closes GRADE-1936
test plan:
A. Setup
1. Allow the Post Policies feature for the account
2. Select or create a course
3. Ensure the course has at least one assignment
B. Verify without Feature
1. Ensure the Post Policies feature flag is not enabled for the course
2. Visit New Gradebook
3. Open the Assignment Column Header Options Menu
4. Verify "Mute/Unmute Assignment" is present
5. Verify "Post grades" is not present
C. Verify with Feature
1. Enable the Post Policies feature flag for the course
2. Visit New Gradebook
3. Open the Assignment Column Header Options Menu
4. Verify "Post grades" is present
5. Verify "Mute/Unmute Assignment" is not present
6. Click "Post grades"
7. Verify the "Post Grades" tray opens
8. Verify the tray shows the assignment name
9. Verify the tray can be closed and re-opened
Change-Id: Ia3b2a050a0ba53cc24f59c99d3ef6cac8dedd08f
Reviewed-on: https://gerrit.instructure.com/180615
Reviewed-by: Gary Mei <gmei@instructure.com>
Reviewed-by: Adrian Packel <apackel@instructure.com>
Tested-by: Jenkins
QA-Review: Jeremy Neander <jneander@instructure.com>
Product-Review: Jonathan Fenton <jfenton@instructure.com>
refs COMMS-1844
Test Plan:
- Click on comments on an A2 student view
- notice there is a loading indicator then
the comments load
Change-Id: I43ed778b826153b5cb4e58b9365a0016dec10897
Reviewed-on: https://gerrit.instructure.com/180618
Tested-by: Jenkins
Reviewed-by: Aaron Hsu <ahsu@instructure.com>
QA-Review: Landon Gilbert-Bland <lbland@instructure.com>
Product-Review: Steven Burnett <sburnett@instructure.com>
refs CORE-2286
test plan:
- test content insertion workflow with tools that launch from the rce
- include a test with deep linking
- include a test with tools that use selection and editor contents
Change-Id: I22c317f46cd9ae075b050b89474078bb6d4bc068
Reviewed-on: https://gerrit.instructure.com/180542
Tested-by: Jenkins
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Product-Review: Nathan Nuclear <nathan@instructure.com>
This expands the AnonymousOrModerationEvents to log autograded events
into account, such as LTI tools or old quizzes grading. The logging
callback in submission now detects an autograded event and logs it
properly. The SubmissionsController now shares these events as well as
tool and quiz names. You cannot create an anonymous quiz in canvas UI, so
we should only see this with LTI tools.
fixes GRADE-1912
test plan:
- Have a course with a teacher and a student
- Create an assignment
- In the rails console create a fake LTI tool like:
    external_tool = Account.default.context_external_tools.create!(
      name: "Example tool",
      url: "http://www.example.com",
      consumer_key: "12345",
      shared_secret: "secret"
    )
- In the rails console grade the assignment as the tool like:
    assignment.grade_student(first_student, grader_id: -external_tool.id, score: 80)
- Access the audit log via an API call to:
    /courses/<course_id>/assignments/<assignment id>/submissions/<submission_id>/audit_events
- Note that an external_tool array is returned with the tool id and
  name, as well as a submission event with a nil user_id and a filled
  external_tool id that matches the tool we created
Change-Id: I207255a74640b3efc798e111b587c9c58423566f
Reviewed-on: https://gerrit.instructure.com/177801
Tested-by: Jenkins
Reviewed-by: Cody Cutrer <cody@instructure.com>
Reviewed-by: Rob Orton <rob@instructure.com>
Reviewed-by: Adrian Packel <apackel@instructure.com>
Reviewed-by: Gary Mei <gmei@instructure.com>
Product-Review: Keith Garner <kgarner@instructure.com>
QA-Review: James Butters <jbutters@instructure.com>
Test Plan: qacr for syntax
Change-Id: I2fef04a26a26ee469ecbe356f60951efb67305f3
Reviewed-on: https://gerrit.instructure.com/180666
Tested-by: Jenkins
Reviewed-by: Jeremy Putnam <jeremyp@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Product-Review: Jeremy Putnam <jeremyp@instructure.com>
fixes PLAT-4114
Test Plan:
- Create an unpublished assignment associated with a plagiarism
detection tool
- From the assignment index, publish the assignment
- Edit the assignment and verify the plagiarism tool is still
associated
Change-Id: Ib64a6cd91331427ab5d19e885cadf821e69a26f5
Reviewed-on: https://gerrit.instructure.com/180467
Tested-by: Jenkins
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: Nathan Mills <nathanm@instructure.com>
Product-Review: Jesse Poulos <jpoulos@instructure.com>
Closes: PLAT-4078
Test Plan:
- Verify live events Canvas writes to kinesis now contain the
"context_sis_source_id" value in the metadata section.
