Expertiza_Wiki - User contributions [en]

CSC/ECE 517 Spring 2021 - E2109. Completion/Progress view

2021-05-01T00:58:14Z

Skrish28: /* Test Plan */

='''Problem Statement'''=
Expertiza allows users to complete peer reviews on fellow students' work. However, not all peer reviews are helpful, and some are more useful than others. Therefore, the application allows for the project's authors to provide feedback on the peer review, this is called "author feedback." The instructors have no easy way to access the author feedback while grading peer reviews, which would be a useful feature to have since this shows how helpful the peer review actually was to the group that received it. Thus, making the author feedback more accessible is the aim of this project. However, a group in 2018 was tasked with this project as well, and most of the functionality appears to have been implemented already, but that is in an older version of Expertiza. Our primary task is then to follow their implementation, refactor any code that may require it, make the suggested improvements that were left in their project feedback and make the feature compatible with the latest beta branch of Expertiza. Secondary tasks are to make the author feedback column toggleable and to refactor the function that averages author feedbacks so that it reuses existing code that exists somewhere in Expertiza already.

='''Goal'''=
#Our primary goal is to take the author feedback column functionality from the 2018 branch and update it so that it merges successfully with the current beta branch.
#In the 2018 branch, there is an author feedback column to the review report, but the previous team's submission added new code to calculate the average. However, this most likely already exists somewhere else in the system, and so we will identify where that functionality exists and refactor the code to reuse it to follow the DRY principle.
#Part of the 2018 group's feedback said that the review report UI began to look somewhat crowded in its appearance. However, there is often no author feedback, and so the column for that should be made toggleable. So we will make it so that the column is dynamic and will only be present if there is author feedback to display. The user could then toggle the column to show or hide that information depending on their own preference.

='''Design'''=
Below is the current implementation of the page we are going to edit on the beta branch. It can be seen that the "author feedback" column is not present in this view at all.

[[File:beta_view.PNG |1500px|]]

Here is the 2018 group's version of the page we are editing. It has the "author feedback" column as well as the necessary functionality. However, the user interface has clearly changed since 2018, and therefore, there will likely be merge conflicts between their branch and the current beta branch. Part of our task would then be to resolve those merge conflicts and port the functionality back over to the most recent beta branch. (Sourced from this [https://expertiza.csc.ncsu.edu/index.php/CSC/ECE_517_Fall_2018/E1876_Completion/Progress_view link])

[[File:impl_screenshot.png |1500px|]]

Currently, in the 2018 group's branch, the entries in the "Score awarded/Avg. score" and "Author Feedback Score" columns contain a lot of missing entries. Though, this does not appear to be the case in the most recent beta branch available in 2021. Therefore, we would add this filter (i.e. code that removes the missing entries represented by the dashes) to the missing entries available in the beta branch to the 2018 group's branch code.

In addition, the 2018 group's branch has the author feedback in its own column in-between "AVG score" and "Metrics". Instead, we will move it under the same header column "Scores" as seen in the current beta branch, just to the right of the "AVG Score" column. To accommodate for this additional column being introduced, the "Team reviewed" column width would be reduced a bit so that the "Scores" column renders approximately at the same location on the page.

Below is the final product of our implementation. As can be seen, some columns that had unnecessarily large amounts of space given to their width e.g. reviewer and team reviewed, have been reduced to accommodate the new author feedback column. There is also still ample space for the assign grade and write comments column to be expanded.

[[File:author_feedback1.png |1500px|]]

='''Files Changed'''=
The below files were expected to be edited by our group to complete this project:
#app/views/reports/_review_report.html.erb
#app/controllers/review_mapping_controller.rb
#app/models/on_the_fly_calc.rb
#app/views/reports/response_report.html.haml
#app/views/reports/_team_score.html.erb

However, the below files had to be edited (or added) in order to implement the author feedback column:
#app/helpers/report_formatter_helper.rb
#app/helpers/review_mapping_helper.rb
#app/models/on_the_fly_calc.rb
#app/views/reports/_review_report.html.erb
#app/views/reports/_team_score_author_feedback.html.erb

In the report_formatter_helper.rb file, an attribute had to be added to the helper (that is later mixed in with the reports_controller). This attribute gives the controller access to the model's author feedback scores that have been calculated.

The review_mapping_helper.rb file required an older method to be once again introduced, this method is called "get_each_round_score_awarded_for_review_report". It is required to properly read and display the computed author feedback scores from the hash they are stored in. Another method that is similar to it, "get_awarded_review_score", could not be used as it causes an exception to be thrown; this is due to the fact that the "get_awarded_review_score" method does not accommodate for when the hash does not contain the key it is trying to access (specifically, it is unable to handle when the "reviewer_id" does not exist in the hash's set of keys).

The on_the_fly_calc.rb file only required the expected changes as introduced in our implementation plan. However, one additional method, called "feedback_questionnaire_id" had to be added in order for the "calc_feedback_scores_sum" method (that is also in the same file) to work. This method used to exist else where in an older version of Expertiza, located in the assignment.rb model, but it is not needed beyond the scope of "calc_feedback_scores_sum", so it exists with private access in the on_the_fly_calc.rb file.

The _review_report.html.erb file had to be modified - the width of the other columns was reduced to make room for the author feedback column, the column header was added, and the necessary call to the author feedback column partial was also introduced.

Finally, a new file called _team_score_author_feedback.html.erb, was added to the repository. This file is the partial required to render the author feedback column, and is a reintroduction of the 2018 group's _team_feedback_score.html.erb file.

='''Implementation Plan'''=
Like the 2018 group, we plan to add three methods to the on_the_fly_calc.rb file in Models. These methods are:
#compute_author_feedback_scores
#calc_avg_feedback_score(response)
#calc_feedback_scores_sum

The feedbacks are stored in the ResponseMaps table and are queried using the assignment_id/reviewer who gave the response/reviews(responses) in each round in the 'compute_author_feedback_scores' method. The method iterates through all the rounds done during the review process, and calls the 'calc_avg_feedback_score' method, providing a "response" argument. The response argument is the review a team provides for the author's work. Lastly, in order to obtain the final average score for a particular review (response) that the authors (team) have gotten, they obtain a sum of the feedback scores from each of the authors and divide it by the total number of feedbacks that were obtained. These methods have already been implemented by the 2018 group and are included here again for the reader's convenience.

<pre style="color: black; border:1px;">
def compute_author_feedback_scores
@author_feedback_scores = {}
@response_maps = ResponseMap.where('reviewed_object_id = ? && type = ?', self.id, 'ReviewResponseMap')
rounds = self.rounds_of_reviews
(1..rounds).each do |round|
@response_maps.each do |response_map|
response = Response.where('map_id = ?', response_map.id)
response = response.select {|response| response.round == round }
@round = round
@response_map = response_map
calc_avg_feedback_score(response) unless response.empty?
end
end
@author_feedback_scores
end
</pre>

<pre style="color: black; border:1px;">
def calc_avg_feedback_score(response)
# Retrieve the author feedback response maps for the teammates reviewing the review of their work.
author_feedback_response_maps = ResponseMap.where('reviewed_object_id = ? && type = ?', response.first.id, 'FeedbackResponseMap')
author_feedback_response_maps.each do |author_feedback_response_map|
@corresponding_response = Response.where('map_id = ?', author_feedback_response_map.id)
next if @corresponding_response.empty?
calc_feedback_scores_sum
end
# Divide the sum of the author feedback scores for this review by their number to get the
# average.

if !@author_feedback_scores[@response_map.reviewer_id].nil? &&
!@author_feedback_scores[@response_map.reviewer_id][@round].nil? &&
!@author_feedback_scores[@response_map.reviewer_id][@round][@response_map.reviewee_id].nil? &&
!author_feedback_response_maps.empty?
@author_feedback_scores[@response_map.reviewer_id][@round][@response_map.reviewee_id] /= author_feedback_response_maps.count
end
end
</pre>

<pre style="color: black; border:1px;">
def calc_feedback_scores_sum
@respective_scores = {}
if !@author_feedback_scores[@response_map.reviewer_id].nil? && !@author_feedback_scores[@response_map.reviewer_id][@round].nil?
@respective_scores = @author_feedback_scores[@response_map.reviewer_id][@round]
end
author_feedback_questionnaire_id = feedback_questionnaire_id(@corresponding_response)
@questions = Question.where('questionnaire_id = ?', author_feedback_questionnaire_id)
# Calculate the score of the author feedback review.
calc_review_score
# Compute the sum of the author feedback scores for this review.
@respective_scores[@response_map.reviewee_id] = 0 if @respective_scores[@response_map.reviewee_id].nil?
@respective_scores[@response_map.reviewee_id] += @this_review_score
# The reviewer is the metareviewee whose review the authors or teammates are reviewing.
@author_feedback_scores[@response_map.reviewer_id] = {} if @author_feedback_scores[@response_map.reviewer_id].nil?
@author_feedback_scores[@response_map.reviewer_id][@round] = {} if @author_feedback_scores[@response_map.reviewer_id][@round].nil?
@author_feedback_scores[@response_map.reviewer_id][@round] = @respective_scores
end
</pre>

However, they calculate the average with a custom implementation that most likely exists somewhere else in Expertiza already as suggested by the instructors. As part of our project, we will identify where that functionality exists, and either reuse it or extend it so that it can be reused here instead. Though, we will first implement the functionality as the previous group did, and then slowly perform our refactor to ensure functionality is not broken by the refactoring process.

Since we will need to modify the user interface to introduce the author feedback column, we expect to add a column within the .erb files in the views folder that were identified above. These files were selected as they were the files necessary for the previous group to implement their UI changes.

They also add a 'calculate_avg_score_by_feedback' method to the controller for the file 'app/controllers/review_mapping_controller.rb'. The following method was written by the previous team to calculate the average scores for the feedback given by authors for the reviews of their work.

<pre style="color: black; border:1px;">
def calculate_avg_score_by_feedback(question_answers, q_max_score)
# get score and summary of answers for each question
# only include divide the valid_answer_sum with the number of valid answers

valid_answer_counter = 0
question_score = 0.0
question_answers.each do |ans|
# calculate score per question
unless ans.answer.nil?
question_score += ans.answer
valid_answer_counter += 1
end
end

if valid_answer_counter > 0 and q_max_score > 0
# convert the score in percentage
question_score /= (valid_answer_counter * q_max_score)
question_score = question_score.round(2) * 100
end
question_score
end
</pre>

Unfortunately, it exists in the controller level logic, and perhaps isn't required to exist there. It is likely better for this method to be moved to this controller's corresponding model, and we will do so during our project to make the code follow the principles of MVC.

='''Test Plan'''=
The 2018 group wrote a RSpec test when they wrote their function to calculate the author feedback scores. It was located in the on_the_fly_calc_spec.rb file and the method they wrote was called 'compute_author_feedback_scores'. Below is the snippet of the RSpec test that they wrote:

<pre style="color: black; border:1px;">

describe '#compute_author_feedback_score' do
let(:reviewer) { build(:participant, id: 1) }
let(:feedback) { Answer.new(answer: 2, response_id: 1, comments: 'Feedback Text', question_id: 2) }
let(:feedback_question) { build(:question, questionnaire: questionnaire2, weight: 1, id: 2) }
let(:questionnaire2) { build(:questionnaire, name: "feedback", private: 0, min_question_score: 0, max_question_score: 10, instructor_id: 1234) }
let(:reviewer1) { build(:participant, id: 2) }
let score = {}
let(:team_user) { build(:team_user, team: 2, user: 2) }
let(:feedback_response) { build(:response, id: 2, map_id: 2, scores: [feedback]) }
let(:feedback_response_map) { build(:response_map, id: 2, reviewed_object_id: 1, reviewer_id: 2, reviewee_id: 1) }

before(:each) do
allow(on_the_fly_calc).to receive(:rounds_of_reviews).and_return(1)
allow(on_the_fly_calc).to receive(:review_questionnaire_id).and_return(1)
end
context 'verifies feedback score' do
it 'computes feedback score based on reviews' do
expect(assignment.compute_author_feedback_scores).to eq(score)
end
end
end

</pre>

== UI Testing ==
The UI testing, isn't much of a functionality, but is rather the change in the view of the report page by the intructor. For anyone to test the UI, the following steps would be a suitable guide:
# First login to the expertiza website with ''Username'' as '''instructor6''' and ''password'' as '''password'''.
# Next click on Manage and tab on top left of the screen and click '''Anonymized View'''.
# Once we get into ananoymized view, click on '''Assignments'''.
# After the assignment list loads up, on any given assignment, eg: Final Project Documentation, navigate to the right side and search for the icon with a person on it and says Review report.
# Click on that icon. This will take you to another page where there is a button '''Report View'''. Click on that.
# This will navigate you to the report page as seen above and you will be able to view the Author's Feedback column and score obtained for every student.

='''References'''=
#https://expertiza.csc.ncsu.edu/index.php/CSC/ECE_517_Fall_2018/E1876_Completion/Progress_view
#https://docs.google.com/document/d/1uzr5pybVKYr_K1Q8wSd4t-Id9nqTt3k1ePseDjY-RJg/edit#

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-30T02:04:31Z

Skrish28:

This wiki page describes the work done under E2018 OSS Program for Spring 2021, in the CSC/ECE 517 course.

===About Expertiza===

[http://expertiza.ncsu.edu/ Expertiza] is an open-source project based on [http://rubyonrails.org/ Ruby on Rails] framework. Expertiza is a complete instructor-student usage website where the instructor can assign assignments, deadlines, grades, etc that is required for the course. Similarly, the students can use this website to perform the tasks required as part of the course like project or assignments submission, forming groups and collaborating with them, as well as reviewing projects and teammates.

This project focuses on a specific feature of expertiza which allows administrators, instructors or teaching assistants to impersonate another user (like a student) and access their account.
The demonstration for the feature is as shown below.

