E1842 Issues Related To Participants: Difference between revisions

From Expertiza_Wiki
Line 43: Line 43:
This issue has been fixed by modifying the current implementations of session handling, data filtering and role handling features.
This issue has been fixed by modifying the current implementations of session handling, data filtering and role handling features.


Pseudocode representing the logic we have used to modify sign_up_sheet.rb:
Code representing the logic we have used to modify sign_up_sheet.rb:


   Respond_To_Ads(user_id, assignment_id)
   def impersonating_as_ta?
   p_id=Fetch participant_id corresponding to (user_id, assignment_id)
    original_user = session[:original_user]
  Check entries for p_id in table join_team_request_table where status is either "A" or "P"
    ta_role = Role.where(name:['Teaching Assistant']).pluck(:id)
  count=number of such entries
    ta_role.include? original_user.role_id
  return count
   end
 
  def list
Pseudocode representing the logic we have used to modify view.html.erb:
    redirect_to(controller: 'eula', action: 'display') if current_user.is_new_user
 
    session[:user] = User.find_by(id: current_user.id)
  If Sign Up Sheet has topics for a particular assignment()
    @student_tasks = StudentTask.from_user current_user
  If Respond_To_Ads(user_id, assignment_id) is equal to 0
    if session[:impersonate] && !impersonating_as_admin?
    Show Trumpet icon which is a link to the Ads
      @student_tasks = @student_tasks.select {|t| session[:original_user].id == t.assignment.instructor_id }
      if impersonating_as_ta?
        ta_course_ids = TaMapping.where(:ta_id => session[:original_user].id).pluck(:course_id)
        @student_tasks = @student_tasks.select {|t| ta_course_ids.include?t.assignment.course_id }
      else
        @student_tasks = @student_tasks.select {|t| session[:original_user].id == t.assignment.course.instructor_id }
      end
  end


==='''Issue #1185 '''===
==='''Issue #1185 '''===
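Review bot: In the added `list` method, the select on `t.assignment.instructor_id` runs for every non-admin impersonator before the `impersonating_as_ta?` check, so a teaching assistant's task list is first reduced to assignments where the TA is the assignment's instructor and only then filtered by `ta_course_ids`. Move that comparison into the `else` branch, or drop it, so each role is filtered exactly once by its own rule. The added lines also close only the two `if` blocks, leaving `def list` without its closing `end`.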

Revision as of 23:10, 2 November 2018

Introduction

Problem Statement

In Expertiza, an instructor is responsible for adding a participant to his/her course or assignment. This makes the course material available to the participant (that is, the student). Since the instructor has admin rights, he/she is capable of impersonating the participant. This creates a few problems, which this project addresses.


Issues to be fixed

Issues as described by the problem statement:

Issue #536

Once the instructor impersonates the participant, he/she is capable of accessing all of the participant's work, irrespective of the course or the assignment. This raises serious security concerns. The suggested solution is to restrict the instructor to viewing only his/her own coursework.

Issue #1185

After adding a participant, the page has to be manually refreshed to show the name of the participant on the list. This creates a bad user experience and needs to be fixed.


Modified Files

1) app/controllers/auth_controller.rb

2) app/controllers/impersonate_controller.rb

3) app/controllers/student_task_controller.rb

4) app/views/participants/add.js.erb

5) app/views/participants/_participant.html.erb

6) app/views/shared_scripts/_user_list.html.erb


Approach taken to resolve the issues

Issue #536

Once the instructor or teaching assistant impersonates the participant, he/she is capable of accessing all the assignments of this participant irrespective of the course, and this raises serious security concerns. Ideally, the system should display only those assignments to which he/she is assigned as an instructor or teaching assistant.

This issue has been fixed by modifying the current implementations of session handling, data filtering and role handling features.

Code representing the logic we have used to modify sign_up_sheet.rb:

 # True when the user who started the impersonation is a Teaching Assistant.
 def impersonating_as_ta?
   original_user = session[:original_user]
   ta_role = Role.where(name: ['Teaching Assistant']).pluck(:id)
   ta_role.include? original_user.role_id
 end
 def list
   redirect_to(controller: 'eula', action: 'display') if current_user.is_new_user
   session[:user] = User.find_by(id: current_user.id)
   @student_tasks = StudentTask.from_user current_user
   # While a non-admin is impersonating, narrow the list to the original user's own coursework.
   if session[:impersonate] && !impersonating_as_admin?
     @student_tasks = @student_tasks.select {|t| session[:original_user].id == t.assignment.instructor_id }
     if impersonating_as_ta?
       # A TA is limited to the courses mapped to him/her in TaMapping.
       ta_course_ids = TaMapping.where(:ta_id => session[:original_user].id).pluck(:course_id)
       @student_tasks = @student_tasks.select {|t| ta_course_ids.include?(t.assignment.course_id) }
     else
       # An instructor is limited to the courses he/she instructs.
       @student_tasks = @student_tasks.select {|t| session[:original_user].id == t.assignment.course.instructor_id }
     end
   end
 end
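The role-scoped filtering described above can be exercised outside Rails. The following is an added example, not Expertiza code: `Task`, `User`, `TA_COURSES`, `visible_tasks` and the sample data are hypothetical stand-ins, and each role is filtered once by its own rule, with unknown roles denied by default.

```ruby
# Constructed stand-ins for Expertiza's records (hypothetical, not the real models).
Task = Struct.new(:name, :course_id, :course_instructor_id)
User = Struct.new(:id, :role)

# Constructed TA-to-course mapping, playing the part of the TaMapping table.
TA_COURSES = { 30 => [101] }.freeze

# Returns the impersonated student's tasks that the original (real) user
# is allowed to see. Anything not explicitly allowed is dropped.
def visible_tasks(tasks, original_user, impersonating)
  return tasks unless impersonating # the student viewing his/her own list
  case original_user.role
  when :admin
    tasks
  when :instructor
    tasks.select { |t| t.course_instructor_id == original_user.id }
  when :ta
    allowed = TA_COURSES.fetch(original_user.id, [])
    tasks.select { |t| allowed.include?(t.course_id) }
  else
    [] # unknown role: deny by default
  end
end

# Constructed sample: one student enrolled in three courses.
STUDENT_TASKS = [
  Task.new('OSS project', 101, 10),
  Task.new('Final report', 102, 11),
  Task.new('Quiz 1', 103, 10)
].freeze

def names(tasks)
  tasks.map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  [User.new(10, :instructor), User.new(30, :ta), User.new(1, :admin)].each do |u|
    puts "#{u.role}: #{names(visible_tasks(STUDENT_TASKS, u, true)).inspect}"
  end
end
```

A TA with no entry in the mapping gets an empty list rather than the student's full list, which is the failure mode the original issue describes.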

Issue #1185

If a user has an assignment and a topic, only then will (s)he be able to advertise for team members to join the team. If a user doesn't have a topic, (s)he won't be able to advertise. Consider the scenario in which A and B are two users, A with a topic and B without a topic: A joins B's team but A's topic gets dropped, so A and B become a team with no topic. Such cases are now avoided, as we have ensured that without first selecting a topic a user can neither advertise for team members nor send invitations to other users to join the team. This is done by querying the database using an inner join between the tables SignUpTopic, signed_up_teams and team_users, and checking whether the user has a topic for a particular assignment. If (s)he has a topic, (s)he will be able to see the option for advertising for teammates. If the assignment doesn't have a topic, the user will be able to send out team invitations. Pseudocode representing the logic we have used to modify student_teams_helper.rb:

 StudentTeamsHelper
   If the concerned assignment has topics
      return false if there are topics
   else return true
 User_Has_Topic(user_id, assignment_id)
   Query the database using inner joins between SignUpTopic, signed_up_teams, team_users
   rows= number of rows returned by the above query
   If rows>0
      return true
   else
      return false

Pseudocode representing the logic we have used to modify view.html.erb:

   If concerned assignment does not have topics OR User_Has_Topic is true
      Make Invite link visible

Test Plan

Automated tests cannot be written for this project. Automated tests will only be able to test the functionality of Rails and not the functionality of the amended files.


https://mymediasite.online.ncsu.edu/online/Play/3b649b16e7f7448d9d1ee79ee1448b221d


https://mymediasite.online.ncsu.edu/online/Play/31dcb783510c4322bcfbc894c71fbdd01d


Issue #536

1) Log in as Admin, create an assignment with all the necessary details such as the maximum number of users per team, add topics for the assignment, and enroll users (students) in the assignment.

2) Log in as a user (student) or impersonate a student, say student A, whom you have enrolled in the assignment. You should now be able to see the assignment in the Assignment section.

3) Since A doesn't have a topic yet, you won't be able to see the advertise link.

4) Go to the sign-up sheet for the assignment and select a topic. A now has a topic, so A can advertise for team members.

5) Post an advertisement: "Need team-members who know Ruby."

6) Log in as another user (student) or impersonate another student, say student B, whom you have enrolled in the assignment.

7) Since B doesn't have a topic yet, you won't be able to see the advertise link.

8) Go to the sign-up sheet for the assignment. You'll be able to see a trumpet icon next to the topic that has an ad posted.

9) Click on the icon and you'll see the ad posted by A. Click on the request to join A's team.

10) On doing so, an entry is created in the table "" and status holds the value "P", signifying a pending request.

11) Now if you go to the sign-up sheet again, you will no longer see the trumpet icon through which you can access the ads, since you have already responded to an ad and the request is in the pending state.

12) Log in as user A or impersonate A. You'll now be able to see the team join request sent by user B.

13) Now, you can either approve it or decline it. Suppose you approve it: B will become a part of your team, and the status will change to "A". If you now log in as B or impersonate B, you will no longer be able to access the trumpet icon, which is a link to all ads pertaining to topics of the concerned assignment.

14) Had user A declined user B's join request, the status in the table "" would change to "D", which means user B still doesn't have a team. So, if you now log in as B or impersonate B, you'll be able to see the ads again.

Issue #1185

1) Log in as a user (student) or impersonate a student, say student A, whom you have enrolled in the assignment.

2) You should now be able to see the assignment in the Assignment section. Since A doesn't have a topic yet, you won't be able to see the advertise link.

3) Go to the sign-up sheet for the assignment and select a topic. A now has a topic, so A can advertise for team members. Post an advertisement: "Need team-members who know Ruby."

4) This ensures that for an assignment with topics, a user can send out advertisements only if (s)he has a topic.

5) Log in as Admin, create an assignment with all the necessary details such as the maximum number of users per team, do not add topics for the assignment, and enroll users (students) in the assignment.

6) Log in as a user (student) or impersonate a student, say student A, whom you have enrolled in the assignment. You should now be able to see the assignment in the Assignment section.

7) Since the assignment doesn't have any topics, you will be able to see the advertise link. You won't see a sign-up sheet since the assignment has no topics. You can advertise for teammates.

Screenshots from conducted Test

1) On clicking on 'Manage Content' the following screen is rendered which lists the existing assignments.



2) On clicking on 'New Public Assignment' the following form is displayed in which assignment details can be entered.



3)Editing the created assignment.



4)Click on 'Topics' to add topics for the assignment.



5)Click on 'Rubrics' to set up assignment rubrics.



6)The following screenshot shows the completed setup.



7)On clicking on the image-link for adding participants for an assignment, the following screen is rendered.



8)Showing all added participants.



9) The following screen is rendered when a student who is a participant in the current assignment clicks on its sign-up sheet.



10) The following screen is rendered when a participant clicks on the sign-up sheet link for the assignment.



11)The following screen is rendered when a participant chooses a topic and then clicks on 'create advertisement'.



12)After creating an ad, user can now see a horn icon which is a link to display the advertisements corresponding to that topic in that assignment.



13)The following screen is rendered after clicking on the horn icon.



14)The following screen is rendered after clicking on the link 'Request invitation'.



15)After sending a request to join a team (via ad), the user will no longer see the link for the ads unless the request is denied by the receiver.



16)This is the screen of the user who had created the ad. He is now able to see any join requests that he can approve/decline.