- Verify this value is not added if the context does not
have an sis_source_id column
Change-Id: I045d6295d0d5ea468fb657a3378a3613508d6a63
Reviewed-on: https://gerrit.instructure.com/180236
Tested-by: Jenkins
Reviewed-by: Nathan Mills <nathanm@instructure.com>
Product-Review: Nathan Mills <nathanm@instructure.com>
QA-Review: Nathan Mills <nathanm@instructure.com>
fixes GRADE-1991
Test plan:
- Grant a student multiple enrollments in a single course
- Take note of the enrollment IDs
- Set an override score for that student in the gradebook
(for "All Grading Periods"), or use the endpoint below
- In a Rails console, locate the scores for that student:
> Score.where(enrollment_id: <enrollment IDs>, course_score: true)
- Their override_score values should match the score you set
(Alternatively, you can set the score by opening the /graphiql endpoint
in your browser and running:
    mutation {
      setOverrideScore(input: {
        enrollmentId: <enrollmentID>
        overrideScore: <a score>}
      ) {
        grades {
          overrideScore
        }
        errors {
          attribute
          message
        }
      }
    }
)
Change-Id: I80402733202e5772463b04a3cecb819f1ec0158d
Reviewed-on: https://gerrit.instructure.com/180250
Tested-by: Jenkins
Reviewed-by: Jeremy Neander <jneander@instructure.com>
Reviewed-by: Keith Garner <kgarner@instructure.com>
QA-Review: James Butters <jbutters@instructure.com>
Product-Review: Keith Garner <kgarner@instructure.com>
fixes COMMS-1852 SEC-2152
Test Plan
* The ticket https://instructure.atlassian.net/browse/SEC-2152
explains the steps better than I could here
* One thing to consider is that the ticket uses an external
request maker in order to accomplish the editing tasks
Change-Id: I5b12c557751494115a3198a24fcbc162c8a99277
Reviewed-on: https://gerrit.instructure.com/179711
Tested-by: Jenkins
Reviewed-by: Landon Gilbert-Bland <lbland@instructure.com>
QA-Review: Landon Gilbert-Bland <lbland@instructure.com>
Product-Review: Aaron Hsu <ahsu@instructure.com>
Allow an assignment to post/unpost an arbitrary set of submissions, and
use this workflow for muting/unmuting. When post policies are enabled,
determine an assignment's muted? status based on whether it has any
unposted submissions (and update it as submissions are posted/unposted).
When the user manually mutes/unmutes an assignment, adjust its post
policy accordingly.