[[File:Impersonate guide.jpg|figure 1|frame|center]]

[[File:Non impersonate.jpg|figure 2|frame|center]]

[[File:Impersonated view.jpg|figure 3|frame|center]]

===Problem Statement===
Expertiza allows administrators, instructors and Teaching Assistants to impersonate other users like a student. This allows the impersonator to view assignments, deadlines and submissions of other students.
The rules to impersonating a user is, the impersonator has to be an ancestor of the impersonate.
The hierarchy of impersonation is as follow:
super administrator -> Administrator -> Instructor -> Teaching Assistant -> Student
Note: impersonation cannot happen within the same level of hierarchy.
For Example, a Super Administrator can impersonate any user apart from other Super Administrators, an Administrator can impersonate Instructors, TA, Students and not other Admins and so on.
The aim of the project is to refactor the impersonate controller. The pre-existing code had the following major issues.

*All functions related to impersonate controller were present in a single method which is 79 lines long.

*Presence of repetitive code (Around 40 repetitive lines)
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
# Revert to original account
else
if !session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
else
flash[:error] = "No original account was found. Please close your browser and start a new session."
redirect_back
return
end
end
end

</pre>

*Block nesting
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>

* Too many return statements
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
</pre>

*The impersonation can be done by using an impersonate bar which currently does not allow initial impersonation.
[[File:impersonate.jpg]]

This project is focused on resolving the issues mentioned above.

===How Impersonating works?===
Basic login details: (Instructor login is only available) username -> instructor6, password -> password

When logged in as an instructor, under the manage option in the ribbon as in Figure 1, select impersonate user.
Upon redirected to impersonate page, enter the account which needs to be impersonated. It impersonates that user provided that user can be impersonated. Now a new button called revert appears on the ribbon as in figure 3, this can be used to revert the impersonation and return to the instructor profile.

===Problem Solution===
The above-mentioned issues have been tackled by refactoring the impersonate controller by splitting into many smaller methods which are later called by the main impersonate controller.

The following are the refactored new methods that help in tackling the issue1 apart from each being specifically for some issue rectification:
*check_if_user_impersonateable
*display_error_msg
*overwrite_session
*check_if_special_char
*do_main_operartion

=====A.check_if_user_impersonateable=====
This method plays the main role in tackling issue3 - 3 levels of block nesting apart from issue1.

'''Intial Code'''
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>
''' After recfactoring - Moved to separate method'''
<pre>
def check_if_user_impersonateable
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
if !@original_user.can_impersonate? user
@message = "You cannot impersonate '#{params[:user][:name]}'."
temp
AuthController.clear_user_info(session, nil)
else
overwrite_session
end
else
if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
overwrite_session
end
end
end
</pre>

=====B. display_error_msg=====
This method is used to tackle issues1, 2 and 4. All the error message related code is moved to this method.
<pre>
def display_error_msg
if params[:user]
@message = "No user exists with the name '#{params[:user][:name]}'."
elsif params[:impersonate]
@message = "No user exists with the name '#{params[:impersonate][:name]}'."
else
if params[:impersonate].nil?
@message = "You cannot impersonate '#{params[:user][:name]}'."
else
if !params[:impersonate][:name].empty?
@message = "You cannot impersonate '#{params[:impersonate][:name]}'."
else
@message = "No original account was found. Please close your browser and start a new session."
end
end
end
rescue Exception => e
flash[:error] = @message
redirect_to :back
end
</pre>

=====C.overwrite_session=====
This method reduces the number of return statements used in impersonate controller, apart from reducing the size of the controller.

'''Initial Code'''
<pre>
if params[:impersonate].nil?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:user][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:impersonate][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
</pre>
'''After Refactoring - Moved to a separate method and accessed through the adapter method do_main_operation'''
<pre>
def overwrite_session
#if not impersonatable, then original user's session remains
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = @original_user
session[:impersonate] = true
session[:user] = user
else
#if some user is to be impersonated, their session details are overwritten onto the current to impersonate

if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = @original_user
else
user = User.find_by(name: params[:user][:name])
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
end
end
end
</pre>

=====D. check_if_special_char=====
This code is used to reduce one functionality performed under the impersonate controller. This method checks to see if the given username is acceptable.
Older version consisted only of the following snippet of code.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
end
</pre>

In the current code, the following code is added to accomodate the navigation bar funcionality of impersonate.
<pre>
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
end
end
</pre>

=====E. do_main_operation=====
This like an adapter method that is used to interface the impersonate method with display_error_msg and check_if_user_impersonatable. One main purpose to do this is to make the methods flexible for change apart from reducing the number of lines from the impersonate controller.
<pre>
def do_main_operation(user)
if user
check_if_user_impersonateable
else
display_error_msg
end
end
</pre>

=====F. Changes made to implement Anonymized View=====
Initially, while using the anonymized view to impersonate the account: student8597, we received the following error.
[[File: anon_without_space_err.png|1000px]]
This occured as the following method was initially splitting the name using
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user_id = anonymized_name.split(' ’)[1]
user = User.find_by(id: user_id)
return user
end
</pre>
Thus while doing the above function, what happens is that the student’s name is searched for a space and the ID is obtained as the numerics after the space, which isn’t the case for our user’s names (eg: student8597). Thus we had to modify this method under app/models/user.rb to the following:
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user = User.find_by(name: anonymized_name)
return user
end
</pre>
In the above code snippet, what we are instead doing is, directly finding the user from the anonymized_name which in the errored case as in the figure above was ’’student8597'’.
Apart from these changes, we also had to include the following statements in various parts of the impersonate_controller.rb file to ensure the the previously written test for anonymous view doesn’t break anywhere.
<pre>
# E1991 : check whether instructor is currently in anonymized view
user = User.anonymized_view?(session[:ip]) ? User.real_user_from_anonymized_name(params[:impersonate][:name]) : user = user = User.find_by(name: params[:impersonate][:name])
</pre>

=====G. Changes to fix the broken impersonate Navigation Bar=====
The broken part of this refactoring project, as compared to the previous year’s, was the Navigation bar on the top right part of the screen. As mentioned earlier, in order to impersonate we have two methods:
Using the Manage --> Impersonate User
Using the Navigation Bar.
However, as far as the previous submission goes, the Navigation bar’s functionality wasn’t complete. The aim of this refactoring is to also fix this and enable the impersonate functionality to work from there as well.
The previous submission broke while trying to use the Navigation bar for impersonation because of the wrong passage of params between the views and controllers. In order to make the impersonate from the Manage --> Impersonate User work, the form that was rendered was the expertiza/app/views/impersonate/start.html.erb. Here, the field filled was :user. And was then checkd for in the impersonate_controller.rb.
However, the Navigation Bar makes use of the :impersonate symbol to pass the impersonated user’s name and other details to the controller, for which no check was included earlier. Thus, there was no way to procure a user from the navigation bar. In the current submission this is fixed by including the following check in the impersonate_controller.rb/check_if_special_char:

The check_if_special_char is a function which checks if the Username entered is valid or not.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], “Username”)
redirect_back
return
end
end
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], “Username”)
redirect_back
return
end
end
end
</pre>
As you can see, in the above code snippet, there is a check for the :impersonate’s params, which earlier was missing(Refer [[#D. check_if_special_char|D. check_if_special_char]])

=== Test Plan ===
The UI testing of this project can be performed on three fronts:

#The normal impersonate functionality from the Manage tab and Revert functionality.
#The impersonate functionality using the navigation bar.
#The anonymized view's impersonate functionality(both from the Manage bar as well as the navigation bar).

You can use the following details of various users to test the heirarchies and the impersonations between them.

''Note: You cannot login as a super_administrator2, as the login details are unknown. However, we have included ways to test the inability for a lower hierarchy memeber to impersonate the super_administrator.''

{| class="wikitable"
|+ User details
! Hierarchy of user
! User account to enter

|-
! Super Administrator
| super_administrator2
|-
! Instructor
| intructor6
|-
|-
! TA
| teaching_assistant6753
|-
! Student
| student5890
|-
! Student
| student7609
|-
! Student
| student7610, 7603
|}

To test out the three fronts, follow the steps mentioned below under each sub-heading:

======A. Testing Impersonate functionality from the Manage tab and Revert functionality:======

Checking if impersonating a user is working
1. Input: User that can be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "student5890"
Now you will be able to see that user "student5890" has been impersonated.

[[File:imp test 1.jpg| figure 7| frame|center]]
[[File:imp test 2.jpg| figure 8| frame|center]]

[[File:imp test 4.jpg| figure 9| frame|center]]

2. Input: Reverting from impersonated account

We will have the user "student5890" impersonated.
- Press the blue revert button at the top of the window
Now you will have returned to the instructor profile

[[File:imp test 4.jpg| figure 10| frame|center]]
[[File:imp test 8.jpg| figure 11| frame|center]]

3. Input: User that cannot be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "super_administrator2"
Now you will be able to see a message being displayed on the screen, that tells that the given user cannot be impersonated.
[[File:imp test 6.jpg| figure 12| frame|center]]
[[File:imp test 5.jpg| figure 13| frame|center]]

4. Input: User that does not exist
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "studentstudent"
Now you will be able to see a message being displayed on the screen, that tells that the given user does not exist.
[[File:imp test 7.jpg| figure 14| frame|center]]
[[File:imp test 3.jpg| figure 15| frame|center]]

======B. Testing the impersonate functionality from the Navigation Bar:======

In order to perform the following testing:

1. Login as instructor using username: instructor6 and password: password.
2. Go on to the navigation bar on top right of the screen and enter student8598 and click on impersonate.
[[File: nav_bar1.png |1000px|]]

note: The above screenshot was captured after instructor6 impersonated student8597, you can also try to impersonate student8597

[[File: nav_bar2.png |1000px|]]

======C. Testing Anonymized View======
1.Login as instructor using username: instructor6 and password: password.
2.Go to Manage --> Anonymized view

[[File: Enter_anonymized_view.png |1000px|]]

3.Check for impersonate functionality using Manage --> Impersonate User with user account: student8597.

[[File: Manage_impersonate_anon.png |1000px|]]

[[File: manage_impersonated_user-anon.png |1000px|]]

4.Check for impersonate functionality using navigation bar on top right, with user account: student8598.

[[File: bar_anon.png |1000px|]]

[[File: bar_user_pg_anon.png |1000px|]]

=== Testing Functionalities from a RSPec end ===

======A. Testing Navigation Bar======
Instructor should be able to impersonate a user while already impersonating a user but from navigation bar.
This test is to ascertain the functionality of the user being able to impersonate another user(obeying hierarchy) through the navigation bar on the top right hand corner. This is to test the rectification of the previous issue, where this functionality was broken. Here, we test the functionality by first logging in as the instructor(id:2) and then first impersonating a student1 using the main menu’s Manage tab. This redirects us to the student1’s page. Now, from the navigation bar, we try to impersonate another student, student2. This test finally checks if the session is true and the parameters are correct.
<pre>
it 'instructor should be able to impersonate a user while already impersonating a user but from nav bar' do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(User).to receive(:find_by).with(name: student2.name).and_return(student2)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(instructor).to receive(:can_impersonate?).with(student2).and_return(true)
request.env["HTTP_REFERER"] = "http://www.example.com"
@params = { user: { name: student1.name } }
@session = { user: instructor }
post :impersonate, @params, @session
# nav bar uses the :impersonate as the param name, so let make sure it always works from there too.
@params = { impersonate: { name: student2.name } }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student2
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end
</pre>

======B. Testing Anonymized User======

This test verifies the functionality that is available with from the Anonymized view. It checks for the impersonation from both the ends - Through the Manage tab as well as the Navigation Bar.

<pre>
it ‘instructor should be able to impersonate a user with their anonymized name’ do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(User).to receive(:anonymized_view?).and_return(true)
allow(User).to receive(:real_user_from_anonymized_name).with(“Student30”).and_return(student1)
request.env[“HTTP_REFERER”] = “http://www.example.com”
@params = { user: { name: “Student30" } }
@session = { user: instructor }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student1
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end

</pre>

=== Useful Links ===
The following are the links to the useful pages in understanding this project(as of Spring 2021)
* [https://expertiza.csc.ncsu.edu/index.php/Expertiza_documentation] - General wiki describing the Expertiza project.
* [https://www.youtube.com/channel/UCdKXzox7hrWjfOMML6FzTWg/videos] - Youtube page to expertiza tasks.
* [https://github.com/expertiza/expertiza] - GitHub repo that maintains code for Expertiza.
* [https://expertiza.csc.ncsu.edu/index.php/Main_Page/CSC/CSC_517_Spring_2020_Refactor_impersonate_controller] - Spring 2020's wiki for the refactoring of impersonate controller.
* [https://github.com/expertiza/expertiza/pull/1687] - Spring 2020's pull request for the refactored impersonate controller.
* [https://github.com/expertiza/expertiza/pull/1907] - Pull request for the work done in Spring 2021.

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-20T01:50:47Z

Skrish28: /* B. Testing Anonymized User */

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-20T01:49:25Z

Skrish28: /* Testing Functionalities */

This wiki page describes the work done under E2018 OSS Program for Spring 2021, in the CSC/ECE 517 course.

===About Expertiza===

[http://expertiza.ncsu.edu/ Expertiza] is an open-source project based on [http://rubyonrails.org/ Ruby on Rails] framework. Expertiza is a complete instructor-student usage website where the instructor can assign assignments, deadlines, grades, etc that is required for the course. Similarly, the students can use this website to perform the tasks required as part of the course like project or assignments submission, forming groups and collaborating with them, as well as reviewing projects and teammates.

This project focuses on a specific feature of expertiza which allows administrators, instructors or teaching assistants to impersonate another user (like a student) and access their account.
The demonstration for the feature is as shown below.

[[File:Impersonate guide.jpg|figure 1|frame|center]]

[[File:Non impersonate.jpg|figure 2|frame|center]]

[[File:Impersonated view.jpg|figure 3|frame|center]]

===Problem Statement===
Expertiza allows administrators, instructors and Teaching Assistants to impersonate other users like a student. This allows the impersonator to view assignments, deadlines and submissions of other students.
The rules to impersonating a user is, the impersonator has to be an ancestor of the impersonate.
The hierarchy of impersonation is as follow:
super administrator -> Administrator -> Instructor -> Teaching Assistant -> Student
Note: impersonation cannot happen within the same level of hierarchy.
For Example, a Super Administrator can impersonate any user apart from other Super Administrators, an Administrator can impersonate Instructors, TA, Students and not other Admins and so on.
The aim of the project is to refactor the impersonate controller. The pre-existing code had the following major issues.

