We want to be able to change or delete enrollments on the course settings page,
even if there are multiple enrollments for a single student. This commit adds
this ability, and adds tests to ensure that multiple enrollments are coalesed
under a single user.
test-plan:
- create a course with three sections
- enroll a student in two of these sections (from the console)
- navigate to the course settings page, users tab
- make sure the student only shows up once, with both enrollments listed
underneath
- try changing one of these enrollments to the third section.
- try deleting one, and then both of these enrollments
Change-Id: I4bc35ac2f79fd6297b50e5217a567290eff59a92
Reviewed-on: https://gerrit.instructure.com/8364
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Brian Palmer <brianp@instructure.com>
test plan:
1. click on the sent filter
2. ensure you only see non-archived conversations where you have written
at least one message
3. ensure that the timestamp and preview on the left reflect your latest
message (not necessarily the latest in the conversation)
4. ensure the conversations are sorted by the timestamp of your most
recent message
5. ensure that when you delete the last message by you in a given
conversation, that conversation is removed from the ui
Change-Id: I85468d19122f1190bd2c53cb640145b7d14e2b42
Reviewed-on: https://gerrit.instructure.com/8416
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
when you add a learning outcome to a rubric, you can optionally choose to
ignore it when grading. this commit ensures that point totals acutally ignore
the line consistently across the varios places they are displayed, including
when creating the rubric, when grading from the speed grader, and when grading
from the assignment submission page.
test plan:
- create a learning outcome
- create an assignment with a rubric for grading
- make sure the rubric has at least one normal criterion for grading
- include the learning outcome, and choose ignore for grading
- make sure point totals are consistent in the rubric form
- grade the assignment with the speed_grader, make sure point totals are
consistent.
- modify the grade at /courses/c.id/assignments/a.id/submissions/user.id and
make sure point totals are still constistant.
Change-Id: I454d73897ee5d4e6413b7c653ffafa1c4ac98e2e
Reviewed-on: https://gerrit.instructure.com/8263
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Hudson <hudson@instructure.com>
provides a role override permission for viewing discussions. primarily useful
for disallowing observers from reading discussion, although by default it is
enabled.
test plan:
- create a course
- create a discussion (d1) in that course
- create a discussion assignment (d2) in that course
- log in as an observer and make sure you can see both discussions above
- log in as an admin and revoke the read_forum permission for observers
- log back in as the observer and make sure you can't see the discussions
- also check that the assignment shows the assignment page, but does not
redirect to the associated discussion.
Change-Id: I4c6441c781c24e6aadacbfc23dcc307c772ecd2c
Reviewed-on: https://gerrit.instructure.com/8069
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Cody Cutrer <cody@instructure.com>
Hook into the redis library at a pretty low level, to try and do
everything we can to avoid erroring if redis goes down. This applies to
both redis-as-cache and redis-as-data-store.
test plan: Set up redis and caching in your local instance. Point it to
both an existing box on a port not running redis, and a non-existent IP.
In both situations, you should not see caching errors or redis data
errors. After the first error, it shouldn't attempt to hit redis again for 5
minutes.
Change-Id: I101b2d3d2123151b244eb82ba78b176ed1f4d5ad
Reviewed-on: https://gerrit.instructure.com/8097
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
ContentZipper for some reason was allowing fetching all files (as if a
teacher) when user was not specified. This fixes that and requires correct
permissions when zipping up a folder.
It also runs a migration which will delete existing folder zip files for
anonymous users, since those are cached.
test plan:
* Create a public course and put some files in it.
* Lock and hide some of those files.
* Log out and browse to the course files.
* Choose "download zip file".
* Verify that the zip file you get only has visible files in it.
Change-Id: Icf5929f7d1dbc4a7f2122337aff9ed6ae003af12
Reviewed-on: https://gerrit.instructure.com/8085
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Brian Palmer <brianp@instructure.com>
In the SpeedGrader, if you went past a user with > 1 submission, grading
subsequent students with only one submission would result in a page error in
the submission content iframe after the grade is saved. We were only
populating the <select> element for > 1 submissions people, and the change()
binding on it would call for everyone else, triggering badness.
test plan:
* Create 2 users in a course with an assignment.
* Submit the assignment twice as student A, and once as student B.
* In SpeedGrader for that assignment, browser to student A, then student B.
* Grade student B's submission.