closes GRADE-1875
Test plan:
- For a course with the Post Policies feature flag enabled:
- Create some assignments to play around with
- Creating an anonymous or moderated assignment (or changing an
existing one) should automatically create an associated
PostPolicy object with post_manually set to true
- Otherwise, a PostPolicy should not automatically be created
- (To check this, you'll need to look at assignment.post_policy
in a console; it's not visible in the UI yet)
- Muting an assignment (from the UI or using mute!) should:
- Save a post_policy for the assignment with post_manually set to
true (if not already set)
- Set posted_at for all active submissions to nil
- Do the usual other stuff like hiding submission comments
- Have no effect if all submissions are already unposted
- Unmuting an assignment (from the UI or using unmute!) should:
- Save a post_policy for the assignment with post_manually set to
false (if not already set)
- Set posted_at for all active submissions to the current date
- Do the usual other stuff like showing submission comments
- Have no effect if all submissions are already posted
- In a Rails console, find an assignment/some submissions to test with
> assignment.post_submissions(submissions: submissions)
- This should post the given submissions (i.e., set posted_at,
show comments, etc.) but no others
> assignment.unpost_submissions(submissions: submissions)
- This should unpost only the given submissions
- Both methods should update the assignment's muted attribute
automatically:
- Muted should be set to true if any active submissions on the
assignment remain unposted, and false if all are posted
- Note: setting the posted_at time on an individual submission
will NOT auto-update the assignment's muted status (as of this
patchset)
- For a course with the Post Policies feature flag *disabled*:
- Muting/unmuting an assignment should work as usual, and should
*not* attempt to create a post policy on the assignment
- It should, however, still set or unset the posted_at date on
all the assignment's submissions
- In a Rails console:
- The muted? attribute should behave like before (i.e., it should
not be dynamically updated if a subset of submissions is posted
or unposted)
Change-Id: I317dee609fe92cf2832d36bff54511abeb72137c
Reviewed-on: https://gerrit.instructure.com/179361
Reviewed-by: Gary Mei <gmei@instructure.com>
Reviewed-by: Jeremy Neander <jneander@instructure.com>
Tested-by: Jenkins
QA-Review: Gary Mei <gmei@instructure.com>
Product-Review: Keith Garner <kgarner@instructure.com>
refs QUIZ-5864
test plan:
- do a course copy
- find an assignment, set workflow_state to 'failed_to_duplicate'
in rails console
- expect Retry button is available in UI
- click Retry button and wait, the failed assignment can be duplicated
again
- regression on assignment copy, course copy
Change-Id: I1594a68cf15c4994cd916b25e100ed277cc6cdc1
Reviewed-on: https://gerrit.instructure.com/180012
Tested-by: Jenkins
Product-Review: Hannah Bottalla <hannah@instructure.com>
QA-Review: Robin Kuss <rkuss@instructure.com>
Reviewed-by: Stephen Kacsmark <skacsmark@instructure.com>
fixes COMMS-1843
Test Plan
* Create an assignment on a course.
* Have a student add a submission to the assignment
* Create some comments on the submission as both the student and the
teacher
* navigate to graphiql
* verify you can see the comments. Query will look something like
this:
    query {
      assignment(id: 5) {
        submissionsConnection {
          nodes {
            commentsConnection {
              nodes {
                _id
                comment
                author {
                  avatarUrl
                  shortName
                }
              }
            }
          }
        }
      }
    }
* Create a different assignment that has anonymous peer review enabled
* Create comments on that assignment as multiple students
* Run the above query again as one of the students. Verify the
`author` section is nil for comments that this student didn't leave
Change-Id: I5773cee6f6bfcbbd116b829d2181df40a826e075
Reviewed-on: https://gerrit.instructure.com/178948
Reviewed-by: Landon Gilbert-Bland <lbland@instructure.com>
Reviewed-by: Steven Burnett <sburnett@instructure.com>
Tested-by: Jenkins
QA-Review: Landon Gilbert-Bland <lbland@instructure.com>
QA-Review: Steven Burnett <sburnett@instructure.com>
Product-Review: Landon Gilbert-Bland <lbland@instructure.com>
refs: MBL-11907
Test Plan:
- Create an assignment and align a rubric
- toggle the "Remove points from rubric" setting
- view the assignment in the api
- the rubric_settings object in the response should
include the value of the hide_points field
Change-Id: Iab2c7196f1134841cd89379347ee811a1944e584
Reviewed-on: https://gerrit.instructure.com/180241
Tested-by: Jenkins
Reviewed-by: Matthew Berns <mberns@instructure.com>
Reviewed-by: Nate Armstrong <narmstrong@instructure.com>
QA-Review: Nate Armstrong <narmstrong@instructure.com>
Product-Review: Matt Sessions <msessions@instructure.com>
closes GRADE-1928
Test Plan
- Navigate to `/graphiql` as a teacher.
- Run a mutation to create an assignment post policy:
    mutation {
      setAssignmentPostPolicy(input: {assignmentId: `assignment_id`, postManually: false}) {
        postPolicy {
          course {
            _id
          }
          assignment {
            _id
          }
          postManually
        }
        errors {
          attribute
          message
        }
      }
    }
- Run the mutation, and verify that the response contains a
postPolicy object containing the course id, assignment id, and
whether it posts manually or not.