*All functions related to impersonate controller were present in a single method which is 79 lines long.

*Presence of repetitive code (Around 40 repetitive lines)
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
# Revert to original account
else
if !session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
else
flash[:error] = "No original account was found. Please close your browser and start a new session."
redirect_back
return
end
end
end

</pre>

*Block nesting
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>

* Too many return statements
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
</pre>

*The impersonation can be done by using an impersonate bar which currently does not allow initial impersonation.
[[File:impersonate.jpg]]

This project is focused on resolving the issues mentioned above.

===How Impersonating works?===
Basic login details: (Instructor login is only available) username -> instructor6, password -> password

When logged in as an instructor, under the manage option in the ribbon as in Figure 1, select impersonate user.
Upon redirected to impersonate page, enter the account which needs to be impersonated. It impersonates that user provided that user can be impersonated. Now a new button called revert appears on the ribbon as in figure 3, this can be used to revert the impersonation and return to the instructor profile.

===Problem Solution===
The above-mentioned issues have been tackled by refactoring the impersonate controller by splitting into many smaller methods which are later called by the main impersonate controller.

The following are the refactored new methods that help in tackling the issue1 apart from each being specifically for some issue rectification:
*check_if_user_impersonateable
*display_error_msg
*overwrite_session
*check_if_special_char
*do_main_operartion

=====A.check_if_user_impersonateable=====
This method plays the main role in tackling issue3 - 3 levels of block nesting apart from issue1.

'''Intial Code'''
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>
''' After recfactoring - Moved to separate method'''
<pre>
def check_if_user_impersonateable
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
if !@original_user.can_impersonate? user
@message = "You cannot impersonate '#{params[:user][:name]}'."
temp
AuthController.clear_user_info(session, nil)
else
overwrite_session
end
else
if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
overwrite_session
end
end
end
</pre>

=====B. display_error_msg=====
This method is used to tackle issues1, 2 and 4. All the error message related code is moved to this method.
<pre>
def display_error_msg
if params[:user]
@message = "No user exists with the name '#{params[:user][:name]}'."
elsif params[:impersonate]
@message = "No user exists with the name '#{params[:impersonate][:name]}'."
else
if params[:impersonate].nil?
@message = "You cannot impersonate '#{params[:user][:name]}'."
else
if !params[:impersonate][:name].empty?
@message = "You cannot impersonate '#{params[:impersonate][:name]}'."
else
@message = "No original account was found. Please close your browser and start a new session."
end
end
end
rescue Exception => e
flash[:error] = @message
redirect_to :back
end
</pre>

=====C.overwrite_session=====
This method reduces the number of return statements used in impersonate controller, apart from reducing the size of the controller.

'''Initial Code'''
<pre>
if params[:impersonate].nil?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:user][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:impersonate][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
</pre>
'''After Refactoring - Moved to a separate method and accessed through the adapter method do_main_operation'''
<pre>
def overwrite_session
#if not impersonatable, then original user's session remains
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = @original_user
session[:impersonate] = true
session[:user] = user
else
#if some user is to be impersonated, their session details are overwritten onto the current to impersonate

if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = @original_user
else
user = User.find_by(name: params[:user][:name])
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
end
end
end
</pre>

=====D. check_if_special_char=====
This code is used to reduce one functionality performed under the impersonate controller. This method checks to see if the given username is acceptable.
Older version consisted only of the following snippet of code.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
end
</pre>

In the current code, the following code is added to accomodate the navigation bar funcionality of impersonate.
<pre>
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
end
end
</pre>

=====E. do_main_operation=====
This like an adapter method that is used to interface the impersonate method with display_error_msg and check_if_user_impersonatable. One main purpose to do this is to make the methods flexible for change apart from reducing the number of lines from the impersonate controller.
<pre>
def do_main_operation(user)
if user
check_if_user_impersonateable
else
display_error_msg
end
end
</pre>

=====F. Changes made to implement Anonymized View=====
Initially, while using the anonymized view to impersonate the account: student8597, we received the following error.
[[File: anon_without_space_err.png|1000px]]
This occured as the following method was initially splitting the name using
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user_id = anonymized_name.split(' ’)[1]
user = User.find_by(id: user_id)
return user
end
</pre>
Thus while doing the above function, what happens is that the student’s name is searched for a space and the ID is obtained as the numerics after the space, which isn’t the case for our user’s names (eg: student8597). Thus we had to modify this method under app/models/user.rb to the following:
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user = User.find_by(name: anonymized_name)
return user
end
</pre>
In the above code snippet, what we are instead doing is, directly finding the user from the anonymized_name which in the errored case as in the figure above was ’’student8597'’.
Apart from these changes, we also had to include the following statements in various parts of the impersonate_controller.rb file to ensure the the previously written test for anonymous view doesn’t break anywhere.
<pre>
# E1991 : check whether instructor is currently in anonymized view
user = User.anonymized_view?(session[:ip]) ? User.real_user_from_anonymized_name(params[:impersonate][:name]) : user = user = User.find_by(name: params[:impersonate][:name])
</pre>

=====G. Changes to fix the broken impersonate Navigation Bar=====
The broken part of this refactoring project, as compared to the previous year’s, was the Navigation bar on the top right part of the screen. As mentioned earlier, in order to impersonate we have two methods:
Using the Manage --> Impersonate User
Using the Navigation Bar.
However, as far as the previous submission goes, the Navigation bar’s functionality wasn’t complete. The aim of this refactoring is to also fix this and enable the impersonate functionality to work from there as well.
The previous submission broke while trying to use the Navigation bar for impersonation because of the wrong passage of params between the views and controllers. In order to make the impersonate from the Manage --> Impersonate User work, the form that was rendered was the expertiza/app/views/impersonate/start.html.erb. Here, the field filled was :user. And was then checkd for in the impersonate_controller.rb.
However, the Navigation Bar makes use of the :impersonate symbol to pass the impersonated user’s name and other details to the controller, for which no check was included earlier. Thus, there was no way to procure a user from the navigation bar. In the current submission this is fixed by including the following check in the impersonate_controller.rb/check_if_special_char:

The check_if_special_char is a function which checks if the Username entered is valid or not.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], “Username”)
redirect_back
return
end
end
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], “Username”)
redirect_back
return
end
end
end
</pre>
As you can see, in the above code snippet, there is a check for the :impersonate’s params, which earlier was missing(Refer [[#D. check_if_special_char|D. check_if_special_char]])

=== Test Plan ===
The UI testing of this project can be performed on three fronts:

#The normal impersonate functionality from the Manage tab and Revert functionality.
#The impersonate functionality using the navigation bar.
#The anonymized view's impersonate functionality(both from the Manage bar as well as the navigation bar).

You can use the following details of various users to test the heirarchies and the impersonations between them.

''Note: You cannot login as a super_administrator2, as the login details are unknown. However, we have included ways to test the inability for a lower hierarchy memeber to impersonate the super_administrator.''

{| class="wikitable"
|+ User details
! Hierarchy of user
! User account to enter

|-
! Super Administrator
| super_administrator2
|-
! Instructor
| intructor6
|-
|-
! TA
| teaching_assistant6753
|-
! Student
| student5890
|-
! Student
| student7609
|-
! Student
| student7610, 7603
|}

To test out the three fronts, follow the steps mentioned below under each sub-heading:

======A. Testing Impersonate functionality from the Manage tab and Revert functionality:======

Checking if impersonating a user is working
1. Input: User that can be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "student5890"
Now you will be able to see that user "student5890" has been impersonated.

[[File:imp test 1.jpg| figure 7| frame|center]]
[[File:imp test 2.jpg| figure 8| frame|center]]

[[File:imp test 4.jpg| figure 9| frame|center]]

2. Input: Reverting from impersonated account

We will have the user "student5890" impersonated.
- Press the blue revert button at the top of the window
Now you will have returned to the instructor profile

[[File:imp test 4.jpg| figure 10| frame|center]]
[[File:imp test 8.jpg| figure 11| frame|center]]

3. Input: User that cannot be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "super_administrator2"
Now you will be able to see a message being displayed on the screen, that tells that the given user cannot be impersonated.
[[File:imp test 6.jpg| figure 12| frame|center]]
[[File:imp test 5.jpg| figure 13| frame|center]]

4. Input: User that does not exist
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "studentstudent"
Now you will be able to see a message being displayed on the screen, that tells that the given user does not exist.
[[File:imp test 7.jpg| figure 14| frame|center]]
[[File:imp test 3.jpg| figure 15| frame|center]]

======B. Testing the impersonate functionality from the Navigation Bar:======

In order to perform the following testing:

1. Login as instructor using username: instructor6 and password: password.
2. Go on to the navigation bar on top right of the screen and enter student8598 and click on impersonate.
[[File: nav_bar1.png |1000px|]]

note: The above screenshot was captured after instructor6 impersonated student8597, you can also try to impersonate student8597

[[File: nav_bar2.png |1000px|]]

======C. Testing Anonymized View======
1.Login as instructor using username: instructor6 and password: password.
2.Go to Manage --> Anonymized view

[[File: Enter_anonymized_view.png |1000px|]]

3.Check for impersonate functionality using Manage --> Impersonate User with user account: student8597.

[[File: Manage_impersonate_anon.png |1000px|]]

[[File: manage_impersonated_user-anon.png |1000px|]]

4.Check for impersonate functionality using navigation bar on top right, with user account: student8598.

[[File: bar_anon.png |1000px|]]

[[File: bar_user_pg_anon.png |1000px|]]

=== Testing Functionalities from a RSPec end ===

======A. Testing Navigation Bar======
Instructor should be able to impersonate a user while already impersonating a user but from navigation bar.
This test is to ascertain the functionality of the user being able to impersonate another user(obeying hierarchy) through the navigation bar on the top right hand corner. This is to test the rectification of the previous issue, where this functionality was broken. Here, we test the functionality by first logging in as the instructor(id:2) and then first impersonating a student1 using the main menu’s Manage tab. This redirects us to the student1’s page. Now, from the navigation bar, we try to impersonate another student, student2. This test finally checks if the session is true and the parameters are correct.
<pre>
it 'instructor should be able to impersonate a user while already impersonating a user but from nav bar' do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(User).to receive(:find_by).with(name: student2.name).and_return(student2)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(instructor).to receive(:can_impersonate?).with(student2).and_return(true)
request.env["HTTP_REFERER"] = "http://www.example.com"
@params = { user: { name: student1.name } }
@session = { user: instructor }
post :impersonate, @params, @session
# nav bar uses the :impersonate as the param name, so let make sure it always works from there too.
@params = { impersonate: { name: student2.name } }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student2
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end
</pre>

======B. Testing Anonymized User======

<pre>
it ‘instructor should be able to impersonate a user with their anonymized name’ do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(User).to receive(:anonymized_view?).and_return(true)
allow(User).to receive(:real_user_from_anonymized_name).with(“Student30”).and_return(student1)
request.env[“HTTP_REFERER”] = “http://www.example.com”
@params = { user: { name: “Student30" } }
@session = { user: instructor }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student1
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end

</pre>

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-20T01:48:47Z

Skrish28: /* Problem Solution */

This wiki page describes the work done under E2018 OSS Program for Spring 2021, in the CSC/ECE 517 course.

===About Expertiza===

[http://expertiza.ncsu.edu/ Expertiza] is an open-source project based on [http://rubyonrails.org/ Ruby on Rails] framework. Expertiza is a complete instructor-student usage website where the instructor can assign assignments, deadlines, grades, etc that is required for the course. Similarly, the students can use this website to perform the tasks required as part of the course like project or assignments submission, forming groups and collaborating with them, as well as reviewing projects and teammates.

This project focuses on a specific feature of expertiza which allows administrators, instructors or teaching assistants to impersonate another user (like a student) and access their account.
The demonstration for the feature is as shown below.

[[File:Impersonate guide.jpg|figure 1|frame|center]]

[[File:Non impersonate.jpg|figure 2|frame|center]]

[[File:Impersonated view.jpg|figure 3|frame|center]]

===Problem Statement===
Expertiza allows administrators, instructors and Teaching Assistants to impersonate other users like a student. This allows the impersonator to view assignments, deadlines and submissions of other students.
The rules to impersonating a user is, the impersonator has to be an ancestor of the impersonate.
The hierarchy of impersonation is as follow:
super administrator -> Administrator -> Instructor -> Teaching Assistant -> Student
Note: impersonation cannot happen within the same level of hierarchy.
For Example, a Super Administrator can impersonate any user apart from other Super Administrators, an Administrator can impersonate Instructors, TA, Students and not other Admins and so on.
The aim of the project is to refactor the impersonate controller. The pre-existing code had the following major issues.

*All functions related to impersonate controller were present in a single method which is 79 lines long.

*Presence of repetitive code (Around 40 repetitive lines)
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
# Revert to original account
else
if !session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
else
flash[:error] = "No original account was found. Please close your browser and start a new session."
redirect_back
return
end
end
end

</pre>

*Block nesting
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>

* Too many return statements
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
</pre>

*The impersonation can be done by using an impersonate bar which currently does not allow initial impersonation.
[[File:impersonate.jpg]]

This project is focused on resolving the issues mentioned above.

===How Impersonating works?===
Basic login details: (Instructor login is only available) username -> instructor6, password -> password

When logged in as an instructor, under the manage option in the ribbon as in Figure 1, select impersonate user.
Upon redirected to impersonate page, enter the account which needs to be impersonated. It impersonates that user provided that user can be impersonated. Now a new button called revert appears on the ribbon as in figure 3, this can be used to revert the impersonation and return to the instructor profile.

===Problem Solution===
The above-mentioned issues have been tackled by refactoring the impersonate controller by splitting into many smaller methods which are later called by the main impersonate controller.

The following are the refactored new methods that help in tackling the issue1 apart from each being specifically for some issue rectification:
*check_if_user_impersonateable
*display_error_msg
*overwrite_session
*check_if_special_char
*do_main_operartion

=====A.check_if_user_impersonateable=====
This method plays the main role in tackling issue3 - 3 levels of block nesting apart from issue1.

