closes MBL-4905
test plan:
- as an observee or admin
- after making a POST to /users/self/observees as a parent with the
student's token as the access_token
- query the /users/:user_id/calendar_events endpoint just as you would
the /calendar_events endpoint but make sure the user is the parent
and the :user_id is the student's id
- it should return all the things the /calendar_events endpoint
returns for that student
Change-Id: Ib9f9d8f3fb51e9bc240c12f383a3cc86fcc3cd2c
Reviewed-on: https://gerrit.instructure.com/66321
QA-Review: Ben Kirato <benk@instructure.com>
Tested-by: Jenkins
Reviewed-by: Matthew Wheeler <mwheeler@instructure.com>
Product-Review: Cameron Sutter <csutter@instructure.com>
fixes MBL-5161
test plan:
- send a POST to /users/self/observees as a parent with the
student's token as the access_token
- as the parent, send a GET to /users/:student_id/missing_submissions
- it should return any assignment due in the past that does not have
a submission for the student
Change-Id: Idb2bcc3c76ab67d16e18b90f043e3be96f4b8872
Reviewed-on: https://gerrit.instructure.com/67403
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Tested-by: Jenkins
QA-Review: Ben Kirato <benk@instructure.com>
Product-Review: Cameron Sutter <csutter@instructure.com>
Fixes CNVS-16333
Test Plan:
1. Post a few broken links in various places throughout the course,
such as in discussions or announcements
2. from the course settings, on the right-hand side, click
on the "Validate Links in Content" button to reach the
link navigator
3. Click Link Validator button
4. You should expect the button to change to a Loading message
then see a list of results
5. Click the link of one of the results
(it should take you to the location of the broken link)
6. Remove link and re-run Link Validator
to ensure that link no longer appears
Change-Id: I5cba118a1781eff427ef7d9690ed5bfa752dd785
Refs: CNVS-16333
Reviewed-on: https://gerrit.instructure.com/58125
Reviewed-by: Clay Diffrient <cdiffrient@instructure.com>
Tested-by: Jenkins
QA-Review: Ryan Allen <rallen@instructure.com>
Product-Review: Cosme Salazar <cosme@instructure.com>
closes CNVS-24286
Add JWT (wrapped and signed by shared secret)
as a viable authentication method.
Also remove deprecation errors from login template
TEST PLAN:
1) have ECOSYSTEM_* env vars set (docker helps)
2) login as a user
3) take a token from "/jwts/generate"
4) wrap that token in another token signed
with the shared secret (ECOSYSTEM_SECRET,
see services_jwt_spec.rb for a way to do this)
5) use the base64 encoded string as a bearer
token for canvas
6) try it again in 70 minutes or so (the same
token), it should now be expired.
Change-Id: I721f42d7c9ca7edc82bc75b116354dd3edc50a88
Reviewed-on: https://gerrit.instructure.com/66110
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
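An added sketch of steps 3 to 6 of the test plan above, written for this page; it is not Canvas code and not what services_jwt_spec.rb contains. The `user_token` claim name, HS256 for both tokens, the `sub`/`exp` claims, the one-hour lifetime and both keys are assumptions.

```ruby
require 'openssl'
require 'base64'
require 'json'

class TokenError < StandardError; end

def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Constant-time comparison so a signature check does not leak a matching prefix.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def sign_hs256(claims, key)
  input = [{ alg: 'HS256', typ: 'JWT' }, claims].map { |p| b64url(JSON.generate(p)) }.join('.')
  "#{input}.#{b64url(OpenSSL::HMAC.digest('SHA256', key, input))}"
end

# The algorithm is pinned to HS256: the header never selects how we verify.
def verify_hs256(token, key)
  parts = token.to_s.split('.', -1)
  raise TokenError, 'malformed token' unless parts.size == 3
  header, body, sig = parts
  expected = b64url(OpenSSL::HMAC.digest('SHA256', key, "#{header}.#{body}"))
  raise TokenError, 'bad signature' unless secure_equal?(expected, sig)
  head = JSON.parse(Base64.urlsafe_decode64(header))
  claims = JSON.parse(Base64.urlsafe_decode64(body))
  unless head.is_a?(Hash) && head['alg'] == 'HS256' && claims.is_a?(Hash)
    raise TokenError, 'malformed token'
  end
  claims
rescue JSON::ParserError, ArgumentError
  raise TokenError, 'malformed token'
end

# Steps 4-5: wrap the user's token in an outer token signed with the shared
# secret, then base64-encode the result for use as a bearer token.
def wrap_for_bearer(user_token, shared_secret)
  Base64.urlsafe_encode64(sign_hs256({ 'user_token' => user_token }, shared_secret))
end

# Receiving side: the outer signature proves the caller holds the shared secret,
# the inner token identifies the user, and expiry is checked on the inner token.
def authenticate_bearer(bearer, shared_secret, canvas_key, now: Time.now.to_i)
  outer = verify_hs256(Base64.urlsafe_decode64(bearer.to_s), shared_secret)
  inner = verify_hs256(outer.fetch('user_token'), canvas_key)
  raise TokenError, 'expired' unless inner['exp'].is_a?(Integer) && inner['exp'] > now
  inner.fetch('sub')
rescue ArgumentError, KeyError
  raise TokenError, 'malformed bearer'
end

if __FILE__ == $PROGRAM_NAME
  issued = Time.now.to_i
  # Constructed keys and claims, for illustration only.
  user_token = sign_hs256({ 'sub' => 'user-42', 'exp' => issued + 3600 }, 'constructed-canvas-key')
  bearer = wrap_for_bearer(user_token, 'constructed-shared-secret')
  puts authenticate_bearer(bearer, 'constructed-shared-secret', 'constructed-canvas-key')
end
```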
Change-Id: I06c07b3b5d676e5aa49e88b547e965c214862a9f
Reviewed-on: https://gerrit.instructure.com/66528
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins
Product-Review: James Williams <jamesw@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
They now live in their own private repository.
Change-Id: Id4e9e3f745c1311fc75f99bb62333af44b90f145
Reviewed-on: https://gerrit.instructure.com/66125
Tested-by: Jenkins
Reviewed-by: Taylor Wilson <twilson@instructure.com>
Product-Review: Derek Hansen <dhansen@instructure.com>
QA-Review: Derek Hansen <dhansen@instructure.com>
FIXES MBL-4841
New Endpoint:
get api/v1/users/:user_id/courses/
Test Plan
1. Create student account with course enrollment on one shard.
2. Create an account to act as a parent on a different shard from student.
3. Add student as an observee of parent using the student's token to
create the association.
4. Call the new endpoint using the parent's auth token and the student's
id. Ensure that you can see the student's courses on the student's shard.
Change-Id: Ie3fc15bc2c70a9e219d14c1a91e90eccfabc2559
Reviewed-on: https://gerrit.instructure.com/64943
Tested-by: Jenkins
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Ben Kirato <benk@instructure.com>
Product-Review: Josh Orr <jgorr@instructure.com>
closes CNVS-24285
This token isn't consumed by anyone yet, ultimately it will be used
to be passed back to canvas from other trusted services to
prove the user is authorized to those services and assets.
TEST PLAN:
1) login as a user
2) visit /jwts/generate
3) you should see a token-like thing in the JSON
Change-Id: I95852758597606d4ee3f1d2c788fcb252e7c154a
Reviewed-on: https://gerrit.instructure.com/65983
Tested-by: Jenkins
Reviewed-by: Mike Nomitch <mnomitch@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
Fixes CNVS-20747
Test plan:
- Create a user
- Add an email address to the user
- The address doesn't need to be able to actually receive
messages, so put anything you want in here
- Make note of the user's id
- Assuming the user's id is 42, open a rails console and type:
c = User.find(42).email_channel
c.bounce_count = 3
c.save!
- Log in as the user (actually log in, don't just masquerade)
- Visit the user's settings page
- Verify you see the usual warning triangle next to the user's
email address
- Verify you don't see the reset icon (just a refresh-like icon,
two arrows pointing in a circle)
- Log in as a siteadmin
- Masquerade as the user
- Visit the user's settings page
- Verify you see both the warning triangle and the reset icon
- Click the reset icon
- Verify that the reset icon and the warning triangle go away
- Refresh the page and verify that they're still gone
- Assuming the user's id is 42, open a rails console and type:
c = User.find(42).email_channel
c.bounce_count = 1
c.save!
- Log in as a siteadmin
- Masquerade as the user
- Visit the user's settings page
- Verify you see only the reset icon and not the warning
triangle
- Click the reset icon
- Verify that it goes away
- Refresh the page and verify that it's still gone
Change-Id: Ibd9d2e04555be2ec3eae811fd93f2cba0645d870
Reviewed-on: https://gerrit.instructure.com/55139
Reviewed-by: Joel Hough <joel@instructure.com>
Tested-by: Jenkins
QA-Review: Adrian Russell <arussell@instructure.com>
Product-Review: Allison Weiss <allison@instructure.com>
refs #CNVS-11466
Users who aren't logged in should submit
an email, otherwise we can't get back to them.
This adds some front-end validation to require
an email address if the user isn't logged in.
If they are, we leave it alone, we can identify
them from their session.
This also removes the 404.html page, I can't find
anywhere where we actually use it (and it is
exactly duplicated in the error_form and such)
Change-Id: I0aaa322aa25f4c3f316cb2ce15573c2ac288035c
Reviewed-on: https://gerrit.instructure.com/63715
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Tested-by: Jenkins
Reviewed-by: Jacob Fugal <jacob@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
fixes CNVS-24178
- Updates FilesConverter so that it returns both files that will be
displayed in the ePub and the files that are unsupported.
- Adds CC::Exporters::Epub::FilesDirectory class, which accepts a
collection of file objects and adds them to a zip file.
- Updates UI so that a separate download link is present for the zip of
unsupported files.
- Adds support to MIME::Types library to be able to identify ePubs.
- Updates EpubExport to have many attachments; one epub & one zip.
- Updates process of creating attachments related to EpubExports so that
the content_type value is properly set.
test plan:
- Have a course that contains files that are not supported by ePub, such
as pdf, doc or xls.
- Navigate to `/epub_exports`.
- Click the button to generate an ePub for the given course.
- Observe that, after the successful generation of the course, two
download links appear: one for the ePub, one for additional files.
Change-Id: I2f321362bc5ed23f8b28334395f8969c9d90a5de
Reviewed-on: https://gerrit.instructure.com/65753
Tested-by: Jenkins
Reviewed-by: Matt Berns <mberns@instructure.com>
QA-Review: Deepeeca Soundarrajan <dsoundarrajan@instructure.com>
Product-Review: Cosme Salazar <cosme@instructure.com>
Add grading period dropdowns on the 'grades' page,
and add a "Display Totals for 'All Grading Periods'"
feature flag. By default, the feature will be turned
'off'.
When the feature is 'off':
- Totals will not display in the gradebook
or the 'student grades' page when the 'All
Grading Periods' option is selected.
- The grading period dropdowns on the 'grades'
page will not have an 'All Grading Periods'
option.
When the feature is 'on':
- Totals will display in the gradebook and the
'student grades' page when the 'All Grading
Periods' option is selected.
- The grading period dropdowns on the 'grades'
page will have an 'All Grading Periods' option.
closes CNVS-23995
test plan:
1) as a teacher, enable the 'multiple grading
periods' feature (do not enable the 'display
totals for all grading periods' feature yet).
a) verify the gradebook does not show totals
when the 'All Grading Periods' option is
selected.
b) verify the 'student grades page'
(courses/4/grades/9#tab-assignments) does
not show totals, and the calculation of
'what-if' grades is disabled when the
'All Grading Periods' option is selected.
c) turn on the 'display totals for all
grading periods' feature. repeat steps
a & b and verify that the totals now
show up (and you can calculate what-if
grades on the student grades page when
'All Grading Periods' is selected)
2) sign in as a student that is enrolled in
3 courses: 1 course with MGP disabled, 1
course with MGP enabled and 'display all
grading periods totals' (DAGPT) disabled,
and 1 course with MGP enabled and DAGPT
enabled. go to the 'grades' page (/grades).
a) verify there is a grading period dropdown
next to the totals for courses that have
MGP enabled. verify there is not a grading
period dropdown next to the total for the
course with MGP disabled.
b) verify that the current grading period is
selected by default, if one exists. if a
current grading period does not exist, then:
- the dropdown next to the total for the
course with DAGPT disabled should show
'Select a grading period' and the total
grade should show as '--'.
- the dropdown next to the total for the
course with DAGPT enabled should show
'All Grading Periods' and the total grade
should be displayed.
c) verify clicking a grading period in the
dropdown changes the total, and shows
the correct total for that grading period.
3) repeat steps 2a-c, but sign in as an observer that
is observing at least 3 students in 3 different
courses (1 course with MGP disabled, 1 with MGP
enabled and DAGPT disabled, and 1 course with
MGP enabled + DAGPT enabled).
4) verify that the grading period dropdowns that were
added are accessible.
Note: The 'grades' page (/grades) will _always_
display the total for 'All Grading Periods' when
signed in as a teacher. We are aware of this
existing bug and we're working on a solution.
Change-Id: If501b47aa57121d17d4e6629d1dcdbc8676971a2
Reviewed-on: https://gerrit.instructure.com/65847
Tested-by: Jenkins
Reviewed-by: Strand McCutchen <smccutchen@instructure.com>
Reviewed-by: Dylan Ross <dross@instructure.com>
Reviewed-by: Derek Bender <djbender@instructure.com>
QA-Review: Jason Carter <jcarter@instructure.com>
Product-Review: Spencer Olson <solson@instructure.com>
closes CNVS-24154
Don't make AccessToken errors get written to error
reports, these happen all the time whenever anyone
submits a bad error token
TEST PLAN:
1) use a bad access token in an api call
2) make sure an error report is not written
3) you should still get api feedback telling you your access token is
bad
Change-Id: Icc159bc6afd0ce41e41361501aad081086969ee7
Reviewed-on: https://gerrit.instructure.com/65523
Reviewed-by: Rob Orton <rob@instructure.com>
Reviewed-by: Jacob Fugal <jacob@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Tested-by: Jenkins
Product-Review: Jacob Fugal <jacob@instructure.com>
This patch exposes delayed jobs data as an API route, which makes it accessible using a bearer token. Currently, a token is not accepted as valid authentication, and an Unauthorized error is returned to the client.
Test plan:
- create a user in the Site Admin account and grant it admin rights to Site Admin
- create a user in the Site Admin account (or any other account) but do not grant it admin rights to Site Admin
- create some delayed jobs, failed and otherwise
- test the following routes:
- `GET /api/v1/jobs?only=jobs&flavor=[failed|future|current|waiting]`: should return list of jobs for specified flavor in JSON
- `GET /api/v1/jobs/:id`: should return a specific non-failed job
- `GET /api/v1/jobs/:id`: should return a specific failed job
- `POST /api/v1/jobs/batch_update` with body
`update_action=destroy&job_ids[]=$id1&job_ids[]=$id2`: (replacing
$id1 and $id2 with the IDs of real non-failed jobs) should return a success message with count of destroyed jobs.
- `POST /api/v1/jobs/batch_update` with body
`update_action=destroy&job_ids[]=$id1&job_ids[]=$id2&flavor=failed`:
(replacing $id1 and $id2 with the IDs of real failed jobs) will fail
pending instructure/canvas-jobs#2 (with that pull, it will return a
success message with count of destroyed jobs).
- `POST /api/v1/jobs/batch_update` with body `update_action=destroy&flavor=future`: should return a success message with count of destroyed jobs
- `POST /api/v1/jobs/batch_update` with body
`update_action=hold&flavor=future`: should return an error report
(can't hold failed jobs).
When testing the routes, using the second user created (without Site Admin rights) should throw an Unauthorized error. Using a developer key should throw an Invalid Token error.
test plan:
0. enable New Styles
1. go to the dashboard with the rectangle card things
2. click the gear icon on a course card
3. edit the course name in the box above the colors and
click Apply
4. notice the course name in the dashboard card has changed
and the original name is visible if you hover over
the nickname
5. click the card to go to the course and notice your
course nickname is used:
- on the course home page (with 'recent activity'
or 'syllabus' selected)
- in the Courses menu
- in "All Courses" under the Courses menu
- in the UI navigation (breadcrumbs)
- on the calendar (right side list)
- in the Inbox (course dropdown)
6. go back to the dashboard, click the gear menu on
a course card, clear out the nickname, and click Apply.
- the original course name should be restored
and shown in the locations listed in step 5
7. repeat steps 2-6 with a different student in the same
course; ensure the first student's course nickname
doesn't leak through to a second student
8. regression test course color choosing functionality
on both the dashboard and the calendar
closes CNVS-23201
Change-Id: I8dd714cad83dca5e17e65c6c463cdadc655db83c
Reviewed-on: https://gerrit.instructure.com/65052
Tested-by: Jenkins
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: Clare Strong <clare@instructure.com>
Product-Review: Hilary Scharton <hilary@instructure.com>
fixes CNVS-23657
test plan:
- make a parent theme and apply
- make a subaccount theme and apply
- go back to the editor for the parent
- it starts off with its current theme
- go back to the editor for the subaccount
- it starts off with its current theme
- changes to both apply correctly
Change-Id: I77d306be0fe34e0fcb6305bd799240ebb45072f0
Reviewed-on: https://gerrit.instructure.com/64032
Tested-by: Jenkins
Reviewed-by: Jacob Fugal <jacob@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Jacob Fugal <jacob@instructure.com>
fixes CNVS-23835
test plan:
* use any API endpoint that takes a user id (and thus sis_login_id)
* change the case of the login id (all uppercase, etc.) in the URL
* it should still find the user
Change-Id: I0821b5d7213142aefa7e26699c26b981845a220b
Reviewed-on: https://gerrit.instructure.com/64586
Tested-by: Jenkins
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
test plan:
- perform an action that will generate a delayed job
- the last line of the delayed job log, which starts with STAT, should
include the job_id
Change-Id: I3c02f01494ffa138fa4f5dc022522d8c7f3ab2ef
Reviewed-on: https://gerrit.instructure.com/64540
Reviewed-by: Cody Cutrer <cody@instructure.com>
Reviewed-by: Brian Palmer <brianp@instructure.com>
Tested-by: Jenkins
Product-Review: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
fixes CNVS-23369
Test Plan:
- Run build
Change-Id: I15f60901c74fec85782641d06b71f41f0e3d354a
Reviewed-on: https://gerrit.instructure.com/64431
Tested-by: Jenkins
Reviewed-by: Steven Burnett <sburnett@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
Rack generates a session_id internally which we like to include in logs
for tracking requests. This session_id wasn't getting picked up by our
log wrapper because of interdependencies in the middleware call stack
and bugs in rack/rails. Read on for details:
See the order of the middleware stack by running: `rake middleware`
The main players in this saga are:
- RequestContextGenerate middleware
- session store middleware:
ActionDispatch::Session::EncryptedCookieStore <
ActionDispatch::Session::CookieStore <
Rack::Session::Cookie <
Rack::Session::Abstract::ID
- Rack::Session::Abstract::SessionHash
How to intercept the session_id:
The Rack session_id is generated lazily the first time the SessionHash
(which is a thin wrapper around a ruby hash) is read from or written to.
This needs to happen after the session has been loaded out of the cookie
by the session store middleware, which happens after our
RequestContextGenerate middleware. We don't just want to move the
generation of the request id later, because then the first couple log
lines will not be tagged with a request id.
So our idea was to capture the session_id in an un-encrypted cookie that
could be read early in the middleware call stack (which is fine to be
public, and only used for logs so not a big deal if it's tampered with).
Again, this happens lazily on first access, so our best bet is to catch
it on the way out of the middleware stack. But when
RequestContextGenerator returns it's already too late, because cookies
have already been written to the header. So we introduce a new
middleware that captures the session_id, writes it to a cookie, and then
modify RequestContextGenerator to read from the cookie.
This works great except that with this setup, after a log in attempt the
redirect after login would still be logged with the old "unknown"
session_id and not the new, logged-in session_id. When a session is
cleared (what happens at log in time), ActionDispatch implements
a `reset_session` that we call, which calls session.destroy, but rack
had not implemented session.destroy, so rails patched it, but then after
calling destroy, they reset the session to a plain hash (not
a SessionHash), so an id isn't generated until the plain-hash session is
written to the cookie, which happens AFTER our new middleware finishes
in the stack (and never sets it in the place we look for it).
Rails 4:
Rack internals changed somewhat between rack-1.4 and rack-1.5 and the id
moves from being stored in the session options hash to the main session
hash. We'll need to fix this for rails 4.
A better way:
It may be better to try to keep a handle on the actual SessionHash so
that we can dynamically load the id for log lines, and pick up id
changes immediately as they happen, mid-request. We'd have to make sure
the lookups weren't too expensive though, vs just saving a string.
fixes CNVS-15259
Test plan:
- start a server, make a request
- you should see log lines start with [session_id, request_id] and
session_id should be present, not just "-"
Change-Id: I0289db255b2b0bc3b118e32fc1d0d9381455b1ec
Reviewed-on: https://gerrit.instructure.com/64092
Reviewed-by: Brian Palmer <brianp@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
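An added sketch of the flow the commit message above describes, written for this page and not taken from Canvas or Rack: a lazily generated session id is copied into a plain cookie on the way out of the stack and read early on the next request. Class names other than RequestContextGenerator, the cookie names and the env layout are assumptions; because the log cookie is client-controlled, the reader here also checks its format before it reaches a log line.

```ruby
require 'securerandom'

# Stand-in for Rack's SessionHash: no id exists until the first read or write.
class LazySession
  attr_reader :id

  def initialize(id = nil)
    @id = id
    @data = {}
  end

  def [](key)
    @id ||= SecureRandom.hex(16)
    @data[key]
  end

  def []=(key, value)
    @id ||= SecureRandom.hex(16)
    @data[key] = value
  end
end

SID_FORMAT = /\A\h{32}\z/ # assumed id shape: 32 hex characters

# Outermost middleware: runs before the session is loaded, so it can only
# consult the plain cookie. Anything not matching the format is logged as "-".
class RequestContextGenerator
  def initialize(app); @app = app; end

  def call(env)
    raw = env[:cookies]['log_session_id'].to_s
    sid = raw.match?(SID_FORMAT) ? raw : '-'
    env[:log_prefix] = "[#{sid}, #{SecureRandom.uuid}]"
    @app.call(env)
  end
end

# Stand-in session store: loads the session on the way in, persists it on the way out.
class SessionStore
  def initialize(app); @app = app; end

  def call(env)
    env[:session] = LazySession.new(env[:cookies]['_session'])
    status, set_cookies = @app.call(env)
    set_cookies['_session'] = env[:session].id if env[:session].id
    [status, set_cookies]
  end
end

# The new middleware (hypothetical name): after the app has touched the
# session, copy the id into an unencrypted cookie for the next request.
class SessionIdCapture
  def initialize(app); @app = app; end

  def call(env)
    status, set_cookies = @app.call(env)
    set_cookies['log_session_id'] = env[:session].id if env[:session].id
    [status, set_cookies]
  end
end

APP = lambda do |env|
  env[:session][:visits] = env[:session][:visits].to_i + 1 # first access creates the id
  [200, {}]
end
STACK = RequestContextGenerator.new(SessionStore.new(SessionIdCapture.new(APP)))

# Runs one request with the given browser cookies; returns the log prefix
# used for that request and the cookie jar the browser holds afterwards.
def simulate(cookies)
  env = { cookies: cookies }
  _status, set_cookies = STACK.call(env)
  { prefix: env[:log_prefix], cookies: cookies.merge(set_cookies) }
end

if __FILE__ == $PROGRAM_NAME
  first = simulate({})
  puts first[:prefix]                      # session id is "-" on the first request
  puts simulate(first[:cookies])[:prefix]  # second request carries the captured id
end
```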
Adds the following endpoint:
POST api/v1/accounts/1/self_registration
Fixes MBL-4838
Test Plan:
1. Enable self-registration on the test domain
2. Call the above endpoints with all of the params necessary to create a user but without any bearer token.
3. Ensure that user was created properly
Change-Id: Ia768516fec4f1dc8c55222375c9e26c9905e1ad8
Reviewed-on: https://gerrit.instructure.com/64064
Reviewed-by: Brad Humphrey <brad@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Josh Orr <jgorr@instructure.com>
fixes CNVS-21793, CNVS-21794, CNVS-21795
- Adds EpubExport model to manage state of generated epubs.
- Adds controller to list, create & show epub exports.
- Adds a mini react app to manage UI for creating epub exports.
- Adds shared ApiProgressBar react component to display a progress bar
that polls the progress API.
- Updates ContentExport to have a relationship with EpubExport.
test plan:
- Navigate to `/epub_exports`.
- Observe a list of courses that are active & user is enrolled in.
- Click on the Generate button.
- Observe that info about the state of the export and the timestamp are
added to the middle of the row.
- Observe that a progress bar is displayed while the export is in
progress.
- Observe that upon completion, the progress bar is replaced by two
button / links: Download & Regenerate.
- Observe that Download at the moment does nothing... this is because
the backend is not yet hooked up to generate the epub.
- Observe that the Regenerate button triggers the process all over
again.
Change-Id: I6cd844baa06db0c6648ad19389d235b89659919c
Reviewed-on: https://gerrit.instructure.com/62135
Tested-by: Jenkins
Reviewed-by: Matt Berns <mberns@instructure.com>
QA-Review: Adam Stone <astone@instructure.com>
Product-Review: Cosme Salazar <cosme@instructure.com>
also add beta documentation for these endpoints and the
moderation set API endpoints
test plan:
- specs cover the controller/route change
- render documentation and sanity check the
Moderated Grading page (noting the beta tag)
closes CNVS-23310
Change-Id: I64517184fc38d5af0cd7d088222fd5131534e448
Reviewed-on: https://gerrit.instructure.com/63682
Tested-by: Jenkins
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: Clare Strong <clare@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
test plan:
1. create a moderated assignment
2. associate a rubric with the assignment
3. add a student to the moderation set, using g/63360, or if that's
not available yet, the Rails console:
assignment.moderated_grading_selections.create! student: student
4. submit to the assignment as a student
5. grade the assignment as a TA in speedgrader, commenting and marking
the rubric in the process
6. as a teacher, view the submission using the "Get a single submission"
API endpoint, including provisional_grades, submission_comments,
and rubric_assessment
GET /api/v1/courses/{course_id}/assignments/{assignment_id}/submissions/{user_id}?include[]=provisional_grades&include[]=submission_comments&include[]=rubric_assessment
7. retrieve the provisional_grade_id from the above, to use in the next step
8. as a teacher, call the copy_to_final_grade endpoint to copy the TA's
provisional grade to the "final" provisional grade editable by
moderators
POST /api/v1/courses/{course_id}/assignments/{assignment_id}/provisional_grades/{provisional_grade_id}/copy_to_final_mark
9. as a teacher, repeat the GET from step 6 and ensure that the provisional
grade appears twice, once with the TA as the scorer_id and once with the teacher
- the teacher's entry should have final=true while the TA's is false
- the comments and rubric assessment written by the TA should be included
in the teacher's provisional grade, but still attributed to the TA's user id
closes CNVS-23300
Change-Id: Id09f828ddb4c262ef5452a62702a3a1828091486
Reviewed-on: https://gerrit.instructure.com/63563
Reviewed-by: James Williams <jamesw@instructure.com>
Tested-by: Jenkins
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
refs CNVS-22002
Test Plan:
- Load up a moderated assignment's moderate page
- Click a few of the checkboxes
- Click the + Reviewer button
- A success flash message should appear
- The previously selected checkmarks should still be selected
but should now be disabled.
- Refresh the page, the same ones should be disabled still
Change-Id: Ia828ad7e28d692f93aa0c1404a53d293290fc083
Reviewed-on: https://gerrit.instructure.com/63275
Tested-by: Jenkins
Reviewed-by: Sterling Cobb <sterling@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: Clay Diffrient <cdiffrient@instructure.com>