* Notice that when the submission reloads in the iframe, it is not a page
error.
Change-Id: If461ecc1121fcae0549f1f451ecaa33edf2aa69e
Reviewed-on: https://gerrit.instructure.com/8046
Reviewed-by: Ryan Shaw <ryan@instructure.com>
Tested-by: Hudson <hudson@instructure.com>
allow points in rubric criteria and ratings to have decimal values. in working
with brian, we're operating under the following assumptions:
- round to 2 decimal places
- splitting always gives you a integer by default (you can change it yourself after)
- if there's not room to split with an integer, repeat the low value
test plan
- create a new rubric
- change a criterial value to something with a decimal point
- try setting specific ratings with decimals
- try to split between a large space (ie 10.5 and 0), should be 5
- try to split between a small space (ie 0.5 and 0), should be 0
closes#5355
Change-Id: I17e26fe18dda0847fa59dd40976e4d6f38851287
Reviewed-on: https://gerrit.instructure.com/7882
Reviewed-by: Brian Palmer <brianp@instructure.com>
Tested-by: Brian Palmer <brianp@instructure.com>
Reviewed-by: Ryan Florence <ryanf@instructure.com>
* adds course url to course record
* adds avatar url to users record more globally
test plan: make api calls that return courses or users, ensure they still work
Change-Id: I1db69fe3865a39744ba7f3fcc7fc885f46c6551b
Reviewed-on: https://gerrit.instructure.com/7496
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
Test Plan:
* Create a tool with api
* Edit tool with api
* Get tool with api
* List tools with api
* Delete tool with api
* Etc., etc.
closes#6589
Change-Id: I3f1adc97937588534f8005574bd0278b6f03cbde
Reviewed-on: https://gerrit.instructure.com/7612
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Brian Palmer <brianp@instructure.com>
fixes#6510
Most of this is a refactor so that all API JSON generation goes through
an api_json method, in order to standardize stuff like permissions and
:include_root. The existing specs verify that this doesn't inadvertently
change any existing responses -- except the discussion topics responses,
which were returning the :permissions array in the json unintentionally.
The refactor fixes the locked assignment response as a side effect.
Change-Id: I287b366fe05ef6116f713fc52075aff93d5e87b6
Reviewed-on: https://gerrit.instructure.com/7262
Reviewed-by: Brian Palmer <brianp@instructure.com>
Tested-by: Hudson <hudson@instructure.com>
testplan:
* make sure user models destroy transactionally
* create two users, one with a managed pseudonym and one without,
destroy both, and make sure that the failure to remove the managed
pseudonym makes the original user destroy bail
* make sure you can force delete a user with managed pseudonyms
* make sure that the account controller can destroy users with managed
pseudonyms
* make sure the users controller can destroy users with managed
pseudonyms only when the current user has permission
* also, make sure other user destruction functionality is unchanged
* make sure the users controller doesn't confirm a deletion when
the user doesn't have permission
* make sure we don't add a user destruction link when we know the
destruction will fail, but add it otherwise
Change-Id: Ie7c17de1134543fe55a3fdd03c60879925ecc50d
Reviewed-on: https://gerrit.instructure.com/6832
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
fixes the logic that determines when to display the "Customize" and
"View all courses" links in the course menu. the two problems were:
1. if all Courses were already favorited (via Customize UI), the
Customize link would no longer show up
2. if the number of active enrollments was less than 12, but with your
temporary enrollments you exceeded that, you would not see the
"Customize" or "View all courses" links
test plan:
* enroll in more than 12 courses and customize the menu so they all
appear. ensure you can still customize the menu when you reload the
page
* enroll in fewer than 12 courses and then invite yourself to a bunch of
courses so that your total exceeds twelve. ensure that you can
customize the menu and you have a "View all courses" link
* basic regression of course menu customization
Change-Id: Iaddc54fd011159a498e39c28adfd81672f87261f
Reviewed-on: https://gerrit.instructure.com/7141
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Zach Pendleton <zachp@instructure.com>
test plan: run the tests
Change-Id: If7fd4288520af765211a026ff0202b18249f86fe
Reviewed-on: https://gerrit.instructure.com/7254
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Brian Palmer <brianp@instructure.com>
When student submits a quiz with an essay question, it now
displays as ungraded in Speedgrader until the grader reviews/
grades the essay question.
test plan:
1. create a quiz with an essay question;
2. complete the quiz;
3. view the quiz assignment in speedgrader;
4. verify that assignment is marked as "not graded"
in the student dropdown menu;
5. grade the essay question;
6. verify that the assignment is now marked as "graded"
in the student dropdown menu.