'''Intial Code'''
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>
''' After recfactoring - Moved to separate method'''
<pre>
def check_if_user_impersonateable
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
if !@original_user.can_impersonate? user
@message = "You cannot impersonate '#{params[:user][:name]}'."
temp
AuthController.clear_user_info(session, nil)
else
overwrite_session
end
else
if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
overwrite_session
end
end
end
</pre>

=====B. display_error_msg=====
This method is used to tackle issues1, 2 and 4. All the error message related code is moved to this method.
<pre>
def display_error_msg
if params[:user]
@message = "No user exists with the name '#{params[:user][:name]}'."
elsif params[:impersonate]
@message = "No user exists with the name '#{params[:impersonate][:name]}'."
else
if params[:impersonate].nil?
@message = "You cannot impersonate '#{params[:user][:name]}'."
else
if !params[:impersonate][:name].empty?
@message = "You cannot impersonate '#{params[:impersonate][:name]}'."
else
@message = "No original account was found. Please close your browser and start a new session."
end
end
end
rescue Exception => e
flash[:error] = @message
redirect_to :back
end
</pre>

=====C.overwrite_session=====
This method reduces the number of return statements used in impersonate controller, apart from reducing the size of the controller.

'''Initial Code'''
<pre>
if params[:impersonate].nil?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:user][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:impersonate][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
</pre>
'''After Refactoring - Moved to a separate method and accessed through the adapter method do_main_operation'''
<pre>
def overwrite_session
#if not impersonatable, then original user's session remains
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = @original_user
session[:impersonate] = true
session[:user] = user
else
#if some user is to be impersonated, their session details are overwritten onto the current to impersonate

if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = @original_user
else
user = User.find_by(name: params[:user][:name])
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
end
end
end
</pre>

=====D. check_if_special_char=====
This code is used to reduce one functionality performed under the impersonate controller. This method checks to see if the given username is acceptable.
Older version consisted only of the following snippet of code.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
end
</pre>

In the current code, the following code is added to accomodate the navigation bar funcionality of impersonate.
<pre>
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
end
end
</pre>

=====E. do_main_operation=====
This like an adapter method that is used to interface the impersonate method with display_error_msg and check_if_user_impersonatable. One main purpose to do this is to make the methods flexible for change apart from reducing the number of lines from the impersonate controller.
<pre>
def do_main_operation(user)
if user
check_if_user_impersonateable
else
display_error_msg
end
end
</pre>

=====F. Changes made to implement Anonymized View=====
Initially, while using the anonymized view to impersonate the account: student8597, we received the following error.
[[File: anon_without_space_err.png|1000px]]
This occured as the following method was initially splitting the name using
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user_id = anonymized_name.split(' ’)[1]
user = User.find_by(id: user_id)
return user
end
</pre>
Thus while doing the above function, what happens is that the student’s name is searched for a space and the ID is obtained as the numerics after the space, which isn’t the case for our user’s names (eg: student8597). Thus we had to modify this method under app/models/user.rb to the following:
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user = User.find_by(name: anonymized_name)
return user
end
</pre>
In the above code snippet, what we are instead doing is, directly finding the user from the anonymized_name which in the errored case as in the figure above was ’’student8597'’.
Apart from these changes, we also had to include the following statements in various parts of the impersonate_controller.rb file to ensure the the previously written test for anonymous view doesn’t break anywhere.
<pre>
# E1991 : check whether instructor is currently in anonymized view
user = User.anonymized_view?(session[:ip]) ? User.real_user_from_anonymized_name(params[:impersonate][:name]) : user = user = User.find_by(name: params[:impersonate][:name])
</pre>

=====G. Changes to fix the broken impersonate Navigation Bar=====
The broken part of this refactoring project, as compared to the previous year’s, was the Navigation bar on the top right part of the screen. As mentioned earlier, in order to impersonate we have two methods:
Using the Manage --> Impersonate User
Using the Navigation Bar.
However, as far as the previous submission goes, the Navigation bar’s functionality wasn’t complete. The aim of this refactoring is to also fix this and enable the impersonate functionality to work from there as well.
The previous submission broke while trying to use the Navigation bar for impersonation because of the wrong passage of params between the views and controllers. In order to make the impersonate from the Manage --> Impersonate User work, the form that was rendered was the expertiza/app/views/impersonate/start.html.erb. Here, the field filled was :user. And was then checkd for in the impersonate_controller.rb.
However, the Navigation Bar makes use of the :impersonate symbol to pass the impersonated user’s name and other details to the controller, for which no check was included earlier. Thus, there was no way to procure a user from the navigation bar. In the current submission this is fixed by including the following check in the impersonate_controller.rb/check_if_special_char:

The check_if_special_char is a function which checks if the Username entered is valid or not.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], “Username”)
redirect_back
return
end
end
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], “Username”)
redirect_back
return
end
end
end
</pre>
As you can see, in the above code snippet, there is a check for the :impersonate’s params, which earlier was missing(Refer [[#D. check_if_special_char|D. check_if_special_char]])

=== Test Plan ===
The UI testing of this project can be performed on three fronts:

#The normal impersonate functionality from the Manage tab and Revert functionality.
#The impersonate functionality using the navigation bar.
#The anonymized view's impersonate functionality(both from the Manage bar as well as the navigation bar).

You can use the following details of various users to test the heirarchies and the impersonations between them.

''Note: You cannot login as a super_administrator2, as the login details are unknown. However, we have included ways to test the inability for a lower hierarchy memeber to impersonate the super_administrator.''

{| class="wikitable"
|+ User details
! Hierarchy of user
! User account to enter

|-
! Super Administrator
| super_administrator2
|-
! Instructor
| intructor6
|-
|-
! TA
| teaching_assistant6753
|-
! Student
| student5890
|-
! Student
| student7609
|-
! Student
| student7610, 7603
|}

To test out the three fronts, follow the steps mentioned below under each sub-heading:

======A. Testing Impersonate functionality from the Manage tab and Revert functionality:======

Checking if impersonating a user is working
1. Input: User that can be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "student5890"
Now you will be able to see that user "student5890" has been impersonated.

[[File:imp test 1.jpg| figure 7| frame|center]]
[[File:imp test 2.jpg| figure 8| frame|center]]

[[File:imp test 4.jpg| figure 9| frame|center]]

2. Input: Reverting from impersonated account

We will have the user "student5890" impersonated.
- Press the blue revert button at the top of the window
Now you will have returned to the instructor profile

[[File:imp test 4.jpg| figure 10| frame|center]]
[[File:imp test 8.jpg| figure 11| frame|center]]

3. Input: User that cannot be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "super_administrator2"
Now you will be able to see a message being displayed on the screen, that tells that the given user cannot be impersonated.
[[File:imp test 6.jpg| figure 12| frame|center]]
[[File:imp test 5.jpg| figure 13| frame|center]]

4. Input: User that does not exist
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "studentstudent"
Now you will be able to see a message being displayed on the screen, that tells that the given user does not exist.
[[File:imp test 7.jpg| figure 14| frame|center]]
[[File:imp test 3.jpg| figure 15| frame|center]]

======B. Testing the impersonate functionality from the Navigation Bar:======

In order to perform the following testing:

1. Login as instructor using username: instructor6 and password: password.
2. Go on to the navigation bar on top right of the screen and enter student8598 and click on impersonate.
[[File: nav_bar1.png |1000px|]]

note: The above screenshot was captured after instructor6 impersonated student8597, you can also try to impersonate student8597

[[File: nav_bar2.png |1000px|]]

======C. Testing Anonymized View======
1.Login as instructor using username: instructor6 and password: password.
2.Go to Manage --> Anonymized view

[[File: Enter_anonymized_view.png |1000px|]]

3.Check for impersonate functionality using Manage --> Impersonate User with user account: student8597.

[[File: Manage_impersonate_anon.png |1000px|]]

[[File: manage_impersonated_user-anon.png |1000px|]]

4.Check for impersonate functionality using navigation bar on top right, with user account: student8598.

[[File: bar_anon.png |1000px|]]

[[File: bar_user_pg_anon.png |1000px|]]

=== Testing Functionalities ===

======A. Testing Navigation Bar======
Instructor should be able to impersonate a user while already impersonating a user but from navigation bar.
This test is to ascertain the functionality of the user being able to impersonate another user(obeying hierarchy) through the navigation bar on the top right hand corner. This is to test the rectification of the previous issue, where this functionality was broken. Here, we test the functionality by first logging in as the instructor(id:2) and then first impersonating a student1 using the main menu’s Manage tab. This redirects us to the student1’s page. Now, from the navigation bar, we try to impersonate another student, student2. This test finally checks if the session is true and the parameters are correct.
<pre>
it 'instructor should be able to impersonate a user while already impersonating a user but from nav bar' do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(User).to receive(:find_by).with(name: student2.name).and_return(student2)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(instructor).to receive(:can_impersonate?).with(student2).and_return(true)
request.env["HTTP_REFERER"] = "http://www.example.com"
@params = { user: { name: student1.name } }
@session = { user: instructor }
post :impersonate, @params, @session
# nav bar uses the :impersonate as the param name, so let make sure it always works from there too.
@params = { impersonate: { name: student2.name } }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student2
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end
</pre>

======B. Testing Anonymized User======

<pre>
it ‘instructor should be able to impersonate a user with their anonymized name’ do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(User).to receive(:anonymized_view?).and_return(true)
allow(User).to receive(:real_user_from_anonymized_name).with(“Student30”).and_return(student1)
request.env[“HTTP_REFERER”] = “http://www.example.com”
@params = { user: { name: “Student30" } }
@session = { user: instructor }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student1
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end

</pre>

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-20T01:48:11Z

Skrish28: /* Problem Solution */

This wiki page describes the work done under E2018 OSS Program for Spring 2021, in the CSC/ECE 517 course.

===About Expertiza===

[http://expertiza.ncsu.edu/ Expertiza] is an open-source project based on [http://rubyonrails.org/ Ruby on Rails] framework. Expertiza is a complete instructor-student usage website where the instructor can assign assignments, deadlines, grades, etc that is required for the course. Similarly, the students can use this website to perform the tasks required as part of the course like project or assignments submission, forming groups and collaborating with them, as well as reviewing projects and teammates.

This project focuses on a specific feature of expertiza which allows administrators, instructors or teaching assistants to impersonate another user (like a student) and access their account.
The demonstration for the feature is as shown below.

[[File:Impersonate guide.jpg|figure 1|frame|center]]

[[File:Non impersonate.jpg|figure 2|frame|center]]

[[File:Impersonated view.jpg|figure 3|frame|center]]

===Problem Statement===
Expertiza allows administrators, instructors and Teaching Assistants to impersonate other users like a student. This allows the impersonator to view assignments, deadlines and submissions of other students.
The rules to impersonating a user is, the impersonator has to be an ancestor of the impersonate.
The hierarchy of impersonation is as follow:
super administrator -> Administrator -> Instructor -> Teaching Assistant -> Student
Note: impersonation cannot happen within the same level of hierarchy.
For Example, a Super Administrator can impersonate any user apart from other Super Administrators, an Administrator can impersonate Instructors, TA, Students and not other Admins and so on.
The aim of the project is to refactor the impersonate controller. The pre-existing code had the following major issues.

*All functions related to impersonate controller were present in a single method which is 79 lines long.

*Presence of repetitive code (Around 40 repetitive lines)
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
# Revert to original account
else
if !session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
else
flash[:error] = "No original account was found. Please close your browser and start a new session."
redirect_back
return
end
end
end

</pre>

*Block nesting
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>

* Too many return statements
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
</pre>

*The impersonation can be done by using an impersonate bar which currently does not allow initial impersonation.
[[File:impersonate.jpg]]

This project is focused on resolving the issues mentioned above.

===How Impersonating works?===
Basic login details: (Instructor login is only available) username -> instructor6, password -> password

When logged in as an instructor, under the manage option in the ribbon as in Figure 1, select impersonate user.
Upon redirected to impersonate page, enter the account which needs to be impersonated. It impersonates that user provided that user can be impersonated. Now a new button called revert appears on the ribbon as in figure 3, this can be used to revert the impersonation and return to the instructor profile.

===Problem Solution===
The above-mentioned issues have been tackled by refactoring the impersonate controller by splitting into many smaller methods which are later called by the main impersonate controller.

The following are the refactored new methods that help in tackling the issue1 apart from each being specifically for some issue rectification:
*check_if_user_impersonateable
*display_error_msg
*overwrite_session
*check_if_special_char
*do_main_operartion

=====A.check_if_user_impersonateable=====
This method plays the main role in tackling issue3 - 3 levels of block nesting apart from issue1.

'''Intial Code'''
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>
''' After recfactoring - Moved to separate method'''
<pre>
def check_if_user_impersonateable
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
if !@original_user.can_impersonate? user
@message = "You cannot impersonate '#{params[:user][:name]}'."
temp
AuthController.clear_user_info(session, nil)
else
overwrite_session
end
else
if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
overwrite_session
end
end
end
</pre>

=====B. display_error_msg=====
This method is used to tackle issues1, 2 and 4. All the error message related code is moved to this method.
<pre>
def display_error_msg
if params[:user]
@message = "No user exists with the name '#{params[:user][:name]}'."
elsif params[:impersonate]
@message = "No user exists with the name '#{params[:impersonate][:name]}'."
else
if params[:impersonate].nil?
@message = "You cannot impersonate '#{params[:user][:name]}'."
else
if !params[:impersonate][:name].empty?
@message = "You cannot impersonate '#{params[:impersonate][:name]}'."
else
@message = "No original account was found. Please close your browser and start a new session."
end
end
end
rescue Exception => e
flash[:error] = @message
redirect_to :back
end
</pre>

=====C.overwrite_session=====
This method reduces the number of return statements used in impersonate controller, apart from reducing the size of the controller.