- Run a query to verify that the post policy was saved:
    query {
      assignment(id: `assignment_id`) {
        postPolicy {
          _id
          postManually
          assignment {
            _id
          }
          course {
            _id
          }
        }
      }
    }
- Create a post policy for another assignment.
- Run a mutation to create a course post policy:
    mutation {
      setCoursePostPolicy(input: {courseId: 1, postManually: true, overrideAssignmentPostPolicies: false}) {
        postPolicy {
          course {
            _id
          }
          assignment {
            _id
          }
          postManually
        }
        errors {
          attribute
          message
        }
      }
    }
- Run a query to verify that all assignment post policies exist.
Only assignment post policies should be returned:
    query {
      course(id:1) {
        assignmentPostPolicies {
          nodes {
            _id
            postManually
            course {
              _id
            }
            assignment {
              _id
            }
          }
        }
      }
    }
- Run a query to verify that the course post policy exists:
    query {
      course(id:1) {
        postPolicy {
          _id
          postManually
          course {
            _id
          }
          assignment {
            _id
          }
        }
      }
    }
- Set overrideAssignmentPostPolicies to be true and create a course
post policy.
- Verify that only the course post policy exists, and all previous
assignment policies are destroyed.
- Verify that a user without :manage_grades permission, such as a
student, receives an error when they attempt to mutate a policy,
and receive null data when attempting to query a policy.
Change-Id: I94b19e73653e64ab05fcad1150c46a76ff0362e6
Reviewed-on: https://gerrit.instructure.com/179698
Tested-by: Jenkins
Reviewed-by: Cameron Matheson <cameron@instructure.com>
Reviewed-by: Adrian Packel <apackel@instructure.com>
QA-Review: Indira Pai <ipai@instructure.com>
Product-Review: Keith Garner <kgarner@instructure.com>
Test Plan:
This one is hard to test without trying it in beta, but
it could be done by setting up a second shard and account
locally:
1. Attempt to launch a tool in the non-primary shard of
Canvas.
2. Verify the domain in the lti message hint reflects
the domain of the non-primary shard
3. Verify the launch works in the following places:
- Module items
- Course navigation
- User navigation
Fixes PLAT-4187
Change-Id: Ic135d9a0748ce155f4136f7cc9d29ac439eeffcd
Reviewed-on: https://gerrit.instructure.com/180226
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: Nathan Mills <nathanm@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
Tested-by: Jenkins
closes: GRADE-1972
test plan:
- Given New Gradebook is ON
- Given Final Grade Override is Off
- Given the Gradebook page
- When the Gradebook Settings Modal is open
- Then the "Advanced" tab is not present
Change-Id: I5d16a5871f13618113ca55a81938157ecb9cdd17
Reviewed-on: https://gerrit.instructure.com/179632
Tested-by: Jenkins
Reviewed-by: Adrian Packel <apackel@instructure.com>
Reviewed-by: Gary Mei <gmei@instructure.com>
QA-Review: Indira Pai <ipai@instructure.com>
Product-Review: Keith Garner <kgarner@instructure.com>
Fixes COMMS-1854
Test Plan:
* Have a course with multiple students in it.
* Send a message from one student to another. In this message, click
the upload media button, go to the `Upload Media` tab, and select
and attach the video file. Once that's uploaded, send the message.
* Go to your sent folder, and notice that it says the filename for the
media file you sent.
* Go to the other student's inbox, and make sure that it says the
filename for the media file you sent here as well.
Change-Id: Ie80cc4a191d67d0801e3aea7c876b597a8378eb5
Reviewed-on: https://gerrit.instructure.com/180096
Reviewed-by: Steven Burnett <sburnett@instructure.com>
QA-Review: Steven Burnett <sburnett@instructure.com>
Product-Review: Steven Burnett <sburnett@instructure.com>
Tested-by: Jenkins
closes GRADE-1648
Test Plan
- Create a Missing Policy for the course.
- Create an assignment due 1 minute from now.
- Load the Gradebook and verify that the submissions are not
considered missing.
- Wait for the due date to pass.
- Refresh the Gradebook until the cells indicate missing, and there
is the Missing score applied to those submissions.