Change-Id: I67ca56df2ec08380c75aa1ddf64fe8848e2b574d
Reviewed-on: https://gerrit.instructure.com/6619
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
We are now prepending all json responses with "while(1);" to protect
against browsers that allow stealing this information from a <script>
tag on third-party sites, by overriding constructors or property
getters/setters.
this loop is not prepended to API requests, unless those requests are
authenticated via a session cookie (canvas itself makes API
requests using the user's session, but we don't want third-party apps to
have to remove the loop before parsing).
fixes#6459
Change-Id: Icf00056d4d7fba198a8957892af09cdd84d55bc4
testplan:
* Do anything in the application that results in a AJAX request
returning JSON -- for instance, load your list of conversations.
* Use a web inspector to verify that the canvas is returning the JSON
response with this prepended loop, but that the javascript code
handles that and still can parse the response.
* Make API calls to Canvas, verify that nothing is prepended to the
JSON responses.
Reviewed-on: https://gerrit.instructure.com/7144
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
mocha deliberately doesn't support evaluating thunks in mocked objects,
so, that broke our usage pattern when we switched.
testplan: n/a
Change-Id: I2ae8d2e4de1249965b12659ee76a785b13f7c73d
Reviewed-on: https://gerrit.instructure.com/6654
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Brian Palmer <brianp@instructure.com>
This uses redis to store the nonces as locks that expire after 90
minutes. Timestamps are epoch UTC values, as per the oauth spec.
testplan: send oauth requests to the api endpoint with the same nonce
more than once, or with a too-old timestamp
refs #5892
Change-Id: Id6130c2a07e206dad716673aa6adbe9d36565a7c
Reviewed-on: https://gerrit.instructure.com/6683
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Brian Whitmer <brian@instructure.com>
This was already happening for a couple of the default front
pages, but this fix makes it happen for all of them
closes#5842
Change-Id: If11db2e93cdfe228a3ee9019ff68ffe97e03696f
Reviewed-on: https://gerrit.instructure.com/6601
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Hudson <hudson@instructure.com>
refs #5948
adjust specs so that if a login does inject themselves in by adding
additonal redirects, we keep following them
Change-Id: I16e616066ea1bef1aa5ed97718cbd8ddbd2c27c5
Reviewed-on: https://gerrit.instructure.com/6536
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Jacob Fugal <jacob@instructure.com>
Reviewed-by: Brian Palmer <brianp@instructure.com>
fixes#5573, #5572, #5753
* communication channels are now only unique within a single user
* UserList changes
* Always resolve pseudonym#unique_ids
* Support looking up by SMS CCs
* Option to either require e-mails match an existing CC,
or e-mails that don't match a Pseudonym will always be
returned unattached (relying on better merging behavior
to not have a gazillion accounts created)
* Method to return users, creating new ones (*without* a
Pseudonym) if necessary. (can't create with a pseudonym,
since Pseudonym#unique_id is still unique, I can't have
multiple outstanding users with the same unique_id)
* EnrollmentsFromUserList is mostly gutted, now using UserList's
functionality directy.
* Use UserList for adding account admins, removing the now
unused Account#add_admin => User#find_by_email/User#assert_by_email
codepath
* Update UsersController#create to not worry about duplicate
communication channels
* Remove AccountsController#add_user, and just use
UsersController#create
* Change SIS::UserImporter to send out a merge opportunity
e-mail if a conflicting CC is found (but still create the CC)
* In /profile, don't worry about conflicting CCs (the CC confirmation
process will now allow merging)
* Remove CommunicationChannelsController#try_merge and #merge
* For the non-simple case of CoursesController#enrollment_invitation
redirect to /register (CommunicationsChannelController#confirm)
* Remove CoursesController#transfer_enrollment
* Move PseudonymsController#registration_confirmation to
CommunicationChannelsController#confirm (have to be able to
register an account without a Pseudonym yet)
* Fold the old direct confirm functionality in, if there are
no available merge opportunities
* Allow merging the new account with the currently logged in user
* Allow changing the Pseudonym#unique_id when registering a new
account (since there might be conflicts)
* Display a list of merge opportunities based on conflicting
communication channels
* Provide link(s) to log in as the other user,
redirecting back to the registration page after login is
complete (to complete the merge as the current user)
* Remove several assert_* methods that are no longer needed
* Update PseudonymSessionsController a bit to deal with the new
way of dealing with conflicting CCs (especially CCs from LDAP),
and to redirect back to the registration/confirmation page when
attempting to do a merge
* Expose the open_registration setting; use it to control if
inviting users to a course is able to create new users
Change-Id: If2f38818a71af656854d3bf8431ddbf5dcb84691
Reviewed-on: https://gerrit.instructure.com/6149
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Jacob Fugal <jacob@instructure.com>
we would need a separate cache for each [@current_user,
@real_current_user] combination because the authenticity token is
included in the html here -- it's not really worth it, just skip the
cache when masquerading.