'''Initial Code'''
<pre>
if params[:impersonate].nil?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:user][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:impersonate][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
</pre>
'''After Refactoring - Moved to a separate method and accessed through the adapter method do_main_operation'''
<pre>
def overwrite_session
#if not impersonatable, then original user's session remains
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = @original_user
session[:impersonate] = true
session[:user] = user
else
#if some user is to be impersonated, their session details are overwritten onto the current to impersonate

if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = @original_user
else
user = User.find_by(name: params[:user][:name])
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
end
end
end
</pre>

=====D. check_if_special_char=====
This code is used to reduce one functionality performed under the impersonate controller. This method checks to see if the given username is acceptable.
Older version consisted only of the following snippet of code.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
end
</pre>

In the current code, the following code is added to accomodate the navigation bar funcionality of impersonate.
<pre>
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
end
end
</pre>

=====E. do_main_operation=====
This like an adapter method that is used to interface the impersonate method with display_error_msg and check_if_user_impersonatable. One main purpose to do this is to make the methods flexible for change apart from reducing the number of lines from the impersonate controller.
<pre>
def do_main_operation(user)
if user
check_if_user_impersonateable
else
display_error_msg
end
end
</pre>

=====F. Changes made to implement Anonymized View=====
Initially, while using the anonymized view to impersonate the account: student8597, we received the following error.
[[File: anon_without_space_err.png|1000px]]
This occured as the following method was initially splitting the name using
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user_id = anonymized_name.split(' ’)[1]
user = User.find_by(id: user_id)
return user
end
</pre>
Thus while doing the above function, what happens is that the student’s name is searched for a space and the ID is obtained as the numerics after the space, which isn’t the case for our user’s names (eg: student8597). Thus we had to modify this method under app/models/user.rb to the following:
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user = User.find_by(name: anonymized_name)
return user
end
</pre>
In the above code snippet, what we are instead doing is, directly finding the user from the anonymized_name which in the errored case as in the figure above was ’’student8597'’.
Apart from these changes, we also had to include the following statements in various parts of the impersonate_controller.rb file to ensure the the previously written test for anonymous view doesn’t break anywhere.
<pre>
# E1991 : check whether instructor is currently in anonymized view
user = User.anonymized_view?(session[:ip]) ? User.real_user_from_anonymized_name(params[:impersonate][:name]) : user = user = User.find_by(name: params[:impersonate][:name])
</pre>

======G. Changes to fix the broken impersonate Navigation Bar======
The broken part of this refactoring project, as compared to the previous year’s, was the Navigation bar on the top right part of the screen. As mentioned earlier, in order to impersonate we have two methods:
Using the Manage --> Impersonate User
Using the Navigation Bar.
However, as far as the previous submission goes, the Navigation bar’s functionality wasn’t complete. The aim of this refactoring is to also fix this and enable the impersonate functionality to work from there as well.
The previous submission broke while trying to use the Navigation bar for impersonation because of the wrong passage of params between the views and controllers. In order to make the impersonate from the Manage --> Impersonate User work, the form that was rendered was the expertiza/app/views/impersonate/start.html.erb. Here, the field filled was :user. And was then checkd for in the impersonate_controller.rb.
However, the Navigation Bar makes use of the :impersonate symbol to pass the impersonated user’s name and other details to the controller, for which no check was included earlier. Thus, there was no way to procure a user from the navigation bar. In the current submission this is fixed by including the following check in the impersonate_controller.rb/check_if_special_char:

The check_if_special_char is a function which checks if the Username entered is valid or not.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], “Username”)
redirect_back
return
end
end
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], “Username”)
redirect_back
return
end
end
end
</pre>
As you can see, in the above code snippet, there is a check for the :impersonate’s params, which earlier was missing(Refer [[#D. check_if_special_char|D. check_if_special_char]])

=== Test Plan ===
The UI testing of this project can be performed on three fronts:

#The normal impersonate functionality from the Manage tab and Revert functionality.
#The impersonate functionality using the navigation bar.
#The anonymized view's impersonate functionality(both from the Manage bar as well as the navigation bar).

You can use the following details of various users to test the heirarchies and the impersonations between them.

''Note: You cannot login as a super_administrator2, as the login details are unknown. However, we have included ways to test the inability for a lower hierarchy memeber to impersonate the super_administrator.''

{| class="wikitable"
|+ User details
! Hierarchy of user
! User account to enter

|-
! Super Administrator
| super_administrator2
|-
! Instructor
| intructor6
|-
|-
! TA
| teaching_assistant6753
|-
! Student
| student5890
|-
! Student
| student7609
|-
! Student
| student7610, 7603
|}

To test out the three fronts, follow the steps mentioned below under each sub-heading:

======A. Testing Impersonate functionality from the Manage tab and Revert functionality:======

Checking if impersonating a user is working
1. Input: User that can be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "student5890"
Now you will be able to see that user "student5890" has been impersonated.

[[File:imp test 1.jpg| figure 7| frame|center]]
[[File:imp test 2.jpg| figure 8| frame|center]]

[[File:imp test 4.jpg| figure 9| frame|center]]

2. Input: Reverting from impersonated account

We will have the user "student5890" impersonated.
- Press the blue revert button at the top of the window
Now you will have returned to the instructor profile

[[File:imp test 4.jpg| figure 10| frame|center]]
[[File:imp test 8.jpg| figure 11| frame|center]]

3. Input: User that cannot be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "super_administrator2"
Now you will be able to see a message being displayed on the screen, that tells that the given user cannot be impersonated.
[[File:imp test 6.jpg| figure 12| frame|center]]
[[File:imp test 5.jpg| figure 13| frame|center]]

4. Input: User that does not exist
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "studentstudent"
Now you will be able to see a message being displayed on the screen, that tells that the given user does not exist.
[[File:imp test 7.jpg| figure 14| frame|center]]
[[File:imp test 3.jpg| figure 15| frame|center]]

======B. Testing the impersonate functionality from the Navigation Bar:======

In order to perform the following testing:

1. Login as instructor using username: instructor6 and password: password.
2. Go on to the navigation bar on top right of the screen and enter student8598 and click on impersonate.
[[File: nav_bar1.png |1000px|]]

note: The above screenshot was captured after instructor6 impersonated student8597, you can also try to impersonate student8597

[[File: nav_bar2.png |1000px|]]

======C. Testing Anonymized View======
1.Login as instructor using username: instructor6 and password: password.
2.Go to Manage --> Anonymized view

[[File: Enter_anonymized_view.png |1000px|]]

3.Check for impersonate functionality using Manage --> Impersonate User with user account: student8597.

[[File: Manage_impersonate_anon.png |1000px|]]

[[File: manage_impersonated_user-anon.png |1000px|]]

4.Check for impersonate functionality using navigation bar on top right, with user account: student8598.

[[File: bar_anon.png |1000px|]]

[[File: bar_user_pg_anon.png |1000px|]]

=== Testing Functionalities ===

======A. Testing Navigation Bar======
Instructor should be able to impersonate a user while already impersonating a user but from navigation bar.
This test is to ascertain the functionality of the user being able to impersonate another user(obeying hierarchy) through the navigation bar on the top right hand corner. This is to test the rectification of the previous issue, where this functionality was broken. Here, we test the functionality by first logging in as the instructor(id:2) and then first impersonating a student1 using the main menu’s Manage tab. This redirects us to the student1’s page. Now, from the navigation bar, we try to impersonate another student, student2. This test finally checks if the session is true and the parameters are correct.
<pre>
it 'instructor should be able to impersonate a user while already impersonating a user but from nav bar' do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(User).to receive(:find_by).with(name: student2.name).and_return(student2)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(instructor).to receive(:can_impersonate?).with(student2).and_return(true)
request.env["HTTP_REFERER"] = "http://www.example.com"
@params = { user: { name: student1.name } }
@session = { user: instructor }
post :impersonate, @params, @session
# nav bar uses the :impersonate as the param name, so let make sure it always works from there too.
@params = { impersonate: { name: student2.name } }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student2
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end
</pre>

======B. Testing Anonymized User======

<pre>
it ‘instructor should be able to impersonate a user with their anonymized name’ do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(User).to receive(:anonymized_view?).and_return(true)
allow(User).to receive(:real_user_from_anonymized_name).with(“Student30”).and_return(student1)
request.env[“HTTP_REFERER”] = “http://www.example.com”
@params = { user: { name: “Student30" } }
@session = { user: instructor }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student1
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end

</pre>

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-20T01:47:47Z

Skrish28: /* F. Changes made to implement Anonymized View */

This wiki page describes the work done under E2018 OSS Program for Spring 2021, in the CSC/ECE 517 course.

===About Expertiza===

[http://expertiza.ncsu.edu/ Expertiza] is an open-source project based on [http://rubyonrails.org/ Ruby on Rails] framework. Expertiza is a complete instructor-student usage website where the instructor can assign assignments, deadlines, grades, etc that is required for the course. Similarly, the students can use this website to perform the tasks required as part of the course like project or assignments submission, forming groups and collaborating with them, as well as reviewing projects and teammates.

This project focuses on a specific feature of expertiza which allows administrators, instructors or teaching assistants to impersonate another user (like a student) and access their account.
The demonstration for the feature is as shown below.

[[File:Impersonate guide.jpg|figure 1|frame|center]]

[[File:Non impersonate.jpg|figure 2|frame|center]]

[[File:Impersonated view.jpg|figure 3|frame|center]]

===Problem Statement===
Expertiza allows administrators, instructors and Teaching Assistants to impersonate other users like a student. This allows the impersonator to view assignments, deadlines and submissions of other students.
The rules to impersonating a user is, the impersonator has to be an ancestor of the impersonate.
The hierarchy of impersonation is as follow:
super administrator -> Administrator -> Instructor -> Teaching Assistant -> Student
Note: impersonation cannot happen within the same level of hierarchy.
For Example, a Super Administrator can impersonate any user apart from other Super Administrators, an Administrator can impersonate Instructors, TA, Students and not other Admins and so on.
The aim of the project is to refactor the impersonate controller. The pre-existing code had the following major issues.

*All functions related to impersonate controller were present in a single method which is 79 lines long.

*Presence of repetitive code (Around 40 repetitive lines)
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
# Revert to original account
else
if !session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
else
flash[:error] = "No original account was found. Please close your browser and start a new session."
redirect_back
return
end
end
end

</pre>

*Block nesting
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>

* Too many return statements
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
</pre>

*The impersonation can be done by using an impersonate bar which currently does not allow initial impersonation.
[[File:impersonate.jpg]]

This project is focused on resolving the issues mentioned above.

===How Impersonating works?===
Basic login details: (Instructor login is only available) username -> instructor6, password -> password

When logged in as an instructor, under the manage option in the ribbon as in Figure 1, select impersonate user.
Upon redirected to impersonate page, enter the account which needs to be impersonated. It impersonates that user provided that user can be impersonated. Now a new button called revert appears on the ribbon as in figure 3, this can be used to revert the impersonation and return to the instructor profile.

===Problem Solution===
The above-mentioned issues have been tackled by refactoring the impersonate controller by splitting into many smaller methods which are later called by the main impersonate controller.

The following are the refactored new methods that help in tackling the issue1 apart from each being specifically for some issue rectification:
*check_if_user_impersonateable
*display_error_msg
*overwrite_session
*check_if_special_char
*do_main_operartion

=====A.check_if_user_impersonateable=====
This method plays the main role in tackling issue3 - 3 levels of block nesting apart from issue1.

'''Intial Code'''
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>
''' After recfactoring - Moved to separate method'''
<pre>
def check_if_user_impersonateable
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
if !@original_user.can_impersonate? user
@message = "You cannot impersonate '#{params[:user][:name]}'."
temp
AuthController.clear_user_info(session, nil)
else
overwrite_session
end
else
if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
overwrite_session
end
end
end
</pre>

=====B. display_error_msg=====
This method is used to tackle issues1, 2 and 4. All the error message related code is moved to this method.
<pre>
def display_error_msg
if params[:user]
@message = "No user exists with the name '#{params[:user][:name]}'."
elsif params[:impersonate]
@message = "No user exists with the name '#{params[:impersonate][:name]}'."
else
if params[:impersonate].nil?
@message = "You cannot impersonate '#{params[:user][:name]}'."
else
if !params[:impersonate][:name].empty?
@message = "You cannot impersonate '#{params[:impersonate][:name]}'."
else
@message = "No original account was found. Please close your browser and start a new session."
end
end
end
rescue Exception => e
flash[:error] = @message
redirect_to :back
end
</pre>

=====C.overwrite_session=====
This method reduces the number of return statements used in impersonate controller, apart from reducing the size of the controller.

'''Initial Code'''
<pre>
if params[:impersonate].nil?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:user][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:impersonate][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
</pre>
'''After Refactoring - Moved to a separate method and accessed through the adapter method do_main_operation'''
<pre>
def overwrite_session
#if not impersonatable, then original user's session remains
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = @original_user
session[:impersonate] = true
session[:user] = user
else
#if some user is to be impersonated, their session details are overwritten onto the current to impersonate

if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = @original_user
else
user = User.find_by(name: params[:user][:name])
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
end
end
end
</pre>

=====D. check_if_special_char=====
This code is used to reduce one functionality performed under the impersonate controller. This method checks to see if the given username is acceptable.
Older version consisted only of the following snippet of code.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
end
</pre>

In the current code, the following code is added to accomodate the navigation bar funcionality of impersonate.
<pre>
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
end
end
</pre>

=====E. do_main_operation=====
This like an adapter method that is used to interface the impersonate method with display_error_msg and check_if_user_impersonatable. One main purpose to do this is to make the methods flexible for change apart from reducing the number of lines from the impersonate controller.
<pre>
def do_main_operation(user)
if user
check_if_user_impersonateable
else
display_error_msg
end
end
</pre>

=====F. Changes made to implement Anonymized View=====
Initially, while using the anonymized view to impersonate the account: student8597, we received the following error.
[[File: anon_without_space_err.png|1000px]]
This occured as the following method was initially splitting the name using
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user_id = anonymized_name.split(' ’)[1]
user = User.find_by(id: user_id)
return user
end
</pre>
Thus while doing the above function, what happens is that the student’s name is searched for a space and the ID is obtained as the numerics after the space, which isn’t the case for our user’s names (eg: student8597). Thus we had to modify this method under app/models/user.rb to the following:
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user = User.find_by(name: anonymized_name)
return user
end
</pre>
In the above code snippet, what we are instead doing is, directly finding the user from the anonymized_name which in the errored case as in the figure above was ’’student8597'’.
Apart from these changes, we also had to include the following statements in various parts of the impersonate_controller.rb file to ensure the the previously written test for anonymous view doesn’t break anywhere.
<pre>
# E1991 : check whether instructor is currently in anonymized view
user = User.anonymized_view?(session[:ip]) ? User.real_user_from_anonymized_name(params[:impersonate][:name]) : user = user = User.find_by(name: params[:impersonate][:name])
</pre>

=== Test Plan ===
The UI testing of this project can be performed on three fronts:

#The normal impersonate functionality from the Manage tab and Revert functionality.
#The impersonate functionality using the navigation bar.
#The anonymized view's impersonate functionality(both from the Manage bar as well as the navigation bar).