- Do a GET request to this endpoint:
`api/v1/courses/:course_id/assignments/:assignment_id/submissions/:id`
- Verify that the graded_at is not nil, and is accurate to when the
submission had the missing policy applied to it.
Change-Id: Ia709a3d8420d70838a95c5f774a492c5088ae2be
Reviewed-on: https://gerrit.instructure.com/179344
Reviewed-by: Derek Bender <djbender@instructure.com>
Reviewed-by: Adrian Packel <apackel@instructure.com>
Tested-by: Jenkins
QA-Review: Indira Pai <ipai@instructure.com>
Product-Review: Keith Garner <kgarner@instructure.com>
fixes ADMIN-2336
test plan:
- create a page in a course that links to the following:
* a file that has been deleted
* a file with an invalid id
* a resource (file, assignment, etc.) that is unpublished
* a resource that is in a different course (most easily done
by changing the course id in the link in the html)
- as a student, click these links and ensure the pages you
see look like the mockups in ADMIN-2331.
- in all of these cases,
* there is a centered image
- this image is not read by screen readers,
since it is purely decorative
* there is not a red box
* there is not a link to contact support
- for the deleted file, you should see "Page Not Found" and
a note that the file has been deleted
- for other links to nonexistent items, you should just see
"Page Not Found"
- for unpublished items, you should see "Not Yet Available"
and a locked document picture
- for items in a different course (that the student is not
enrolled in), you should see "Access Denied" and a lock picture
- also test the new 400 and 500 error pages. the easiest way to
do this is with the /test_error endpoint:
- /test_error?status=400
- /test_error?status=500
- these show the broken rocket picture and still include
a support link
Change-Id: I9f20e742e690482887cf375c79e4060aff6d7146
Reviewed-on: https://gerrit.instructure.com/178581
Tested-by: Jenkins
Reviewed-by: Ed Schiebel <eschiebel@instructure.com>
Reviewed-by: Carl Kibler <ckibler@instructure.com>
QA-Review: Carl Kibler <ckibler@instructure.com>
Product-Review: Kyle Follett <kfollett@instructure.com>
test plan:
* use the tool config linked in the ticket
* it should not break the rce
closes #CORE-2411
Change-Id: Ia0e48ad9f87d84a7932e21b5f87a3f785f3197d6
Reviewed-on: https://gerrit.instructure.com/179425
Reviewed-by: Clay Diffrient <cdiffrient@instructure.com>
Tested-by: Jenkins
QA-Review: Tucker Mcknight <tmcknight@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
Fixes XSS vulnerability.
Fixes QO-472
Refs SEC-2153
Test plan:
- Login as teacher or admin
- Create a quiz
- Switch quiz instructions editor to raw html
- Add the following html:
<div id="quiz_details_wrapper" data-url="some-url"></div>
<p><a class="quiz_details_link">XSS</a></p>
- Save the quiz
- Click the "XSS" link
- Verify that no request is made to the url in the data attribute
- Repeat last 2 steps as student taking the quiz
Change-Id: I1849b0674bd8463eef587864c74dbe58db23ea7b
Reviewed-on: https://gerrit.instructure.com/179446
Tested-by: Jenkins
Reviewed-by: Michael Brewer-Davis <mbd@instructure.com>
QA-Review: Jonathan Holt <jholt@instructure.com>
Product-Review: Omar Khan <okhan@instructure.com>
Fixes COMMS-1846
Test Plan:
* Go to the calendar, click on a day to add an event, and click on the
"More Options" button.
* Switch to the html editor, and add the following:
<img class='equation_image'
data-mathml='<img src=x onerror=prompt(document.cookie); />'>
* Save the event. Go back to the calendar and click on the newly saved
event, and notice that you don't get XSS'd
* Create another event in the calendar, and this time add the
following via the html editor:
<img class="equation_image" title="(-\infty,\infty)"
src="/equation_images/(-%255Cinfty%252C%255Cinfty)"
alt="Infinities: (-\infty,\infty)"
data-equation-content="(-\infty,\infty)" />
* Save the event, and load it in the calendar. Notice that it still
properly displays this mathml image.
