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
fixes#8221
test plan: no user visible changes in behavior, so this is a regression
test. repeat this test plan once for s3 files and once for local
files:
* verify file uploads on /courses/X/files and /dashboard/files
* upload to other folders
* upload multiple files
* zip uploads
* weird characters in filenames, duplicate filenames
* verify other places we upload files like content imports and sis
imports
Change-Id: I01b7805eb947097b250bf9be944a9347ecc4ff5e
test plan:
1. go to the style guide or some place that uses the ui-icon-info class
2. it should have the blue info icon
Change-Id: I3c16e7add2d444982fc010f1dbc833a7f6749db4
Reviewed-on: https://gerrit.instructure.com/12912
Reviewed-by: Ryan Shaw <ryan@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
when users sign up via open registration, they can use canvas before
confirming their email address (and setting a password). since we show
a "Configure Communication Preferences" button, it makes sense to let them
actually do it (instead of getting a big scary warning). notifications
won't actually be sent until the communication channel gets confirmed, so
we warn them about that.
test plan:
1. sign up as a teacher via /register
2. when you get to the dashboard, click the "Configure Communication
Preferences" button
3. you should see notification preferences
4. you should be able to update them
5. you should see a reminder to confirm your email
6. the "re-send email" link in the reminder should work
Change-Id: I585a69b8667ef82eb2e4c3005179bc14377e467b
Reviewed-on: https://gerrit.instructure.com/12911
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Ryan Shaw <ryan@instructure.com>
fixes#9816
test plan: create a question bank, add a couple questions, and delete at
least one question. copy the course, verify that the new course doesn't
have the deleted question in the bank, but has the others.
Change-Id: Icdbe4cf4a8a98d04aa755e1f89b0f87538b08023
Reviewed-on: https://gerrit.instructure.com/12908
Reviewed-by: Simon Williams <simon@instructure.com>
Reviewed-by: Bracken Mosbacker <bracken@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
fixes regression in gradebook around default turnitin icon (and brings gb2
in line)
test plan:
1. set up turnitin on an account and assignment
2. submit homework as a student
3. as a teacher, check gradebook and gradebook2
4. you should see a gray turnitin icon (until the turnitin report gets
generated)
Change-Id: I3ac470c7e669f6933ece611595cef5673a847c7c
Reviewed-on: https://gerrit.instructure.com/12882
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
store whether the new user is a teacher/student/observer (if specified)
test plan:
1. sign up as a teacher/student/observer
2. it should work
3. the user record should have the correct initial_enrollment_type
Change-Id: I6200d677f2da946b05d6f90c89617b3476ed390b
Reviewed-on: https://gerrit.instructure.com/12873
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
ensure legacy API route is still available (and added spec). minor doc
tweaks/fixes
test plan:
1. find conversation recipients through the web UI
2. find recipients by hitting the following URLs directly:
* /api/v1/search/recipients
* /api/v1/conversations/find_recipients
3. find recipients using the iPad app
4. it should all work
Change-Id: Ic283b3f5bacb22aba7b077e300d96c07565b8cd0
Reviewed-on: https://gerrit.instructure.com/12887
Reviewed-by: Jon Jensen <jon@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
return students and teachers/TAs 50 users at a time, and
display them in an infinitely scrolling div. also update
the styling of the scrolling divs to better reflect that they
are scrollable to users w/o permanent scrollbars (e.g. OS X).
test plan:
* create a course with over 50 student or teacher/ta
enrollments;
* view the course people page and verify that student
and teacher enrollments load as expected;
* scroll the field with the most enrollments and verify
that when the bottom is reached more enrollments load;
* verify that when all enrollments have loaded, the div
no longer attempts to load new enrollments;
* create a new course section and add enrollments to it;
* as a user with permissions limited to section, verify
that only enrollments in the allowed section are
displayed.
Change-Id: I2e6485a2edf950acf58f5ccbc75c2965297aed04
Reviewed-on: https://gerrit.instructure.com/12680
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Zach Pendleton <zachp@instructure.com>
Simon Williams