test plan:
see coverage in previous rspec/selenium builds, same numbers as before
Change-Id: I331bf5102914da00a5d350f32b74b4bc9d49c5f8
Reviewed-on: https://gerrit.instructure.com/106895
Tested-by: Jenkins
Reviewed-by: Landon Wilkins <lwilkins@instructure.com>
Product-Review: Landon Wilkins <lwilkins@instructure.com>
QA-Review: Landon Wilkins <lwilkins@instructure.com>
as of this commit, all canvas gems should be on rspec 3.5, and pass
without deprecation warnings.
closes CNVS-34040
test plan: specs should pass without deprecation warnings
Change-Id: I556b1a4a5aeb791c6ddd50ee35b51c513e025019
Reviewed-on: https://gerrit.instructure.com/98414
Reviewed-by: Landon Wilkins <lwilkins@instructure.com>
Product-Review: Landon Wilkins <lwilkins@instructure.com>
QA-Review: Landon Wilkins <lwilkins@instructure.com>
Tested-by: Jenkins
rely on test_all_gems.sh to output header and trailer,
and use `set -e` in each test.sh to simplify passing
through errors
Change-Id: I3ba724ad2539ddfe31195394c43f646acfc73920
Reviewed-on: https://gerrit.instructure.com/70469
Tested-by: Jenkins
Reviewed-by: Simon Williams <simon@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
closes CNVS-18870
CNVS-18870 as described in the ticket description is not a bug. see
comments on the ticket for more details. but while investigating and
confirming that, it became obvious that the odd structure and scattered
implementation of the CSRF protection was both making it hard to reason
about and easy to introduce new bugs. after the refactor, we still:
* don't perform CSRF validation on GET requests
* don't perform it on token-authenticated API requests
* do perform it on session-authenticated API requests
* do perform it on non-API requests regardless of authentication method
additionally, we now:
* don't perform CSRF validation on HEAD requests
finally, we _don't_ support a csrf_token in the session anymore. that's
been deprecated forever; we can remove the code now.
test-plan:
- should not perform CSRF validation for:
  - GET requests
  - token-authenticated POST requests to API endpoints (path prefixed
    by /api/) without an authenticity_token parameter or X-CSRF-Token
    header
  - token-authenticated POST requests to API endpoints even with an
    authenticity_token parameter
  - token-authenticated POST requests to API endpoints even with an
    X-CSRF-Token header
- should perform CSRF validation for:
  - POST requests to non-API endpoints
  - session-authenticated POST requests to API endpoints
- when CSRF validation should occur, but the user has cookies off:
  - POST requests to non-API endpoints should redirect to a "need
    cookies" page
  - XHR POST requests to non-API endpoints should not redirect
  - POST requests to API endpoints should not redirect
Change-Id: I3dbb3a68623bc9d03a3e744a9d4e1f038a32709c
Reviewed-on: https://gerrit.instructure.com/65103
Reviewed-by: Simon Williams <simon@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Jacob Fugal <jacob@instructure.com>
Change-Id: Ib7db93b7ce5c877d2c0dcf24ee0d748f11ec58cb
Reviewed-on: https://gerrit.instructure.com/44806
Reviewed-by: Adam Ard <aard@instructure.com>
Product-Review: Adam Ard <aard@instructure.com>
QA-Review: Adam Ard <aard@instructure.com>
Tested-by: Adam Ard <aard@instructure.com>
fixes CNVS-16884
test-plan:
- in HTTP-session environment (`secure: false` or unset in
  config/session_store.yml), CSRF cookie should be sent without secure
  flag
- in HTTPS-session environment (`secure: true` in
  config/session_store.yml), CSRF cookie should be sent with secure
  flag.
- on a non-files host, javascript should be able to read the CSRF
  cookie: value of "document.cookie" in javascript console should
  include "_csrf_token"
- on a files host, javascript should not be able to read the CSRF
  cookie: value of "document.cookie" in javascript console should not
  include "_csrf_token"
Change-Id: Ifd57c973478a6d07497a404dcf1a9b9caa9014af
Reviewed-on: https://gerrit.instructure.com/44451
Reviewed-by: Cody Cutrer <cody@instructure.com>
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
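The following is an added example, not Canvas's own code: it models, as a pure Ruby predicate, the CSRF rules listed in the CNVS-18870 commit message (skip GET/HEAD and token-authenticated API requests, validate everything else, and decide the cookies-off response) together with the `_csrf_token` cookie attributes from the CNVS-16884 commit (secure flag from session_store.yml, hidden from JavaScript only on a files host). `Request` and the `CsrfPolicy` method names are constructed stand-ins for the Rails objects, not Canvas identifiers.

```ruby
# Constructed stand-in for the Rails request; field names are assumptions.
Request = Struct.new(:http_method, :path, :auth, :xhr, :params, :headers,
                     keyword_init: true)

module CsrfPolicy
  SAFE_METHODS = %w[GET HEAD].freeze

  def self.api_request?(req)
    req.path.start_with?("/api/")
  end

  # True when the request must present a valid CSRF token.
  def self.validate?(req)
    return false if SAFE_METHODS.include?(req.http_method.upcase) # GET/HEAD: never
    return false if api_request?(req) && req.auth == :token        # token-auth API: never
    true # session-auth API and every non-API request: always
  end

  # The token may arrive as the authenticity_token param or the X-CSRF-Token header.
  def self.supplied_token(req)
    (req.headers || {})["X-CSRF-Token"] || (req.params || {})["authenticity_token"]
  end

  # Constant-time comparison so a token check does not leak via timing.
  def self.token_valid?(req, expected)
    given = supplied_token(req).to_s
    return false unless given.bytesize == expected.bytesize
    given.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  # When validation applies but the browser sent no cookies: plain browser
  # POSTs go to the "need cookies" page; XHR and API requests do not redirect.
  def self.cookies_off_response(req)
    return :none unless validate?(req)
    return :error if api_request?(req) || req.xhr
    :redirect
  end

  # Attributes for the _csrf_token cookie: secure follows session_store.yml's
  # `secure` key, and only a files host hides it from document.cookie (httponly).
  def self.cookie_options(session_store, files_host:)
    { secure: session_store["secure"] == true, httponly: files_host }
  end
end
```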
test plan:
* in one tab, start to fill out an ajax form
  (e.g. editing a quiz)
* in another tab, log out of canvas
* return to the original tab and try to
  submit the form (e.g. save your changes)
* should get an error message with a link to
  log in in a new tab
* log in in the new tab
* return to the original, and try to resubmit
* should save successfully
closes #CNVS-3957 #CNVS-13673
Change-Id: I7758514de8ce09361fef469034645d8a29e2a5e5
Reviewed-on: https://gerrit.instructure.com/40396
Reviewed-by: Jacob Fugal <jacob@instructure.com>
QA-Review: Clare Strong <clare@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Product-Review: Cosme Salazar <cosme@instructure.com>
they're likely already installed, and it will save a ton of trips
to rubygems.org
Change-Id: I9ccf2194619a6e8f97d7f21b4e232dac7ff20d3c
Reviewed-on: https://gerrit.instructure.com/35694
Reviewed-by: Bryan Madsen <bryan@instructure.com>
QA-Review: Bryan Madsen <bryan@instructure.com>
Product-Review: Bryan Madsen <bryan@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Change-Id: I0dad5345aae75e552af97f5b54ded10bbfebbe37
Reviewed-on: https://gerrit.instructure.com/33925
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Mike Nomitch <mnomitch@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
QA-Review: Simon Williams <simon@instructure.com>
fixes CNVS-11072
test plan: in a canvas repository without a .git directory (like a deploy) call
a bundle command (like script/console). it should not give you warnings about
missing .git directories
Change-Id: I2daa1371d97c94f7c3db81d3fd2bad387fcabaf8
Reviewed-on: https://gerrit.instructure.com/29947
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Stephan Hagemann <stephan@pivotallabs.com>
Product-Review: Stephan Hagemann <stephan@pivotallabs.com>
QA-Review: Stephan Hagemann <stephan@pivotallabs.com>