* Test the same calendar event with a screen reader, and notice that
it is still accessible
Change-Id: If0f1ac8ad93f04ececb7aa2f7ef221204b1ce14f
Reviewed-on: https://gerrit.instructure.com/179783
Tested-by: Jenkins
Reviewed-by: Steven Burnett <sburnett@instructure.com>
QA-Review: Landon Gilbert-Bland <lbland@instructure.com>
Product-Review: Steven Burnett <sburnett@instructure.com>
test plan:
* have a course with two groups and two users
in both groups
* /api/v1/search/recipients.json?context=group_X
(where X is the group id) should not return duplicates
closes #COMMS-1859
Change-Id: Ie3513a988195bb2e6f39bc164b52cb44737b9fbc
Reviewed-on: https://gerrit.instructure.com/179671
Tested-by: Jenkins
Reviewed-by: Landon Gilbert-Bland <lbland@instructure.com>
QA-Review: KC Naegle <knaegle@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
fixes COMMS-1857
Test Plan
1. Enable the permission "Course Calendar -
add/edit/delete events" for the student role
2. As the teacher, create an appointment group in your course
3. As a student, try to reserve a time slot, notice that the
"reserve" button and comment box are now rendered
Change-Id: I1f67b7ee30562ef7346e18c8c819a39f339f1f5f
Reviewed-on: https://gerrit.instructure.com/179586
Tested-by: Jenkins
QA-Review: Steven Burnett <sburnett@instructure.com>
Product-Review: Steven Burnett <sburnett@instructure.com>
Reviewed-by: Landon Gilbert-Bland <lbland@instructure.com>
Reviewed-by: James Williams <jamesw@instructure.com>
fixes OUT-2961
test plan:
- have at least 2 students in a course
- submit to several of the assignments in the course
- go to the student's ePortfolio and confirm their submissions
appear on the "Welcome to Your ePortfolio" page
- make the ePortfolio public under 'ePortfolio' settings
- view the ePortfolio as another student, confirm that no
"Recent Submissions" list appears for the public portfolio
(only should appear when logged in as the user who owns the
portfolio)
Change-Id: I651db17382e151b44fd2b2d59a2ac5f26f28451f
Reviewed-on: https://gerrit.instructure.com/179302
Tested-by: Jenkins
Reviewed-by: Augusto Callejas <acallejas@instructure.com>
QA-Review: Brian Watson <bwatson@instructure.com>
Product-Review: Neil Gupta <ngupta@instructure.com>
test plan:
- in course content somewhere, create a payload like the one
in SEC-2166
- ensure the script does not run when you hover over it
fixes SEC-2166
fixes ADMIN-2376
Change-Id: I74063adbfc9c819955e2131cd3aa09489d49e16c
Reviewed-on: https://gerrit.instructure.com/179634
QA-Review: KC Naegle <knaegle@instructure.com>
Tested-by: Jenkins
Reviewed-by: Steven Burnett <sburnett@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
fixes OUT-2970
Test Plan:
- test the old way of graded rubrics; make sure they still load
- Log in as a user who can create a discussion topic.
- Create a topic with the following content:
<div class="rubric_dialog_trigger" data-focus-returns-to="<img src=x onerror=prompt(document.cookie); />">TEST</div>.
- After saving you will be redirected to a page, which triggers a prompt with your cookies.
Change-Id: I2a7a9bfb0c7157e2d18df4113549c621f70f8ee8
Reviewed-on: https://gerrit.instructure.com/179682
Reviewed-by: Neil Gupta <ngupta@instructure.com>
Tested-by: Jenkins
QA-Review: Matthew Berns <mberns@instructure.com>
Product-Review: Steven Burnett <sburnett@instructure.com>
test plan:
* create a blueprint course with
two assignments associated with the same rubric
* sync to an associated course
* edit the rubric from the assignments page for
one assignment, creating a new copied rubric
* re-sync
* it should have synced the copied rubric to
the associated course's assignment
closes #ADMIN-2358
Change-Id: Ie803f83a768bd2b3c990b94e5a14c51e35fc6b0a
Reviewed-on: https://gerrit.instructure.com/178479
Tested-by: Jenkins
Product-Review: James Williams <jamesw@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
fixes COMMS-1848 OUT-2968
Test Plan:
- Log in as a user who can create discussion topics.