You can use the following details of various users to test the heirarchies and the impersonations between them.

''Note: You cannot login as a super_administrator2, as the login details are unknown. However, we have included ways to test the inability for a lower hierarchy memeber to impersonate the super_administrator.''

{| class="wikitable"
|+ User details
! Hierarchy of user
! User account to enter

|-
! Super Administrator
| super_administrator2
|-
! Instructor
| intructor6
|-
|-
! TA
| teaching_assistant6753
|-
! Student
| student5890
|-
! Student
| student7609
|-
! Student
| student7610, 7603
|}

To test out the three fronts, follow the steps mentioned below under each sub-heading:

======A. Testing Impersonate functionality from the Manage tab and Revert functionality:======

Checking if impersonating a user is working
1. Input: User that can be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "student5890"
Now you will be able to see that user "student5890" has been impersonated.

[[File:imp test 1.jpg| figure 7| frame|center]]
[[File:imp test 2.jpg| figure 8| frame|center]]

[[File:imp test 4.jpg| figure 9| frame|center]]

2. Input: Reverting from impersonated account

We will have the user "student5890" impersonated.
- Press the blue revert button at the top of the window
Now you will have returned to the instructor profile

[[File:imp test 4.jpg| figure 10| frame|center]]
[[File:imp test 8.jpg| figure 11| frame|center]]

3. Input: User that cannot be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "super_administrator2"
Now you will be able to see a message being displayed on the screen, that tells that the given user cannot be impersonated.
[[File:imp test 6.jpg| figure 12| frame|center]]
[[File:imp test 5.jpg| figure 13| frame|center]]

4. Input: User that does not exist
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "studentstudent"
Now you will be able to see a message being displayed on the screen, that tells that the given user does not exist.
[[File:imp test 7.jpg| figure 14| frame|center]]
[[File:imp test 3.jpg| figure 15| frame|center]]

======B. Testing the impersonate functionality from the Navigation Bar:======

In order to perform the following testing:

1. Login as instructor using username: instructor6 and password: password.
2. Go on to the navigation bar on top right of the screen and enter student8598 and click on impersonate.
[[File: nav_bar1.png |1000px|]]

note: The above screenshot was captured after instructor6 impersonated student8597, you can also try to impersonate student8597

[[File: nav_bar2.png |1000px|]]

======C. Testing Anonymized View======
1.Login as instructor using username: instructor6 and password: password.
2.Go to Manage --> Anonymized view

[[File: Enter_anonymized_view.png |1000px|]]

3.Check for impersonate functionality using Manage --> Impersonate User with user account: student8597.

[[File: Manage_impersonate_anon.png |1000px|]]

[[File: manage_impersonated_user-anon.png |1000px|]]

4.Check for impersonate functionality using navigation bar on top right, with user account: student8598.

[[File: bar_anon.png |1000px|]]

[[File: bar_user_pg_anon.png |1000px|]]

=== Testing Functionalities ===

======A. Testing Navigation Bar======
Instructor should be able to impersonate a user while already impersonating a user but from navigation bar.
This test is to ascertain the functionality of the user being able to impersonate another user(obeying hierarchy) through the navigation bar on the top right hand corner. This is to test the rectification of the previous issue, where this functionality was broken. Here, we test the functionality by first logging in as the instructor(id:2) and then first impersonating a student1 using the main menu’s Manage tab. This redirects us to the student1’s page. Now, from the navigation bar, we try to impersonate another student, student2. This test finally checks if the session is true and the parameters are correct.
<pre>
it 'instructor should be able to impersonate a user while already impersonating a user but from nav bar' do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(User).to receive(:find_by).with(name: student2.name).and_return(student2)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(instructor).to receive(:can_impersonate?).with(student2).and_return(true)
request.env["HTTP_REFERER"] = "http://www.example.com"
@params = { user: { name: student1.name } }
@session = { user: instructor }
post :impersonate, @params, @session
# nav bar uses the :impersonate as the param name, so let make sure it always works from there too.
@params = { impersonate: { name: student2.name } }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student2
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end
</pre>

======B. Testing Anonymized User======

<pre>
it ‘instructor should be able to impersonate a user with their anonymized name’ do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(User).to receive(:anonymized_view?).and_return(true)
allow(User).to receive(:real_user_from_anonymized_name).with(“Student30”).and_return(student1)
request.env[“HTTP_REFERER”] = “http://www.example.com”
@params = { user: { name: “Student30" } }
@session = { user: instructor }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student1
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end

</pre>

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-20T01:45:54Z

Skrish28: /* Test Plan */

This wiki page describes the work done under E2018 OSS Program for Spring 2021, in the CSC/ECE 517 course.

===About Expertiza===

[http://expertiza.ncsu.edu/ Expertiza] is an open-source project based on [http://rubyonrails.org/ Ruby on Rails] framework. Expertiza is a complete instructor-student usage website where the instructor can assign assignments, deadlines, grades, etc that is required for the course. Similarly, the students can use this website to perform the tasks required as part of the course like project or assignments submission, forming groups and collaborating with them, as well as reviewing projects and teammates.

This project focuses on a specific feature of expertiza which allows administrators, instructors or teaching assistants to impersonate another user (like a student) and access their account.
The demonstration for the feature is as shown below.

[[File:Impersonate guide.jpg|figure 1|frame|center]]

[[File:Non impersonate.jpg|figure 2|frame|center]]

[[File:Impersonated view.jpg|figure 3|frame|center]]

===Problem Statement===
Expertiza allows administrators, instructors and Teaching Assistants to impersonate other users like a student. This allows the impersonator to view assignments, deadlines and submissions of other students.
The rules to impersonating a user is, the impersonator has to be an ancestor of the impersonate.
The hierarchy of impersonation is as follow:
super administrator -> Administrator -> Instructor -> Teaching Assistant -> Student
Note: impersonation cannot happen within the same level of hierarchy.
For Example, a Super Administrator can impersonate any user apart from other Super Administrators, an Administrator can impersonate Instructors, TA, Students and not other Admins and so on.
The aim of the project is to refactor the impersonate controller. The pre-existing code had the following major issues.

*All functions related to impersonate controller were present in a single method which is 79 lines long.

*Presence of repetitive code (Around 40 repetitive lines)
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
# Revert to original account
else
if !session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
else
flash[:error] = "No original account was found. Please close your browser and start a new session."
redirect_back
return
end
end
end

</pre>

*Block nesting
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>

* Too many return statements
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
</pre>

*The impersonation can be done by using an impersonate bar which currently does not allow initial impersonation.
[[File:impersonate.jpg]]

This project is focused on resolving the issues mentioned above.

===How Impersonating works?===
Basic login details: (Instructor login is only available) username -> instructor6, password -> password

When logged in as an instructor, under the manage option in the ribbon as in Figure 1, select impersonate user.
Upon redirected to impersonate page, enter the account which needs to be impersonated. It impersonates that user provided that user can be impersonated. Now a new button called revert appears on the ribbon as in figure 3, this can be used to revert the impersonation and return to the instructor profile.

===Problem Solution===
The above-mentioned issues have been tackled by refactoring the impersonate controller by splitting into many smaller methods which are later called by the main impersonate controller.

The following are the refactored new methods that help in tackling the issue1 apart from each being specifically for some issue rectification:
*check_if_user_impersonateable
*display_error_msg
*overwrite_session
*check_if_special_char
*do_main_operartion

=====A.check_if_user_impersonateable=====
This method plays the main role in tackling issue3 - 3 levels of block nesting apart from issue1.

'''Intial Code'''
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>
''' After recfactoring - Moved to separate method'''
<pre>
def check_if_user_impersonateable
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
if !@original_user.can_impersonate? user
@message = "You cannot impersonate '#{params[:user][:name]}'."
temp
AuthController.clear_user_info(session, nil)
else
overwrite_session
end
else
if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
overwrite_session
end
end
end
</pre>

=====B. display_error_msg=====
This method is used to tackle issues1, 2 and 4. All the error message related code is moved to this method.
<pre>
def display_error_msg
if params[:user]
@message = "No user exists with the name '#{params[:user][:name]}'."
elsif params[:impersonate]
@message = "No user exists with the name '#{params[:impersonate][:name]}'."
else
if params[:impersonate].nil?
@message = "You cannot impersonate '#{params[:user][:name]}'."
else
if !params[:impersonate][:name].empty?
@message = "You cannot impersonate '#{params[:impersonate][:name]}'."
else
@message = "No original account was found. Please close your browser and start a new session."
end
end
end
rescue Exception => e
flash[:error] = @message
redirect_to :back
end
</pre>

=====C.overwrite_session=====
This method reduces the number of return statements used in impersonate controller, apart from reducing the size of the controller.

'''Initial Code'''
<pre>
if params[:impersonate].nil?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:user][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:impersonate][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
</pre>
'''After Refactoring - Moved to a separate method and accessed through the adapter method do_main_operation'''
<pre>
def overwrite_session
#if not impersonatable, then original user's session remains
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = @original_user
session[:impersonate] = true
session[:user] = user
else
#if some user is to be impersonated, their session details are overwritten onto the current to impersonate

if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = @original_user
else
user = User.find_by(name: params[:user][:name])
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
end
end
end
</pre>

=====D. check_if_special_char=====
This code is used to reduce one functionality performed under the impersonate controller. This method checks to see if the given username is acceptable.
Older version consisted only of the following snippet of code.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
end
</pre>

In the current code, the following code is added to accomodate the navigation bar funcionality of impersonate.
<pre>
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
end
end
</pre>

=====E. do_main_operation=====
This like an adapter method that is used to interface the impersonate method with display_error_msg and check_if_user_impersonatable. One main purpose to do this is to make the methods flexible for change apart from reducing the number of lines from the impersonate controller.
<pre>
def do_main_operation(user)
if user
check_if_user_impersonateable
else
display_error_msg
end
end
</pre>

=====F. Changes made to implement Anonymized View=====
Initially, while using the anonymized view to impersonate the account: student8597, we received the following error.
[[File: anon_without_space_err.png|1000px]]
This occured as the following method was initially splitting the name using
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user_id = anonymized_name.split(' ’)[1]
user = User.find_by(id: user_id)
return user
end
</pre>
Thus while doing the above function, what happens is that the student’s name is searched for a space and the ID is obtained as the numerics after the space, which isn’t the case for our user’s names (eg: student8597). Thus we had to modify this method under app/models/user.rb to the following:
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user = User.find_by(name: anonymized_name)
return user
end
</pre>
In the above code snippet, what we are instead doing is, directly finding the user from the anonymized_name which in the errored case as in the figure above was ’’student8597'’.
Apart from these changes, we also had to include the following statements in various parts of the impersonate_controller.rb file to ensure the the previously written test for anonymous view doesn’t break anywhere.
<pre>
# E1991 : check whether instructor is currently in anonymized view
user = User.anonymized_view?(session[:ip]) ? User.real_user_from_anonymized_name(params[:impersonate][:name]) : user = user = User.find_by(name: params[:impersonate][:name])
</pre>

======G. Changes to fix the broken impersonate Navigation Bar======
The broken part of this refactoring project, as compared to the previous year’s, was the Navigation bar on the top right part of the screen. As mentioned earlier, in order to impersonate we have two methods:
Using the Manage --> Impersonate User
Using the Navigation Bar.
However, as far as the previous submission goes, the Navigation bar’s functionality wasn’t complete. The aim of this refactoring is to also fix this and enable the impersonate functionality to work from there as well.
The previous submission broke while trying to use the Navigation bar for impersonation because of the wrong passage of params between the views and controllers. In order to make the impersonate from the Manage --> Impersonate User work, the form that was rendered was the expertiza/app/views/impersonate/start.html.erb. Here, the field filled was :user. And was then checkd for in the impersonate_controller.rb.
However, the Navigation Bar makes use of the :impersonate symbol to pass the impersonated user’s name and other details to the controller, for which no check was included earlier. Thus, there was no way to procure a user from the navigation bar. In the current submission this is fixed by including the following check in the impersonate_controller.rb/check_if_special_char:

The check_if_special_char is a function which checks if the Username entered is valid or not.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], “Username”)
redirect_back
return
end
end
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], “Username”)
redirect_back
return
end
end
end
</pre>
As you can see, in the above code snippet, there is a check for the :impersonate’s params, which earlier was missing(Refer [[#D. check_if_special_char|D. check_if_special_char]])

=== Test Plan ===
The UI testing of this project can be performed on three fronts:

#The normal impersonate functionality from the Manage tab and Revert functionality.
#The impersonate functionality using the navigation bar.
#The anonymized view's impersonate functionality(both from the Manage bar as well as the navigation bar).

You can use the following details of various users to test the heirarchies and the impersonations between them.

''Note: You cannot login as a super_administrator2, as the login details are unknown. However, we have included ways to test the inability for a lower hierarchy memeber to impersonate the super_administrator.''

{| class="wikitable"
|+ User details
! Hierarchy of user
! User account to enter

|-
! Super Administrator
| super_administrator2
|-
! Instructor
| intructor6
|-
|-
! TA
| teaching_assistant6753
|-
! Student
| student5890
|-
! Student
| student7609
|-
! Student
| student7610, 7603
|}

To test out the three fronts, follow the steps mentioned below under each sub-heading:

======A. Testing Impersonate functionality from the Manage tab and Revert functionality:======

Checking if impersonating a user is working
1. Input: User that can be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "student5890"
Now you will be able to see that user "student5890" has been impersonated.

