Fixes CNVS-25343
Test plan:
- Verify that every visible iframe in Canvas has a non-empty title attribute
- Verify that every title attribute on an iframe has meaningful content,
which correctly indicates the content the iframe contains.
Change-Id: Iac3a2031a81836b11e1e4bfdc2d242777a493172
Reviewed-on: https://gerrit.instructure.com/68027
Reviewed-by: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
Tested-by: Jenkins
QA-Review: Simon Williams <simon@instructure.com>
test plan:
* enable self-registration on the account in the console
Account.default.canvas_authentication_provider.tap do |aac|
aac.self_registration = true
aac.save!
end
* visit the self-registration page "/register"
* the login form in the upper-right corner should work
closes #CNVS-25585
Change-Id: I296976e58975c0c95337d7868c0c976085bc792a
Reviewed-on: https://gerrit.instructure.com/68887
Tested-by: Jenkins
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Ryan Allen <rallen@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
closes CNVS-19332
refs CNVS-15543
I can't find any date fields related to the self registration process,
so I'm declaring this code dead and removing rather than
accessibilifying it.
TEST PLAN:
1) tests should pass
2) self-registration should not break
Change-Id: Ic9b49ddec4a581bad529698b9f202560eeaa68ab
Reviewed-on: https://gerrit.instructure.com/56676
Tested-by: Jenkins
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
authentication
Fixes PFS-1084
Parent Registration:
When a Saml config is designated for Parent Registration the parent
signing up will be redirected to a Saml login page where they will log
in with their child's credentials. After login the child user's
Saml session will be ended and the parent registration process will complete.
Parent Adding Student:
When a Saml config is designated for Parent Registration the parent
adding another observee will be redirected to a Saml login page
where they will log in with their child's credentials. After login the child user's
Saml session will be ended and the observee creation process
will complete.
---------------------------------------
TEST PLAN:
SETUP:
1) In your account settings check the box for 'Self Registration' (and
either of the sub-options)
2) Add the following users to your account (these will be the students):
billyjoel
eltonjohn
3) In Authentication Settings add a SAML authentication service
and enter the following fields (I've set up a remote SAML IdP):
IdP Entity ID: http://107.170.212.143/saml2/idp/metadata.php
Log On URL: http://107.170.212.143/simplesaml/saml2/idp/SSOService.php
Log Out URL:
http://107.170.212.143/simplesaml/saml2/idp/SingleLogoutService.php
Certificate Fingerprint:
9C:11:68:93:95:CD:18:01:EC:52:2B:9E:22:7F:73:55:ED:6D:82:D4
Parent Registration: check
TEST:
Parent Registration:
* Go to '/login/canvas'
* Click on the signup banner
* sign up as a parent for billyjoel or eltonjohn
(on SAML login page the password for either user is: tantrum)
Add Student:
* Log in as a parent user w/ a Canvas Auth login
* Go to '/profile/observees'
* Add Student 'billyjoel' or 'eltonjohn'
Authentication Settings (new parent reg checkbox):
* Go to Authentication Settings
* Add a second SAML config
* check the parent registration checkbox
- it should warn that selection will deselect the other
and in fact do so upon save.
- the selected config is the one used for
parent reg/add student
---------------------------------------
Change-Id: Ief83b604fc252c88dbb912c56de65d8620fe802f
Reviewed-on: https://gerrit.instructure.com/49691
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Reviewed-by: Jacob Fugal <jacob@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
no significant issues/vulnerabilities fixed in this commit, rather this is
a catch-all so we can enforce linting in the build.
to better understand what's going on here, see the following:
* public/javascripts/.xssignore
* script/xsslint.js
* https://github.com/jenseng/xsslint
high level summary of what's going on in this commit:
1. .html/.append/etc. now know what to do with a SafeString ... in many
cases we now put a $.raw around an .html argument to tell the linter
it's ok
2. although translation is an unlikely attack vector, we now htmlEscape
I18n.t calls used in html snippets, etc. this is a good thing, as it
ensures we don't create a vulnerability later (e.g. by interpolating
user content into a translation)
3. many vars were renamed (Html suffix, $ prefix) to let the linter know
it's something that was manually vetted
4. in some cases, rather than renaming or creating a superfluous var,
we add special xsslint comment overrides
test plan:
specs should all pass
Change-Id: Ide1df825b798d1b0c468a5308802543bf716c0d7
Reviewed-on: https://gerrit.instructure.com/46097
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Derek Hansen <dhansen@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
extraction and runtime for vanilla handlebars. ember will be part II
because its strings currently don't even get extracted on master
¯\_(ツ)_/¯
differences in generated yml:
1. `%h{...}` placeholders from hbs are just `%{...}`, since html-safety is
inferred at runtime without needing a placeholder hint (6 occurrences)
2. inline `{{t ...}}` calls are now extracted (6 occurrences)
3. some trivial whitespace difference around some wrappers (2 occurrences)
4. html-entities are correctly converted into unicode equivalents, e.g.
`Move To…` -> `Move To…` (1 occurrence)
test plan:
1. verify string extraction:
1. `rake js:generate i18n:generate` before and after this commit
2. confirm `config/locales/generated/en.yml` is identical, except the
differences listed above
2. verify js translation file generation:
1. `rake i18n:generate_js` before and after this commit
2. confirm the files in public/javascripts/translations are identical
3. verify hbs translation keys/scope behavior at runtime:
1. run canvas w/ RAILS_LOAD_ALL_LOCALES=true and optimized js
2. use canvas in spanish
3. confirm that todo está bien
4. confirm you can now use i18nliner-y features:
1. block helper with no key `{{#t}}hello world{{/t}}`
2. inline helper with no key `{{t "hello world"}}`
Change-Id: Ic2a2c5cf102ca482919cbb91ac1c154467029685
Reviewed-on: https://gerrit.instructure.com/42942
Reviewed-by: Jennifer Stern <jstern@instructure.com>
Product-Review: Jennifer Stern <jstern@instructure.com>
QA-Review: Matt Fairbourn <mfairbourn@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
refs CNVS-11309
Test Plan
1. Navigate to '/register'
2. Click a signup link (teacher, student, parent)
3. Modal should function without regression
Change-Id: Id409e4b0b8c23b02a334ec9569e13f50869b1086
Reviewed-on: https://gerrit.instructure.com/31253
Reviewed-by: Landon Wilkins <lwilkins@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Product-Review: Marc LeGendre <marc@instructure.com>
QA-Review: Marc LeGendre <marc@instructure.com>
fixes CNVS-8847
Test Plan
1) Enable self-registration on your default account via the console
(e.g. https://gist.github.com/JustAboutJeff/479e6fc120e5304ccf8e)
2) Navigate to localhost:3000/register_from_website
3) Click the 'Watch a Video' link and ensure the video plays as expected
Change-Id: Ic3e8f0de2066e2a73979c2a773143a6865f3e33c
Reviewed-on: https://gerrit.instructure.com/25407
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
Product-Review: Marc LeGendre <marc@instructure.com>
QA-Review: Marc LeGendre <marc@instructure.com>
also fix issue around communication_channels/confirm not giving a visual
indication that the terms must be accepted if you forget to check the box
fixes CNVS-7189
test plan:
1. go to /register
2. you should not need to agree to the terms on any form, but you should
see a link to the privacy policy
3. invite a user to a course
4. the user should not need to agree to the terms when setting a password
5. in the console, do Setting.set('terms_required', true)
6. go to /register
7. you should need to agree to the terms on all the forms
8. invite a user to a course
9. the user should need to agree to the terms when setting a password
Change-Id: I54857d7aaef1b528c6033a3464701abeae4ce14f
Reviewed-on: https://gerrit.instructure.com/22770
Reviewed-by: Jon Jensen <jon@instructure.com>
Product-Review: Marc LeGendre <marc@instructure.com>
QA-Review: Marc LeGendre <marc@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
fixes CNVS-6888
testing steps:
* from a console, set a custom privacy and terms url
Setting.set('privacy_policy_url', 'http://custom.example.com/privacy')
Setting.set('terms_of_use_url', 'http://custom.example.com/terms')
* verify the following location all display the new links:
* <canvas>/enroll/<join_code> - with self_enrollments enabled for
the course and currently logged out
* when self registration is disabled at the root account,
will be prompted to authenticate, "View Privacy Policy"
* when self registration is enabled at the root account,
will be prompted to authenticate or register, "View Privacy Policy"
* when logged in as a teacher, prompted to confirm enrollment
"View Privacy Policy"
* <canvas>/register_from_website - when logged out
* page footer links for "Terms of Use" and "Privacy Policy"
* "I'm a teacher", both links at bottom of dialog
* "I'm a student", both links at bottom of dialog
* "Parents sign up here", both links at bottom of dialog
* <canvas>/accounts/<id>/users - click "Add a New User" from
the right sidebar. "View Privacy Policy" in modal dialog.
Change-Id: Ic80c369dcea8483c93fb8adfcd9a80c1d6d3ad6a
Reviewed-on: https://gerrit.instructure.com/22712
Reviewed-by: Jon Jensen <jon@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Marc LeGendre <marc@instructure.com>
Product-Review: Marc LeGendre <marc@instructure.com>
* expose templates so plugins can override them
* tweak ENV data we pass into js
* basic client-side field validations
test plan:
N/A, see plugin commit
Change-Id: Ic3998affc99e24f9c8d57b8f0068d03ae3be9fef
Reviewed-on: https://gerrit.instructure.com/20056
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Myller de Araujo <myller@instructure.com>
Product-Review: Jon Jensen <jon@instructure.com>
Reviewed-by: Joe Tanner <joe@instructure.com>
test plan:
1. set up a new password policy via the console, e.g.
a = Account.default
a.settings[:password_policy] = {:min_length=>6, :max_sequence=>3, :max_repeats=>3, :disallow_common_passwords=>true}
a.save!
2. go to /register and sign up as a student
3. make sure the password policy is enforced, i.e.
1. confirm that the password must be at least 6 chars
2. confirm that the password cannot be a common one (e.g. football)
3. confirm that the password cannot contain a run of 4 or more chars
(e.g. abc123lol is ok, abcd1234 is not)
4. confirm that the password cannot have the same char repeated 4 or
more times (e.g. aaa000bb is ok aaaabbbb is not)
4. verify the password policy is enforced when changing your password as
an existing user (via user profile/settings)
5. verify the password policy is enforced when adding a login for a user
6. verify the password policy is enforced when resetting your password
(via forgot password on login page)
7. invite a new user into a course, and as that user verify the password
policy is enforced when you set up your account
Change-Id: Ie619fc255dc940249676bf5e510ce68eaf17441c
Reviewed-on: https://gerrit.instructure.com/19104
Reviewed-by: Brian Palmer <brianp@instructure.com>
Product-Review: Jon Jensen <jon@instructure.com>
Tested-by: Jon Jensen <jon@instructure.com>
QA-Review: Cam Theriault <cam@instructure.com>
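An added example (not Canvas code) of a standalone validator that enforces the four policy settings from the test plan above, with the same thresholds: a sequence or repeat run is only rejected when it is longer than the configured maximum, and the common-password list here is a constructed sample.

```ruby
# Added illustration, not Canvas's own implementation. Policy keys mirror the
# account setting from the test plan: {:min_length=>6, :max_sequence=>3,
# :max_repeats=>3, :disallow_common_passwords=>true}.
POLICY = {
  min_length: 6,
  max_sequence: 3,
  max_repeats: 3,
  disallow_common_passwords: true
}.freeze

# Constructed sample list; a real deployment would load a much larger one.
COMMON_PASSWORDS = %w[password football 123456 qwerty letmein].freeze

# Longest run of the same character repeated back to back ("aaaa" => 4).
def longest_repeat(str)
  str.chars.chunk_while { |a, b| a == b }.map(&:size).max || 0
end

# Longest run of characters that each follow the previous one in codepoint
# order ("abcd" or "1234" => 4); this is what the policy calls a sequence.
def longest_sequence(str)
  str.chars.chunk_while { |a, b| b.ord == a.ord + 1 }.map(&:size).max || 0
end

# Returns the list of policy violations for a candidate password (empty when
# the password is acceptable), so callers can render one error per rule.
def password_policy_errors(password, policy = POLICY)
  errors = []
  errors << "too_short" if password.length < policy[:min_length]
  if policy[:disallow_common_passwords] && COMMON_PASSWORDS.include?(password.downcase)
    errors << "common"
  end
  if policy[:max_sequence] && longest_sequence(password) > policy[:max_sequence]
    errors << "sequence"
  end
  if policy[:max_repeats] && longest_repeat(password) > policy[:max_repeats]
    errors << "repeated"
  end
  errors
end

if __FILE__ == $PROGRAM_NAME
  # The examples from the test plan: abc123lol / aaa000bb pass, the rest fail.
  %w[abc123lol abcd1234 aaa000bb aaaabbbb football abc12].each do |pw|
    errs = password_policy_errors(pw)
    puts "#{pw}: #{errs.empty? ? 'ok' : errs.join(', ')}"
  end
end
```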
just a refactor to make the password policy commit more DRY
test plan:
1. ensure that /register works and error messages show up appropriately
Change-Id: I0eea8c4107fa9ae69d45941f45edd5a9621ee3c8
Reviewed-on: https://gerrit.instructure.com/19271
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Ryan Florence <ryanf@instructure.com>
Product-Review: Jon Jensen <jon@instructure.com>
QA-Review: Jon Jensen <jon@instructure.com>
make it a little easier to have a form spinner that doesn't go away on
success (e.g. if you are going to change location.href or something)
test plan:
1. /register should still work
2. the self enrollment form should still work
Change-Id: I0040a64ecadea2bae2899364ef820df3d2bc62c0
Reviewed-on: https://gerrit.instructure.com/19270
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Ryan Florence <ryanf@instructure.com>
Product-Review: Jon Jensen <jon@instructure.com>
QA-Review: Jon Jensen <jon@instructure.com>
require students to enter a join code when registering via /register.
teachers and observers still have no such requirement
test plan:
1. go to /register
2. click "I'm a student"
3. confirm that the join code field is required and there is no option to
sign up without one
Change-Id: I17ebdfcc6558308474af820318621d7dfed69e0c
Reviewed-on: https://gerrit.instructure.com/18969
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Joe Tanner <joe@instructure.com>
QA-Review: Cam Theriault <cam@instructure.com>
Product-Review: Jon Jensen <jon@instructure.com>
test plan:
- go to /register_from_website
- the forms should behave normally
Change-Id: I4b25612611a8500b80f236480fdd1f055379f777
Reviewed-on: https://gerrit.instructure.com/18531
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Cam Theriault <cam@instructure.com>
Reviewed-by: Joe Tanner <joe@instructure.com>
Revert "allow a plugin to override the signup form, refs #CNVS-4198"
This reverts commit ae013fcabb
Change-Id: Ibbad3d88bdb2022d6594a17a342abb680bc7b1b5
Reviewed-on: https://gerrit.instructure.com/18530
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Joe Tanner <joe@instructure.com>
QA-Review: Joe Tanner <joe@instructure.com>
test plan:
- go to /register_from_website
- the forms should behave normally
Change-Id: I317f4a8404cbf00f2de112a88421c724834e6181
Reviewed-on: https://gerrit.instructure.com/18470
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
QA-Review: Cam Theriault <cam@instructure.com>
adds privacy policy link in the following places:
1. "Add a New User" dialog (on account pages)
2. /register now has a footer w/ a link to the privacy policy
3. /register dialogs (student/parent/teacher signups) now prompt the user
to agree to the privacy policy in addition to the terms
4. self enrollment dialogs (can be seen via "Join this Course" button or
via canvas.net "Enroll" button) now have a link to the privacy policy
for all flows (i.e. even if already authenticated)... previously there
was only a checkbox/link for new users
test plan:
1. confirm privacy policy links appear in the places listed above
Change-Id: I1ad48eee7fc116901c901673ca985bbc354b5c13
Reviewed-on: https://gerrit.instructure.com/18107
Reviewed-by: Ryan Florence <ryanf@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Cam Theriault <cam@instructure.com>
test plan:
1. go to /register
2. you should not be prompted to enter a birthdate in any of the flows
3. the forms should work
4. go to your (user) settings
5. you should not see your birthdate nor be able to enter one
6. the form should work
7. go to the self enrollment page for a course as a new user
8. you should not be prompted to enter a birthdate
9. the form should work
Change-Id: I9bf92d27e208696b2aed74b4a6396d434494679c
Reviewed-on: https://gerrit.instructure.com/18143
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Ryan Florence <ryanf@instructure.com>
QA-Review: Cam Theriault <cam@instructure.com>
fixes #CNVS-1119, potentially supersedes
https://gerrit.instructure.com/14501 with a little work.
simpler flow that is more consistent with FFT signup. whether you click
the "join course" button (popup) or go to the join url, the workflow is
the same:
1. if you are authenticated, you just click the enroll button.
2. if you are not authenticated, you can either:
1. enter your (canvas/ldap) credentials and submit to join the course.
2. register and join the course (single form). you will then be
dropped on the course dashboard in the pre_registered state just
like a /register signup (you have to follow the link in your email
to set a password).
note that if open registration is turned off, option 2.2 is not available.
other items of interest:
* fix CSRF vulnerabilities where you can enroll authenticated users in
open courses, or un-enroll them if you know their enrollment's UUID
* move to shorter course-id-less route (w/ join code)
* reuse UserController#create
* handy openAsDialog behavior and embedded view mode
* better json support in PseudonymSessionsController#create
* extract markdown helper from mt
* show "you need to confirm your email" popup when you land on the course
page the first time (already showed on dashboard)
test plan:
1. test the authenticated/unauthenticated scenarios above, for both the
popup and join pages
2. regression test of /registration forms
Change-Id: I0d8351695356d437bdbba72cb66c23ed268b0d1a
Reviewed-on: https://gerrit.instructure.com/15902
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Joe Tanner <joe@instructure.com>
QA-Review: Jon Jensen <jon@instructure.com>
when a new user signs up, we don't want the form to be reenabled during
the window between the ajax response and the redirect to the dashboard
test plan:
1. go to /register
2. submit the form with missing/invalid data
3. it should be disabled, and then reenabled with appropriate error boxes
4. submit the form with valid data
5. it should remain disabled until you are redirected to the dashboard
Change-Id: If6a65db71ecbbcabdb747214cee181e25a5cff52
Reviewed-on: https://gerrit.instructure.com/12922
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
change to dropdowns since the datepicker control is not very friendly for
selecting the year
test plan:
1. go to sign up as a student (w/ course code)
2. it should not let you sign up without putting in a birthdate
3. it should save the birthdate correctly
4. go to sign up as a higher-ed student
5. it should not let you sign up without putting in a birthdate, or if you
are under 13
6. it should save the birthdate correctly
Change-Id: I68fb35afa179ab57aaff22624282f218791b10e0
Reviewed-on: https://gerrit.instructure.com/12437
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Zach Pendleton <zachp@instructure.com>
change registration flows for teachers, higher-ed students, and parents.
now users can start using canvas immediately before confirming their
email address (and setting a password). they get a nice big reminder when
they first view the dashboard, and can't edit their profile (or related
things) until they do so.
test plan:
1. go to the signup form for a teacher
2. fill it out
3. confirm that you are immediately logged in to the dashboard
4. confirm that you get a big popup when you first view the dashboard
5. confirm that you can't edit your profile
6. repeat steps 1-5 for higher-ed students (no join code)
7. repeat steps 1-5 for parents (observers)
8. confirm that students registering with a join code do not need to
verify their email address (since no email is sent)
Change-Id: I4e7e1c083d70725fffd345016f1ca1eec4aeab13
Reviewed-on: https://gerrit.instructure.com/12172
Reviewed-by: Ryan Shaw <ryan@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
our current version of require.js is unable to optimize loadDir correctly.
just explicitly include each template and create a map.
test plan:
1. on unoptimized canvas, go to the registration page
2. dialogs should appear when you click the buttons
3. on optimized canvas, go to the registration page
4. dialogs should appear when you click the buttons
Change-Id: Ifb55d739ac0bc485e64969bc4251c3a2d678d4c6
Reviewed-on: https://gerrit.instructure.com/12224
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Ryan Shaw <ryan@instructure.com>
fixes #9209, #9216, #9217, #9227
visual changes:
* restore bootstrap form styles
* change "course code" to "join code"
* made dialog buttons consistent with rest of app
* fix observer submit button wording
* remove verbiage around minimum age (before validation)
* fix link to home page (logo)
behavioral change:
* only enforce min age for signups without a join code. once they fail
validation, display an error and hide the form
test plan:
* go through signup flows, ensure visual stuff above is correct
* ensure users with a course code can sign up with any age
* ensure users without a course code must be >= 13
Change-Id: I3d02a6f1a768ab054c825db30fb73a81f4eb5e59
Reviewed-on: https://gerrit.instructure.com/11939
Reviewed-by: Ryan Shaw <ryan@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
test plan:
1. sign up as a teacher
2. sign up as a student with a course code
1. confirm that you are auto-logged in as soon as you submit valid info
in the form
3. sign up as a student without a course code
4. sign up as an observer
1. confirm that you are auto-enrolled in the child's courses
5. test the log in form
Change-Id: I581de48095e85ca869b9ded101fe143ffadb9c9a
Reviewed-on: https://gerrit.instructure.com/11111
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>