- Create a discussion topic with the following content: <a class="btn btn-primary rubric_dialog_trigger" data-url="https://test.ddv.in.ua/Instructure.php?">XSS</a>
- Save.
- Click on the button; notice no alert
Change-Id: I2f483a16630fc57426ec347f0ee5daffc938744d
Reviewed-on: https://gerrit.instructure.com/179487
Tested-by: Jenkins
Reviewed-by: Neil Gupta <ngupta@instructure.com>
QA-Review: Aaron Hsu <ahsu@instructure.com>
Product-Review: Steven Burnett <sburnett@instructure.com>
test plan:
- create an ePortfolio
- add an HTML section
- put a <script> in there, e.g. <script>alert('!')</script>
- click "Preview" and ensure that script didn't run
- save the page and ensure the script doesn't run
- ensure the steps in SEC-2145 are no longer reproducible
(in particular, clicking "PREVIEW!" should do nothing)
fixes OUT-2954
Change-Id: If2b60689bd9e254df01754d106fff4bfc0603882
Reviewed-on: https://gerrit.instructure.com/179087
Tested-by: Jenkins
Reviewed-by: Steven Burnett <sburnett@instructure.com>
QA-Review: Anju Reddy <areddy@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
closes: GRADE-1965
test plan:
- This feature cannot be reversed
- New Gradebook cannot be disabled if final grade override is either
allowed or on
Change-Id: I398b6e0a370d2ab507cad088a7947d35be989037
Reviewed-on: https://gerrit.instructure.com/179263
Reviewed-by: Keith Garner <kgarner@instructure.com>
Reviewed-by: Gary Mei <gmei@instructure.com>
Tested-by: Jenkins
QA-Review: James Butters <jbutters@instructure.com>
Product-Review: Keith Garner <kgarner@instructure.com>
closes GRADE-1076
Test plan:
- Specs pass
- Audit trail feature flag should not be present in the list
- Create an auditable assignment
- Generate some audit events by assigning grades or w/e
- If a moderated assignment, publish grades
- Unmute the assignment
- As a user with permission to view the audit trail, open SpeedGrader
- The audit trail should be visible and work as before
- As a user without permission, open SpeedGrader
- The audit trail should not be visible
Change-Id: I28c13accaa04d1b8c70760b432e133beeb128f65
Reviewed-on: https://gerrit.instructure.com/178844
Tested-by: Jenkins
Reviewed-by: Gary Mei <gmei@instructure.com>
Reviewed-by: Keith Garner <kgarner@instructure.com>
QA-Review: Adrian Packel <apackel@instructure.com>
Product-Review: Keith Garner <kgarner@instructure.com>
there's no API endpoint for user profile title and bio to be
updated, so just let them come in through the user update
test plan:
* enable Profiles on the root account
* refer to the Users API documentation for
"Edit a user" to set a user's bio and title
through the API
closes #CORE-2403
Change-Id: I6bdd9189653215f1cdab54f499db10574e102706
Reviewed-on: https://gerrit.instructure.com/179340
Tested-by: Jenkins
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: Rob Orton <rob@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
fixes CNVS-45018
Test plan:
- Create a pass/fail assignment
- Open the assignment as a student
- You should not get an error
Change-Id: Icac1ee7acb7b03700190f612ed642793a292cfda
Reviewed-on: https://gerrit.instructure.com/179464
Reviewed-by: Keith Garner <kgarner@instructure.com>
QA-Review: Adrian Packel <apackel@instructure.com>
Product-Review: Keith Garner <kgarner@instructure.com>
Tested-by: Jenkins
Closes PLAT-4071
Test Plan:
Verify a <record>_created event is sent after a
content migration completes for each record that
was created during the migration.
Verify a <record>_updated event is sent after a
content migration completes for each record that
was updated during the migration
Change-Id: I4f6c32a2cbd51b5b64ee3b919e34c260405ce556
Reviewed-on: https://gerrit.instructure.com/178680
Tested-by: Jenkins
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: Nathan Mills <nathanm@instructure.com>
Product-Review: Jesse Poulos <jpoulos@instructure.com>