[[File:imp test 1.jpg| figure 7| frame|center]]
[[File:imp test 2.jpg| figure 8| frame|center]]

[[File:imp test 4.jpg| figure 9| frame|center]]

2. Input: Reverting from impersonated account

We will have the user "student5890" impersonated.
- Press the blue revert button at the top of the window
Now you will have returned to the instructor profile

[[File:imp test 4.jpg| figure 10| frame|center]]
[[File:imp test 8.jpg| figure 11| frame|center]]

3. Input: User that cannot be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "super_administrator2"
Now you will be able to see a message being displayed on the screen, that tells that the given user cannot be impersonated.
[[File:imp test 6.jpg| figure 12| frame|center]]
[[File:imp test 5.jpg| figure 13| frame|center]]

4. Input: User that does not exist
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "studentstudent"
Now you will be able to see a message being displayed on the screen, that tells that the given user does not exist.
[[File:imp test 7.jpg| figure 14| frame|center]]
[[File:imp test 3.jpg| figure 15| frame|center]]

======B. Testing the impersonate functionality from the Navigation Bar:======

In order to perform the following testing:

1. Login as instructor using username: instructor6 and password: password.
2. Go on to the navigation bar on top right of the screen and enter student8598 and click on impersonate.
[[File: nav_bar1.png |1000px|]]

note: The above screenshot was captured after instructor6 impersonated student8597, you can also try to impersonate student8597

[[File: nav_bar2.png |1000px|]]

======C. Testing Anonymized View======
1.Login as instructor using username: instructor6 and password: password.
2.Go to Manage --> Anonymized view

[[File: Enter_anonymized_view.png |1000px|]]

3.Check for impersonate functionality using Manage --> Impersonate User with user account: student8597.

[[File: Manage_impersonate_anon.png |1000px|]]

[[File: manage_impersonated_user-anon.png |1000px|]]

4.Check for impersonate functionality using navigation bar on top right, with user account: student8598.

[[File: bar_anon.png |1000px|]]

[[File: bar_user_pg_anon.png |1000px|]]

=== Testing Functionalities ===

======A. Testing Navigation Bar======
Instructor should be able to impersonate a user while already impersonating a user but from navigation bar.
This test is to ascertain the functionality of the user being able to impersonate another user(obeying hierarchy) through the navigation bar on the top right hand corner. This is to test the rectification of the previous issue, where this functionality was broken. Here, we test the functionality by first logging in as the instructor(id:2) and then first impersonating a student1 using the main menu’s Manage tab. This redirects us to the student1’s page. Now, from the navigation bar, we try to impersonate another student, student2. This test finally checks if the session is true and the parameters are correct.
<pre>
it 'instructor should be able to impersonate a user while already impersonating a user but from nav bar' do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(User).to receive(:find_by).with(name: student2.name).and_return(student2)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(instructor).to receive(:can_impersonate?).with(student2).and_return(true)
request.env["HTTP_REFERER"] = "http://www.example.com"
@params = { user: { name: student1.name } }
@session = { user: instructor }
post :impersonate, @params, @session
# nav bar uses the :impersonate as the param name, so let make sure it always works from there too.
@params = { impersonate: { name: student2.name } }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student2
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end
</pre>

======B. Testing Anonymized User======

<pre>
it ‘instructor should be able to impersonate a user with their anonymized name’ do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(User).to receive(:anonymized_view?).and_return(true)
allow(User).to receive(:real_user_from_anonymized_name).with(“Student30”).and_return(student1)
request.env[“HTTP_REFERER”] = “http://www.example.com”
@params = { user: { name: “Student30" } }
@session = { user: instructor }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student1
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end

</pre>

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-20T01:41:52Z

Skrish28: /* Impersonate functionality navigation */

This wiki page describes the work done under E2018 OSS Program for Spring 2021, in the CSC/ECE 517 course.

===About Expertiza===

[http://expertiza.ncsu.edu/ Expertiza] is an open-source project based on [http://rubyonrails.org/ Ruby on Rails] framework. Expertiza is a complete instructor-student usage website where the instructor can assign assignments, deadlines, grades, etc that is required for the course. Similarly, the students can use this website to perform the tasks required as part of the course like project or assignments submission, forming groups and collaborating with them, as well as reviewing projects and teammates.

This project focuses on a specific feature of expertiza which allows administrators, instructors or teaching assistants to impersonate another user (like a student) and access their account.
The demonstration for the feature is as shown below.

[[File:Impersonate guide.jpg|figure 1|frame|center]]

[[File:Non impersonate.jpg|figure 2|frame|center]]

[[File:Impersonated view.jpg|figure 3|frame|center]]

===Problem Statement===
Expertiza allows administrators, instructors and Teaching Assistants to impersonate other users like a student. This allows the impersonator to view assignments, deadlines and submissions of other students.
The rules to impersonating a user is, the impersonator has to be an ancestor of the impersonate.
The hierarchy of impersonation is as follow:
super administrator -> Administrator -> Instructor -> Teaching Assistant -> Student
Note: impersonation cannot happen within the same level of hierarchy.
For Example, a Super Administrator can impersonate any user apart from other Super Administrators, an Administrator can impersonate Instructors, TA, Students and not other Admins and so on.
The aim of the project is to refactor the impersonate controller. The pre-existing code had the following major issues.

*All functions related to impersonate controller were present in a single method which is 79 lines long.

*Presence of repetitive code (Around 40 repetitive lines)
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
# Revert to original account
else
if !session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
else
flash[:error] = "No original account was found. Please close your browser and start a new session."
redirect_back
return
end
end
end

</pre>

*Block nesting
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>

* Too many return statements
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
</pre>

*The impersonation can be done by using an impersonate bar which currently does not allow initial impersonation.
[[File:impersonate.jpg]]

This project is focused on resolving the issues mentioned above.

===How Impersonating works?===
Basic login details: (Instructor login is only available) username -> instructor6, password -> password

When logged in as an instructor, under the manage option in the ribbon as in Figure 1, select impersonate user.
Upon redirected to impersonate page, enter the account which needs to be impersonated. It impersonates that user provided that user can be impersonated. Now a new button called revert appears on the ribbon as in figure 3, this can be used to revert the impersonation and return to the instructor profile.

===Problem Solution===
The above-mentioned issues have been tackled by refactoring the impersonate controller by splitting into many smaller methods which are later called by the main impersonate controller.

The following are the refactored new methods that help in tackling the issue1 apart from each being specifically for some issue rectification:
*check_if_user_impersonateable
*display_error_msg
*overwrite_session
*check_if_special_char
*do_main_operartion

=====A.check_if_user_impersonateable=====
This method plays the main role in tackling issue3 - 3 levels of block nesting apart from issue1.

'''Intial Code'''
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>
''' After recfactoring - Moved to separate method'''
<pre>
def check_if_user_impersonateable
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
if !@original_user.can_impersonate? user
@message = "You cannot impersonate '#{params[:user][:name]}'."
temp
AuthController.clear_user_info(session, nil)
else
overwrite_session
end
else
if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
overwrite_session
end
end
end
</pre>

=====B. display_error_msg=====
This method is used to tackle issues1, 2 and 4. All the error message related code is moved to this method.
<pre>
def display_error_msg
if params[:user]
@message = "No user exists with the name '#{params[:user][:name]}'."
elsif params[:impersonate]
@message = "No user exists with the name '#{params[:impersonate][:name]}'."
else
if params[:impersonate].nil?
@message = "You cannot impersonate '#{params[:user][:name]}'."
else
if !params[:impersonate][:name].empty?
@message = "You cannot impersonate '#{params[:impersonate][:name]}'."
else
@message = "No original account was found. Please close your browser and start a new session."
end
end
end
rescue Exception => e
flash[:error] = @message
redirect_to :back
end
</pre>

=====C.overwrite_session=====
This method reduces the number of return statements used in impersonate controller, apart from reducing the size of the controller.

'''Initial Code'''
<pre>
if params[:impersonate].nil?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:user][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:impersonate][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
</pre>
'''After Refactoring - Moved to a separate method and accessed through the adapter method do_main_operation'''
<pre>
def overwrite_session
#if not impersonatable, then original user's session remains
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = @original_user
session[:impersonate] = true
session[:user] = user
else
#if some user is to be impersonated, their session details are overwritten onto the current to impersonate

if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = @original_user
else
user = User.find_by(name: params[:user][:name])
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
end
end
end
</pre>

=====D. check_if_special_char=====
This code is used to reduce one functionality performed under the impersonate controller. This method checks to see if the given username is acceptable.
Older version consisted only of the following snippet of code.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
end
</pre>

In the current code, the following code is added to accomodate the navigation bar funcionality of impersonate.
<pre>
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
end
end
</pre>

=====E. do_main_operation=====
This like an adapter method that is used to interface the impersonate method with display_error_msg and check_if_user_impersonatable. One main purpose to do this is to make the methods flexible for change apart from reducing the number of lines from the impersonate controller.
<pre>
def do_main_operation(user)
if user
check_if_user_impersonateable
else
display_error_msg
end
end
</pre>

=====F. Changes made to implement Anonymized View=====
Initially, while using the anonymized view to impersonate the account: student8597, we received the following error.
[[File: anon_without_space_err.png|1000px]]
This occured as the following method was initially splitting the name using
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user_id = anonymized_name.split(' ’)[1]
user = User.find_by(id: user_id)
return user
end
</pre>
Thus while doing the above function, what happens is that the student’s name is searched for a space and the ID is obtained as the numerics after the space, which isn’t the case for our user’s names (eg: student8597). Thus we had to modify this method under app/models/user.rb to the following:
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user = User.find_by(name: anonymized_name)
return user
end
</pre>
In the above code snippet, what we are instead doing is, directly finding the user from the anonymized_name which in the errored case as in the figure above was ’’student8597'’.
Apart from these changes, we also had to include the following statements in various parts of the impersonate_controller.rb file to ensure the the previously written test for anonymous view doesn’t break anywhere.
<pre>
# E1991 : check whether instructor is currently in anonymized view
user = User.anonymized_view?(session[:ip]) ? User.real_user_from_anonymized_name(params[:impersonate][:name]) : user = user = User.find_by(name: params[:impersonate][:name])
</pre>

======G. Changes to fix the broken impersonate Navigation Bar======
The broken part of this refactoring project, as compared to the previous year’s, was the Navigation bar on the top right part of the screen. As mentioned earlier, in order to impersonate we have two methods:
Using the Manage --> Impersonate User
Using the Navigation Bar.
However, as far as the previous submission goes, the Navigation bar’s functionality wasn’t complete. The aim of this refactoring is to also fix this and enable the impersonate functionality to work from there as well.
The previous submission broke while trying to use the Navigation bar for impersonation because of the wrong passage of params between the views and controllers. In order to make the impersonate from the Manage --> Impersonate User work, the form that was rendered was the expertiza/app/views/impersonate/start.html.erb. Here, the field filled was :user. And was then checkd for in the impersonate_controller.rb.
However, the Navigation Bar makes use of the :impersonate symbol to pass the impersonated user’s name and other details to the controller, for which no check was included earlier. Thus, there was no way to procure a user from the navigation bar. In the current submission this is fixed by including the following check in the impersonate_controller.rb/check_if_special_char:

The check_if_special_char is a function which checks if the Username entered is valid or not.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], “Username”)
redirect_back
return
end
end
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], “Username”)
redirect_back
return
end
end
end
</pre>
As you can see, in the above code snippet, there is a check for the :impersonate’s params, which earlier was missing(Refer [[#D. check_if_special_char|D. check_if_special_char]])

=== Test Plan ===
The UI testing of this project can be performed on three fronts:

#The normal impersonate functionality from the Manage tab and Revert functionality.
#The impersonate functionality using the navigation bar.
#The anonymized view's impersonate functionality(both from the Manage bar as well as the navigation bar).

You can use the following details of various users to test the heirarchies and the impersonations between them.
{| class="wikitable"
|+ User details
! Hierarchy of user
! User Name to enter

|-
! Super Administrator
| super_administrator2
|-
! Instructor
| intructor6
|-
|-
! TA
| teaching_assistant6753
|-
! Student
| student5890
|-
! Student
| student7609
|-
! Student
| student7610, 7603
|}

To test out the three fronts follow the steps mentioned below under each sub-heading:

======A. Testing Impersonate functionality from the Manage tab and Revert functionality:======

Checking if impersonating a user is working
1. Input: User that can be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "student5890"
Now you will be able to see that user "student5890" has been impersonated.

[[File:imp test 1.jpg| figure 7| frame|center]]
[[File:imp test 2.jpg| figure 8| frame|center]]

[[File:imp test 4.jpg| figure 9| frame|center]]

2. Input: Reverting from impersonated account

We will have the user "student5890" impersonated.
- Press the blue revert button at the top of the window
Now you will have returned to the instructor profile

[[File:imp test 4.jpg| figure 10| frame|center]]
[[File:imp test 8.jpg| figure 11| frame|center]]

3. Input: User that cannot be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "super_administrator2"
Now you will be able to see a message being displayed on the screen, that tells that the given user cannot be impersonated.
[[File:imp test 6.jpg| figure 12| frame|center]]
[[File:imp test 5.jpg| figure 13| frame|center]]

4. Input: User that does not exist
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "studentstudent"
Now you will be able to see a message being displayed on the screen, that tells that the given user does not exist.
[[File:imp test 7.jpg| figure 14| frame|center]]
[[File:imp test 3.jpg| figure 15| frame|center]]

======B. Testing the impersonate functionality from the Navigation Bar:======

In order to perform the following testing:

1. Login as instructor using username: instructor6 and password: password.
2. Go on to the navigation bar on top right of the screen and enter student8598 and click on impersonate.
[[File: nav_bar1.png |1000px|]]

note: The above screenshot was captured after instructor6 impersonated student8597, you can also try to impersonate student8597

[[File: nav_bar2.png |1000px|]]

======C. Testing Anonymized View======
1.Login as instructor using username: instructor6 and password: password.
2.Go to Manage --> Anonymized view

[[File: Enter_anonymized_view.png |1000px|]]

3.Check for impersonate functionality using Manage --> Impersonate User with user account: student8597.

[[File: Manage_impersonate_anon.png |1000px|]]

[[File: manage_impersonated_user-anon.png |1000px|]]

4.Check for impersonate functionality using navigation bar on top right, with user account: student8598.

