fixes GRADE-2229
test plan
- export gradebook
- it should work
- set root_account to include integration_ids in gradebook
- export gradebook
- it should include integration_id
- account grade export reports should also use account setting
- import grade export that includes integration_id
- it should import without error
Change-Id: I7b5eb980492c3ee657e87df27217263c36615cb4
Reviewed-on: https://gerrit.instructure.com/196982
Tested-by: Jenkins
QA-Review: Rob Orton <rob@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
Reviewed-by: Keith Garner <kgarner@instructure.com>
Reviewed-by: Nathan Mills <nathanm@instructure.com>
test plan:
- create a quiz that includes a question group that picks 0 questions
(either from a set of questions or a question bank)
- copy the course
- the copy should preserve the question group
fixes ADMIN-2724
Change-Id: If4a0197c307361b3cf1dce210fb6610c4ff05b0e
Reviewed-on: https://gerrit.instructure.com/197302
Tested-by: Jenkins
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: Carl Kibler <ckibler@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
closes PLAT-4550
test plan:
- tests pass
- this would be hard to manually qa, but if you want you could add a
sleep to the live event async worker loop, do some stuff that
queues events, ctrl-c the rails server, and watch the logs for it
to process the events before finally exiting.
Change-Id: I8c82b07ff5eec75cf51a307a2571f3780e75a216
Reviewed-on: https://gerrit.instructure.com/197276
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins
refs CORE-2976
test plan
- enroll user via sis
- delete login with sis id
- run report
- it should just use the active login
Change-Id: I023b4aa259dd06b83165be7e9478d2b712023f72
Reviewed-on: https://gerrit.instructure.com/194082
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins
Fixes: CORE-2938 CORE-2937 CORE-2935 CORE-2933
We have a bunch of stuff in our code where we use data-whatever
attributes to tell our javascript what to do, and a few of those treat
whatever is in data-whatever as trusted html. The problem is that users
can save whatever data-* attributes in the content they save
in a rich text editor. So if they mimic the same classnames or ids as
elements we trust, they can exploit us.
The fix is to still allow data-* attributes EXCEPT the ones we treat
as html. By filtering those out, we can treat them as trusted html.
Refs: SEC-2166 ADMIN-2376
This partially reverts ADMIN-2376 because instead of having to load all
tinyMCE to sanitize it on the client, if we treat it the same as all of
these other ones, we can just count on data-html-tooltip-title as coming
from us.
NOTE: in the future:
1. Don’t treat the DOM as the source of truth.
2. If you do, use an attribute like x-canvaslms-trusted-whatever
because that will not be allowed through in our html sanitizer
so we can know if that attribute is ever there on an element,
we put it there and not a user or hacker.
Test plan:
* Look at the repro steps on any of the attached jiras.
* You should not be able to reproduce it
* there is an automated test fixture for each one that has been added
to spec/fixtures/xss/
Change-Id: Idf77ac6d80518bfe02445f94942ac5f6802772dc
Reviewed-on: https://gerrit.instructure.com/194850
Tested-by: Jenkins
Reviewed-by: Clay Diffrient <cdiffrient@instructure.com>
QA-Review: Clay Diffrient <cdiffrient@instructure.com>
Product-Review: Clay Diffrient <cdiffrient@instructure.com>
by replacing $.extend(true, I18n, {translations: …}), we can speed up
the amount of time we spend loading the i18n string files.
From profiling, a non-trivial amount of the javascript run time was
spent just in these calls to $.extend(true, …)
Test plan:
* in a prod build
* set your language to something non-english like spanish
* everything should still be translated the same as before
* pages should load a little faster, especially on low powered devices
like mobiles
Change-Id: I9ac4a7b67cf14498ee1b972ba083db952ad7f314
Reviewed-on: https://gerrit.instructure.com/194234
Tested-by: Jenkins
Reviewed-by: Clay Diffrient <cdiffrient@instructure.com>
QA-Review: Clay Diffrient <cdiffrient@instructure.com>
Product-Review: Clay Diffrient <cdiffrient@instructure.com>
closes GQL-57
Test plan:
* run some mutations
* without a config/dynamodb.yml, graphql queries/mutations should work
as usual
* set up a 'auditors' category in config/dynamodb.yml:
* information about mutations should be recorded to the
'#{auditors-prefix}-graphql_mutations' table
Change-Id: Ide0e3707f74488dfa896ddb97820956e5bdc8e27
Reviewed-on: https://gerrit.instructure.com/188460
Tested-by: Jenkins
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: Rob Orton <rob@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
closes PLAT-3761
test plan:
- configure live events plugin setting to write to a local kinesalite
stream
- make sure there aren't any errors writing to the stream
Change-Id: I88944ad3ad80ecaa18c6da3739b34b2551ba2366
Reviewed-on: https://gerrit.instructure.com/192000
Reviewed-by: Weston Dransfield <wdransfield@instructure.com>
QA-Review: Weston Dransfield <wdransfield@instructure.com>
Tested-by: Jenkins
Product-Review: Brent Burgoyne <bburgoyne@instructure.com>
fixes CORE-2808
test plan
- load settings page, it should work
- load reports tab, it should work
Change-Id: I0616b4c2b23189a28a82360202fb1e4f5512892b
Reviewed-on: https://gerrit.instructure.com/189873
Reviewed-by: Ryan Shaw <ryan@instructure.com>
QA-Review: Ryan Shaw <ryan@instructure.com>
Tested-by: Jenkins
Product-Review: Rob Orton <rob@instructure.com>
the allowed-schemes and safe-hosts checks were being bypassed
when non-ASCII characters were used in a URI
test plan:
- create an external tool module item
- attempt to change the URL link to
javascript:alert(document.domain);//嘊
- it should be rejected
fixes SEC-2317
Change-Id: Ib2fe75f302af61c596ef2123cc4238975b42698f
Reviewed-on: https://gerrit.instructure.com/189519
Tested-by: Jenkins
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: Anju Reddy <areddy@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
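Added example, not part of the commit above and not Canvas code: one way a scheme and host allowlist can be skipped for a non-ASCII URI is a validator that fails open when the parser rejects its input. The page does not say how the original bypass worked, so the fail-open function, the scheme list and the host list below are assumptions for illustration; Ruby's URI.parse raises URI::InvalidURIError on non-ASCII input.

```ruby
require 'uri'

# Assumed policy values for this illustration (not from the page).
ALLOWED_SCHEMES = %w[http https].freeze
SAFE_HOSTS = %w[tools.example.edu].freeze

def policy_ok?(uri)
  ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase) &&
    SAFE_HOSTS.include?(uri.host.to_s.downcase)
end

# Hypothetical "before": the checks only run when parsing succeeds, so any
# input the parser rejects is accepted without being checked at all.
def link_allowed_fail_open?(url)
  policy_ok?(URI.parse(url))
rescue URI::InvalidURIError
  true
end

# Hardened form: anything that cannot be parsed and checked is rejected.
# Internationalized hosts would have to arrive already punycode-encoded.
def link_allowed?(url)
  return false unless url.is_a?(String) && url.ascii_only?
  policy_ok?(URI.parse(url.strip))
rescue URI::InvalidURIError
  false
end

# First URL is the one from the test plan above; the rest are constructed.
SAMPLES = [
  "javascript:alert(document.domain);//嘊",
  "javascript:alert(document.domain);//",
  "https://tools.example.edu/launch",
  "https://other.example.net/launch"
].freeze

# Returns [url, fail_open_result, fail_closed_result] for each sample.
def compare(urls = SAMPLES)
  urls.map { |u| [u, link_allowed_fail_open?(u), link_allowed?(u)] }
end

compare.each do |u, open, closed|
  puts format("%-42s fail-open=%-5s fail-closed=%s", u, open, closed)
end
```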
test plan:
* use the sis imports API to create a diffed sis batch
* refer to the API docs for 'diff_row_count_threshold'
to use the setting similarly to 'change_threshold' but
instead set an explicit row count and confirm that
diffing does not happen if the number of rows that
would be run in the diff exceeds the threshold
closes #CORE-2711
Change-Id: Idfc77d0aa64a82cf0665ffb5e3cc31f04d9e60e3
Reviewed-on: https://gerrit.instructure.com/189099
Tested-by: Jenkins
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: Rob Orton <rob@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
Change-Id: I3111e149709ee46d6ee7952fcfba06aa553c475c
Reviewed-on: https://gerrit.instructure.com/188947
Tested-by: Jenkins
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
test plan
- specs should pass
Change-Id: Ia7ae5f03122760c6cc239094f06fb324f883bf3b
Reviewed-on: https://gerrit.instructure.com/188911
Reviewed-by: Mark Valentine <mvalentine@instructure.com>
Tested-by: Jenkins
QA-Review: Rob Orton <rob@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
we still don’t want to send a giant batch so this
will limit based off the number of ids being sent
refs CORE-2742
test plan
- specs should pass
Change-Id: Ife00367d818a48a9934b4f224eb865c20292dd31
Reviewed-on: https://gerrit.instructure.com/188807
Tested-by: Jenkins
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
refs CORE-2742
test plan
- report specs should pass
Change-Id: If11a71145b8ce21be6c91bfcf09f27792a095f68
Reviewed-on: https://gerrit.instructure.com/188692
Tested-by: Jenkins
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
will return an error if the periodic jobs
haven't been running
closes #CORE-2717
Change-Id: If192f45c0e1f32f53d26287240a717517dcb8440
Reviewed-on: https://gerrit.instructure.com/187809
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins
QA-Review: Rob Orton <rob@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
Add the override_score field to admin grade reports if the account in
question has the Final Grade Override feature flag either allowed or
enabled.
closes GRADE-2000
Test plan:
- Don't forget to restart delayed_jobs if needed
- Set up an account with FGO set to ALLOW or ON
- In a course in the account, enable the feature and add some
override scores
- Run the admin reports (Grade Export and MGP Grade Export)
- Both reports should include an override_score column containing
the relevant values
- Disable FGO on the account
- Run the reports again
- The field should not be included in the output
Change-Id: Icd183ae324f52794f1ec80e0e70edb3af95d6a1a
Reviewed-on: https://gerrit.instructure.com/187353
Tested-by: Jenkins
Reviewed-by: Gary Mei <gmei@instructure.com>
Reviewed-by: Keith Garner <kgarner@instructure.com>
QA-Review: James Butters <jbutters@instructure.com>
Product-Review: Keith Garner <kgarner@instructure.com>
fixes CORE-2538
test plan
- configure statsd to use data dog
- it should work
Change-Id: Ie8428e4e99973b35506bd7a8e4d1a18f5a7875a1
Reviewed-on: https://gerrit.instructure.com/182083
Tested-by: Jenkins
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
refs CORE-2598
test plan
- specs should pass
Change-Id: I3c7490e77e83bcd12b8edda238ede70088b37f84
Reviewed-on: https://gerrit.instructure.com/186554
Reviewed-by: Mark Valentine <mvalentine@instructure.com>
Tested-by: Jenkins
QA-Review: Rob Orton <rob@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
Call the message validations on the lti messages
before we send the launch.
closes PLAT-4117
Test Plan:
- do a launch, it should still work
Change-Id: I34d20c328173158c76b11aacf7028f7eb152f87b
Reviewed-on: https://gerrit.instructure.com/185216
Tested-by: Jenkins
Reviewed-by: Nathan Mills <nathanm@instructure.com>
QA-Review: Marc Phillips <mphillips@instructure.com>
Product-Review: Marc Phillips <mphillips@instructure.com>
Change-Id: Ida0ea87736d2d22d0019f8cb2a010aeb7b9fafc3
Reviewed-on: https://gerrit.instructure.com/180785
Tested-by: Jenkins
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
this allows us to not download the entire aws sdk and old versions of
gems for statsd
Change-Id: Ib8305a008c2270845fd4f7ca5311a86a2e73ce7e
Reviewed-on: https://gerrit.instructure.com/180784
Tested-by: Jenkins
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
sqlite3 released a new version yesterday, but active record is pinned to
a previous version in a way that just errors. the version pins here can
be reverted once rails releases a compatibility update. see
https://github.com/rails/rails/pull/35154
Change-Id: If9edc76058d96a75b8731422407ecea2afb4ce29
Reviewed-on: https://gerrit.instructure.com/180583
Reviewed-by: James Butters <jbutters@instructure.com>
Tested-by: Jenkins
QA-Review: Simon Williams <simon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
Change-Id: I8a8dd135b7da10bd2659251821cb0af0ede5726a
Reviewed-on: https://gerrit.instructure.com/178970
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
Tested-by: Jenkins
Product-Review: Cody Cutrer <cody@instructure.com>
ensures the database server unshackles itself and hits the master
Change-Id: I7590b230be6a18588547442ca0a0e220b5093873
Reviewed-on: https://gerrit.instructure.com/178971
Tested-by: Jenkins
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
The added spec covers the real error case that was popping up in
production.
test plan:
- test pass
Change-Id: I20e0915d15bb1f9eba3f9d1bc646df8af1ca8564
Reviewed-on: https://gerrit.instructure.com/177585
Reviewed-by: Adrian Packel <apackel@instructure.com>
Reviewed-by: Keith Garner <kgarner@instructure.com>
Tested-by: Jenkins
QA-Review: Derek Bender <djbender@instructure.com>
Product-Review: Derek Bender <djbender@instructure.com>
migrations from old courses should never use 0
for answer ids and migrations from new ones should
be consistent with their answer ids
closes #QO-458
Change-Id: Ia023b25879530382d5358067cb4ff170c1d41a70
Reviewed-on: https://gerrit.instructure.com/177491
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Tested-by: Jenkins
QA-Review: James Williams <jamesw@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
fixes GRADE-1935
Test plan:
- Specs pass
- In a console, call Utf8Cleaner.strip_invalid_utf8 on a frozen string
and make sure it doesn't throw an error
Change-Id: I5ede03328bf8dbd58e0350188514427d809c61d1
Reviewed-on: https://gerrit.instructure.com/177551
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: Rob Orton <rob@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
Tested-by: Jenkins