Change-Id: Ie1440a6e592ef96649467e06006520d176438a70
Reviewed-on: https://gerrit.instructure.com/6385
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
Assessment questions can be shared among multiple contexts, so we need to make
the Canvas links used inside authorized to anyone with the link.
Change-Id: I0df4907405fd518ee0efebccf1b9fb8717dca141
Reviewed-on: https://gerrit.instructure.com/6341
Reviewed-by: Brian Palmer <brianp@instructure.com>
Tested-by: Hudson <hudson@instructure.com>
fixes#5737
There is one situation where a session is still desireable -- if the
attachment data includes links, for instance a html file attachment,
then a session will be needed to view the links from that file. The
limited safefiles session will still be created when downloading the
file, so apps can optionally use the session to support that
functionality.
Change-Id: I48558c4a3217ebea92118f8f08d1254041bd65e5
Reviewed-on: https://gerrit.instructure.com/5860
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Hudson <hudson@instructure.com>
so that things don't asplode if you do something that auto-commits the
transaction, and then AR can neither commit or rollback the transaction
it thinks it's in
Change-Id: I9df10697a255f60155fa256d93675aa8792009be
Reviewed-on: https://gerrit.instructure.com/5943
Reviewed-by: Brian Palmer <brianp@instructure.com>
Tested-by: Hudson <hudson@instructure.com>
notable changes:
* nothing is processed as a sis-import blocking error now. bad imports now
result in warnings, while just skipping bad data
* we no longer check for duplicates before going to the database
Change-Id: Iedc96b29d92caccdc6a71ae1de8100a1c82dd137
Reviewed-on: https://gerrit.instructure.com/5724
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
also streamlined conversations json and made it more consistent
Change-Id: I422d9eaf5e2e8d228c184302cb2e95d2755f50d4
Reviewed-on: https://gerrit.instructure.com/5399
Reviewed-by: Brian Palmer <brianp@instructure.com>
Tested-by: Hudson <hudson@instructure.com>
requires :manage_courses, or :manage_sis and the course is a SIS
course, or :update (teachers) and the course is not a SIS course.
Change-Id: I198897164c5fb024fad4bc594500296200eaf4a0
Reviewed-on: https://gerrit.instructure.com/5371
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: JT Olds <jt@instructure.com>
also tweaked named_context_url to work better with UserProfile
contexts
Change-Id: If16ef16db507c8713436d0d88a1867f206ecdf48
Reviewed-on: https://gerrit.instructure.com/5225
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
The specs didn't catch this because our user_session spec helper stubs
out PseudonymSession, so you'll have the user session available even if
you make a request to a different domain name, so the normal user
permissions were being applied. I've upgraded the specs to make sure
that the user isn't getting logged in on the safefiles
request.
Change-Id: I01b64a87bb51fbf2e947f5c2a1ae5471d1f1e216
Reviewed-on: https://gerrit.instructure.com/5244
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Zach Wily <zach@instructure.com>
Refs #4952
* Fix saving role overrides for Site Admin account roles
* Add the following permissions:
* read_course_list (for listing or searching courses)
* view_statistics (for viewing account statistics)
* manage_user_notes (instead of being implied-ish by read_reports)
* Hide UI elements that provide access to features that are not
allowed
* Remove lots of not applicable stuff from Site Admin settings
Change-Id: I7414368b472ba655d04118db30c1bb46542deb37
Reviewed-on: https://gerrit.instructure.com/5054
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Bracken Mosbacker <bracken@instructure.com>
Simon Williams