E1842 Issues Related To Participants

From Expertiza_Wiki
Revision as of 07:06, 3 November 2018 by Ckaidab (talk | contribs)

Introduction

Problem Statement

In Expertiza, an instructor is responsible for adding participants to his/her course or assignment, which makes the course material available to the participant (the student). Since the instructor has admin rights, he/she can also impersonate the participant. This creates a few problems, which this project addresses.


Issues to be fixed

Issues as described by the problem statement:

Issue #536

Once the instructor impersonates the participant, he/she can access all of the participant's work, irrespective of the course or the assignment. This raises serious security concerns. The suggested solution is to restrict the instructor to viewing only his/her own coursework.

Issue #1185

After adding a participant, the page has to be manually refreshed to show the name of the participant on the list. This creates a bad user experience and needs to be fixed.


Modified Files

1) app/controllers/auth_controller.rb

2) app/controllers/impersonate_controller.rb

3) app/controllers/student_task_controller.rb

4) app/views/participants/add.js.erb

5) app/views/participants/_participant.html.erb

6) app/views/shared_scripts/_user_list.html.erb


Approach taken to resolve the issues

Issue #536

Once the instructor or teaching assistant impersonates a participant, he/she can access all of that participant's assignments irrespective of the course, which raises serious security concerns. Ideally, the system should display only those assignments for which he/she is the instructor or teaching assistant.


This issue has been fixed by modifying the existing data filtering and session/role handling features.


1. Impersonation and Session Handling:


The setting and resetting of all session data associated with impersonation is handled in the auth_controller.rb file.


i] After login, the session[:impersonate] value is set to false by default.

 session[:impersonate] = false


ii] When the instructor impersonates a student, the following actions are performed.


a) The instructor/TA data is assigned to a session variable. This data is used when the instructor/TA switches back to their original role, and also during data filtering.

     original_user = session[:super_user] || session[:user]
     session[:original_user] = original_user

b) The impersonate flag is set to true and the session's user variable is set to the user data of the impersonated student.

     session[:impersonate] = true
     session[:user] = user


iii] All of this session data is cleared when the user logs out.

   session[:original_user] = nil
   session[:impersonate] = nil


2. Data Filtering:

The logged-in user's role and impersonation status are used to filter the data that populates the assignment list.

This is implemented in the student_task_controller.rb file:

 # Check whether the original (impersonating) user is a TA
 def impersonating_as_ta?
   original_user = session[:original_user]
   ta_role = Role.where(name: ['Teaching Assistant']).pluck(:id)
   ta_role.include? original_user.role_id
 end
 # Filter and populate all the relevant data
 # (impersonating_as_admin? is not shown on this page)
 def list
   redirect_to(controller: 'eula', action: 'display') if current_user.is_new_user
   session[:user] = User.find_by(id: current_user.id)
   @student_tasks = StudentTask.from_user current_user
   if session[:impersonate] && !impersonating_as_admin?
     # Keep only assignments owned by the original user
     @student_tasks = @student_tasks.select {|t| session[:original_user].id == t.assignment.instructor_id }
     if impersonating_as_ta?
       # TA: restrict to the courses the TA is mapped to
       ta_course_ids = TaMapping.where(ta_id: session[:original_user].id).pluck(:course_id)
       @student_tasks = @student_tasks.select {|t| ta_course_ids.include?(t.assignment.course_id) }
     else
       # Instructor: restrict to courses the instructor teaches
       @student_tasks = @student_tasks.select {|t| session[:original_user].id == t.assignment.course.instructor_id }
     end
   end
 end
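
The session handling and filter described above, modelled in plain Ruby as an added example (not Expertiza's own code). The Structs stand in for the ActiveRecord models; the `role` symbols, the `ta_mappings` hash and the ownership of TA_Assignment are assumptions, and the data is constructed from the names used in this page's test plan.

```ruby
# Added illustration: Structs stand in for Expertiza's ActiveRecord models.
User       = Struct.new(:id, :role)
Course     = Struct.new(:id, :instructor_id)
Assignment = Struct.new(:name, :instructor_id, :course)
Task       = Struct.new(:assignment)

# Impersonation step: remember who is really acting, then switch users.
def impersonate!(session, student)
  session[:original_user] = session[:super_user] || session[:user]
  session[:impersonate] = true
  session[:user] = student
end

# Same order of filters as the list action; ta_mappings is a hypothetical
# {ta_id => [course_id, ...]} hash standing in for the TaMapping table.
def visible_tasks(tasks, session, ta_mappings)
  return tasks unless session[:impersonate]
  original = session[:original_user]
  return tasks if original.role == :admin # stand-in for impersonating_as_admin?
  tasks = tasks.select { |t| t.assignment.instructor_id == original.id }
  if original.role == :ta
    course_ids = ta_mappings.fetch(original.id, [])
    tasks.select { |t| course_ids.include?(t.assignment.course.id) }
  else
    tasks.select { |t| t.assignment.course.instructor_id == original.id }
  end
end

# Log in as actor, impersonate student, return the assignment names shown.
def names_seen_by(actor, student, tasks, ta_mappings)
  session = { user: actor, impersonate: false }
  impersonate!(session, student)
  visible_tasks(tasks, session, ta_mappings).map { |t| t.assignment.name }
end

# Constructed data using the names from the test plan.
INS4    = User.new(4, :instructor)
INS6    = User.new(6, :instructor)
TA      = User.new(1274, :ta)
STUDENT = User.new(6400, :student)
C617    = Course.new(617, INS4.id)
C517    = Course.new(517, INS6.id)
TASKS = [
  Task.new(Assignment.new('Assignment_Instructor4', INS4.id, C617)),
  Task.new(Assignment.new('Assignment_Instructor6', INS6.id, C517)),
  Task.new(Assignment.new('TA_Assignment', TA.id, C517)) # owner id assumed
]
TA_MAPPINGS = { TA.id => [C517.id] }
```

With this constructed ownership, the first `select` on `assignment.instructor_id` leaves TeachingAssistant1274 seeing TA_Assignment but not Assignment_Instructor6, although both belong to the mapped course.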

Issue #1185

Only a user who has an assignment and a topic will be able to advertise for team members to join their team. If a user doesn't have a topic, (s)he won't be able to advertise. Consider the scenario in which A and B are two users, A with a topic and B without: A joins B's team but A's topic gets dropped, so A and B become a team with no topic. Such cases are now avoided, as we have ensured that without first selecting a topic a user can neither advertise for team members nor send invitations to other users to join his/her team. This is done by querying the database using an inner join between the tables SignUpTopic, signed_up_teams and team_users, and checking whether the user has a topic for a particular assignment. If (s)he has a topic, then (s)he will be able to see the option for advertising for teammates. If the assignment doesn't have a topic, then the user will be able to send out team invitations. Pseudocode representing the logic we have used to modify student_teams_helper.rb:

 StudentTeamsHelper
   If the concerned assignment has topics
       return false if there are topics
   else return true
 User_Has_Topic(user_id, assignment_id)
   Query the database using inner joins between SignUpTopic, signed_up_teams, team_users
   rows= number of rows returned by the above query
   If rows>0
      return true
   else
      return false

Pseudocode representing the logic we have used to modify view.html.erb:

   If concerned assignment does not have topics OR User_Has_Topic is true
      Make Invite link visible

Test Plan

Automated tests cannot be written for this project. Automated tests will only be able to test the functionality of Rails and not the functionality of the amended files.


https://mymediasite.online.ncsu.edu/online/Play/3b649b16e7f7448d9d1ee79ee1448b221d


https://mymediasite.online.ncsu.edu/online/Play/31dcb783510c4322bcfbc894c71fbdd01d


Issue #536

1) Log in as Instructor4. Add a new assignment Assignment_Instructor4 under the course Course 617, Spring 2016.

2) Make student6400 a participant of that assignment and log out.

3) Log in as Instructor6. Add a new assignment Assignment_Instructor6 under the course Course 517, Spring 2016.

4) Make student6400 a participant of that assignment and log out.

5) Click on Manage -> Impersonate User and enter student6400 as the user to be impersonated.

6) After impersonation, Instructor6 will be able to see only his/her own assignment details and not those of any other instructor.

7) We need to log in as Instructor4 and verify that Instructor4 is not able to see the assignment details of the other instructors.

8) Log in as Instructor4. Click on Manage -> Impersonate user. Enter student6400 as the user to be impersonated.

9) After impersonation, Instructor4 will be able to see only his/her own assignment details and not those of any other instructor.

10) Log in as TeachingAssistant1274, who is a TA for Course 517, Spring 2016, under Instructor6.

11) Create an assignment TA_Assignment and make student6400 a participant.

12) Click on Manage -> Impersonate user and enter student6400 as the student to be impersonated.

13) After impersonation, TeachingAssistant1274 will be able to see all the assignment details of all courses for which (s)he is the TA and not the details of the other assignments.

14) This verifies that the bugs have been fixed.

Issue #1185

1) Log in as an Instructor, Admin, Super-Admin or TA.

2) Click on Manage -> Assignments. In the Actions column, click on Add Participant.

3) After the list of all the participants you will see the Enter a user login text box.

4) Enter the user login in the text box (e.g. student9000) and click the Add button.

5) After clicking the Add button, you will see the participant added at the end of the list.

6) This verifies that the bug has been fixed.

Screenshots of new feature

3) Login as Instructor6. Add a new assignment Assignment_Instructor6 under the course Course 517, Spring 2016. [[File: Ins6 homepage.png]]