[[File: bar_anon.png |1000px|]]

[[File: bar_user_pg_anon.png |1000px|]]

=== Testing Functionalities ===

======A. Testing Navigation Bar======
Instructor should be able to impersonate a user while already impersonating a user but from navigation bar.
This test is to ascertain the functionality of the user being able to impersonate another user(obeying hierarchy) through the navigation bar on the top right hand corner. This is to test the rectification of the previous issue, where this functionality was broken. Here, we test the functionality by first logging in as the instructor(id:2) and then first impersonating a student1 using the main menu’s Manage tab. This redirects us to the student1’s page. Now, from the navigation bar, we try to impersonate another student, student2. This test finally checks if the session is true and the parameters are correct.
<pre>
it 'instructor should be able to impersonate a user while already impersonating a user but from nav bar' do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(User).to receive(:find_by).with(name: student2.name).and_return(student2)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(instructor).to receive(:can_impersonate?).with(student2).and_return(true)
request.env["HTTP_REFERER"] = "http://www.example.com"
@params = { user: { name: student1.name } }
@session = { user: instructor }
post :impersonate, @params, @session
# nav bar uses the :impersonate as the param name, so let make sure it always works from there too.
@params = { impersonate: { name: student2.name } }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student2
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end
</pre>

======B. Testing Anonymized User======

<pre>
it ‘instructor should be able to impersonate a user with their anonymized name’ do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(User).to receive(:anonymized_view?).and_return(true)
allow(User).to receive(:real_user_from_anonymized_name).with(“Student30”).and_return(student1)
request.env[“HTTP_REFERER”] = “http://www.example.com”
@params = { user: { name: “Student30" } }
@session = { user: instructor }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student1
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end

</pre>

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-20T01:40:15Z

Skrish28: /* D. check_if_special_char */

This wiki page describes the work done under E2018 OSS Program for Spring 2021, in the CSC/ECE 517 course.

===About Expertiza===

[http://expertiza.ncsu.edu/ Expertiza] is an open-source project based on [http://rubyonrails.org/ Ruby on Rails] framework. Expertiza is a complete instructor-student usage website where the instructor can assign assignments, deadlines, grades, etc that is required for the course. Similarly, the students can use this website to perform the tasks required as part of the course like project or assignments submission, forming groups and collaborating with them, as well as reviewing projects and teammates.

This project focuses on a specific feature of expertiza which allows administrators, instructors or teaching assistants to impersonate another user (like a student) and access their account.
The demonstration for the feature is as shown below.

[[File:Impersonate guide.jpg|figure 1|frame|center]]

[[File:Non impersonate.jpg|figure 2|frame|center]]

[[File:Impersonated view.jpg|figure 3|frame|center]]

===Problem Statement===
Expertiza allows administrators, instructors and Teaching Assistants to impersonate other users like a student. This allows the impersonator to view assignments, deadlines and submissions of other students.
The rules to impersonating a user is, the impersonator has to be an ancestor of the impersonate.
The hierarchy of impersonation is as follow:
super administrator -> Administrator -> Instructor -> Teaching Assistant -> Student
Note: impersonation cannot happen within the same level of hierarchy.
For Example, a Super Administrator can impersonate any user apart from other Super Administrators, an Administrator can impersonate Instructors, TA, Students and not other Admins and so on.
The aim of the project is to refactor the impersonate controller. The pre-existing code had the following major issues.

*All functions related to impersonate controller were present in a single method which is 79 lines long.

*Presence of repetitive code (Around 40 repetitive lines)
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
# Revert to original account
else
if !session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
else
flash[:error] = "No original account was found. Please close your browser and start a new session."
redirect_back
return
end
end
end

</pre>

*Block nesting
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>

* Too many return statements
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
</pre>

*The impersonation can be done by using an impersonate bar which currently does not allow initial impersonation.
[[File:impersonate.jpg]]

This project is focused on resolving the issues mentioned above.

===Impersonate functionality navigation===
1. Instructor login: username -> instructor6, password -> password

when logged in as an instructor, under the manage option in the ribbon as in Figure 1, select impersonate user.
Upon redirected to impersonate page, enter the account which needs to be impersonated. It impersonates that user provided that user can be impersonated. Now a new button called revert appears on the ribbon as in figure 3, this can be used to revert the impersonation and return to the instructor profile.

===Problem Solution===
The above-mentioned issues have been tackled by refactoring the impersonate controller by splitting into many smaller methods which are later called by the main impersonate controller.

The following are the refactored new methods that help in tackling the issue1 apart from each being specifically for some issue rectification:
*check_if_user_impersonateable
*display_error_msg
*overwrite_session
*check_if_special_char
*do_main_operartion

=====A.check_if_user_impersonateable=====
This method plays the main role in tackling issue3 - 3 levels of block nesting apart from issue1.

'''Intial Code'''
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>
''' After recfactoring - Moved to separate method'''
<pre>
def check_if_user_impersonateable
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
if !@original_user.can_impersonate? user
@message = "You cannot impersonate '#{params[:user][:name]}'."
temp
AuthController.clear_user_info(session, nil)
else
overwrite_session
end
else
if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
overwrite_session
end
end
end
</pre>

=====B. display_error_msg=====
This method is used to tackle issues1, 2 and 4. All the error message related code is moved to this method.
<pre>
def display_error_msg
if params[:user]
@message = "No user exists with the name '#{params[:user][:name]}'."
elsif params[:impersonate]
@message = "No user exists with the name '#{params[:impersonate][:name]}'."
else
if params[:impersonate].nil?
@message = "You cannot impersonate '#{params[:user][:name]}'."
else
if !params[:impersonate][:name].empty?
@message = "You cannot impersonate '#{params[:impersonate][:name]}'."
else
@message = "No original account was found. Please close your browser and start a new session."
end
end
end
rescue Exception => e
flash[:error] = @message
redirect_to :back
end
</pre>

=====C.overwrite_session=====
This method reduces the number of return statements used in impersonate controller, apart from reducing the size of the controller.

'''Initial Code'''
<pre>
if params[:impersonate].nil?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:user][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:impersonate][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
</pre>
'''After Refactoring - Moved to a separate method and accessed through the adapter method do_main_operation'''
<pre>
def overwrite_session
#if not impersonatable, then original user's session remains
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = @original_user
session[:impersonate] = true
session[:user] = user
else
#if some user is to be impersonated, their session details are overwritten onto the current to impersonate

if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = @original_user
else
user = User.find_by(name: params[:user][:name])
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
end
end
end
</pre>

=====D. check_if_special_char=====
This code is used to reduce one functionality performed under the impersonate controller. This method checks to see if the given username is acceptable.
Older version consisted only of the following snippet of code.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
end
</pre>

In the current code, the following code is added to accomodate the navigation bar funcionality of impersonate.
<pre>
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
end
end
</pre>

=====E. do_main_operation=====
This like an adapter method that is used to interface the impersonate method with display_error_msg and check_if_user_impersonatable. One main purpose to do this is to make the methods flexible for change apart from reducing the number of lines from the impersonate controller.
<pre>
def do_main_operation(user)
if user
check_if_user_impersonateable
else
display_error_msg
end
end
</pre>

=====F. Changes made to implement Anonymized View=====
Initially, while using the anonymized view to impersonate the account: student8597, we received the following error.
[[File: anon_without_space_err.png|1000px]]
This occured as the following method was initially splitting the name using
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user_id = anonymized_name.split(' ’)[1]
user = User.find_by(id: user_id)
return user
end
</pre>
Thus while doing the above function, what happens is that the student’s name is searched for a space and the ID is obtained as the numerics after the space, which isn’t the case for our user’s names (eg: student8597). Thus we had to modify this method under app/models/user.rb to the following:
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user = User.find_by(name: anonymized_name)
return user
end
</pre>
In the above code snippet, what we are instead doing is, directly finding the user from the anonymized_name which in the errored case as in the figure above was ’’student8597'’.
Apart from these changes, we also had to include the following statements in various parts of the impersonate_controller.rb file to ensure the the previously written test for anonymous view doesn’t break anywhere.
<pre>
# E1991 : check whether instructor is currently in anonymized view
user = User.anonymized_view?(session[:ip]) ? User.real_user_from_anonymized_name(params[:impersonate][:name]) : user = user = User.find_by(name: params[:impersonate][:name])
</pre>

======G. Changes to fix the broken impersonate Navigation Bar======
The broken part of this refactoring project, as compared to the previous year’s, was the Navigation bar on the top right part of the screen. As mentioned earlier, in order to impersonate we have two methods:
Using the Manage --> Impersonate User
Using the Navigation Bar.
However, as far as the previous submission goes, the Navigation bar’s functionality wasn’t complete. The aim of this refactoring is to also fix this and enable the impersonate functionality to work from there as well.
The previous submission broke while trying to use the Navigation bar for impersonation because of the wrong passage of params between the views and controllers. In order to make the impersonate from the Manage --> Impersonate User work, the form that was rendered was the expertiza/app/views/impersonate/start.html.erb. Here, the field filled was :user. And was then checkd for in the impersonate_controller.rb.
However, the Navigation Bar makes use of the :impersonate symbol to pass the impersonated user’s name and other details to the controller, for which no check was included earlier. Thus, there was no way to procure a user from the navigation bar. In the current submission this is fixed by including the following check in the impersonate_controller.rb/check_if_special_char:

The check_if_special_char is a function which checks if the Username entered is valid or not.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], “Username”)
redirect_back
return
end
end
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], “Username”)
redirect_back
return
end
end
end
</pre>
As you can see, in the above code snippet, there is a check for the :impersonate’s params, which earlier was missing(Refer [[#D. check_if_special_char|D. check_if_special_char]])

=== Test Plan ===
The UI testing of this project can be performed on three fronts:

#The normal impersonate functionality from the Manage tab and Revert functionality.
#The impersonate functionality using the navigation bar.
#The anonymized view's impersonate functionality(both from the Manage bar as well as the navigation bar).

You can use the following details of various users to test the heirarchies and the impersonations between them.
{| class="wikitable"
|+ User details
! Hierarchy of user
! User Name to enter

|-
! Super Administrator
| super_administrator2
|-
! Instructor
| intructor6
|-
|-
! TA
| teaching_assistant6753
|-
! Student
| student5890
|-
! Student
| student7609
|-
! Student
| student7610, 7603
|}

To test out the three fronts follow the steps mentioned below under each sub-heading:

======A. Testing Impersonate functionality from the Manage tab and Revert functionality:======

Checking if impersonating a user is working
1. Input: User that can be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "student5890"
Now you will be able to see that user "student5890" has been impersonated.

[[File:imp test 1.jpg| figure 7| frame|center]]
[[File:imp test 2.jpg| figure 8| frame|center]]

[[File:imp test 4.jpg| figure 9| frame|center]]

2. Input: Reverting from impersonated account

We will have the user "student5890" impersonated.
- Press the blue revert button at the top of the window
Now you will have returned to the instructor profile

[[File:imp test 4.jpg| figure 10| frame|center]]
[[File:imp test 8.jpg| figure 11| frame|center]]

3. Input: User that cannot be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "super_administrator2"
Now you will be able to see a message being displayed on the screen, that tells that the given user cannot be impersonated.
[[File:imp test 6.jpg| figure 12| frame|center]]
[[File:imp test 5.jpg| figure 13| frame|center]]

4. Input: User that does not exist
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "studentstudent"
Now you will be able to see a message being displayed on the screen, that tells that the given user does not exist.
[[File:imp test 7.jpg| figure 14| frame|center]]
[[File:imp test 3.jpg| figure 15| frame|center]]

======B. Testing the impersonate functionality from the Navigation Bar:======

In order to perform the following testing:

1. Login as instructor using username: instructor6 and password: password.
2. Go on to the navigation bar on top right of the screen and enter student8598 and click on impersonate.
[[File: nav_bar1.png |1000px|]]

note: The above screenshot was captured after instructor6 impersonated student8597, you can also try to impersonate student8597

[[File: nav_bar2.png |1000px|]]

======C. Testing Anonymized View======
1.Login as instructor using username: instructor6 and password: password.
2.Go to Manage --> Anonymized view

[[File: Enter_anonymized_view.png |1000px|]]

3.Check for impersonate functionality using Manage --> Impersonate User with user account: student8597.

[[File: Manage_impersonate_anon.png |1000px|]]

[[File: manage_impersonated_user-anon.png |1000px|]]

4.Check for impersonate functionality using navigation bar on top right, with user account: student8598.

[[File: bar_anon.png |1000px|]]

[[File: bar_user_pg_anon.png |1000px|]]

=== Testing Functionalities ===

======A. Testing Navigation Bar======
Instructor should be able to impersonate a user while already impersonating a user but from navigation bar.
This test is to ascertain the functionality of the user being able to impersonate another user(obeying hierarchy) through the navigation bar on the top right hand corner. This is to test the rectification of the previous issue, where this functionality was broken. Here, we test the functionality by first logging in as the instructor(id:2) and then first impersonating a student1 using the main menu’s Manage tab. This redirects us to the student1’s page. Now, from the navigation bar, we try to impersonate another student, student2. This test finally checks if the session is true and the parameters are correct.
<pre>
it 'instructor should be able to impersonate a user while already impersonating a user but from nav bar' do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(User).to receive(:find_by).with(name: student2.name).and_return(student2)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(instructor).to receive(:can_impersonate?).with(student2).and_return(true)
request.env["HTTP_REFERER"] = "http://www.example.com"
@params = { user: { name: student1.name } }
@session = { user: instructor }
post :impersonate, @params, @session
# nav bar uses the :impersonate as the param name, so let make sure it always works from there too.
@params = { impersonate: { name: student2.name } }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student2
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end
</pre>

======B. Testing Anonymized User======

<pre>
it ‘instructor should be able to impersonate a user with their anonymized name’ do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(User).to receive(:anonymized_view?).and_return(true)
allow(User).to receive(:real_user_from_anonymized_name).with(“Student30”).and_return(student1)
request.env[“HTTP_REFERER”] = “http://www.example.com”
@params = { user: { name: “Student30" } }
@session = { user: instructor }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student1
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end

</pre>

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-20T01:34:49Z

Skrish28: /* G. Changes to fix the broken impersonate Navigation Bar */

This wiki page describes the work done under E2018 OSS Program for Spring 2021, in the CSC/ECE 517 course.

===About Expertiza===

[http://expertiza.ncsu.edu/ Expertiza] is an open-source project based on [http://rubyonrails.org/ Ruby on Rails] framework. Expertiza is a complete instructor-student usage website where the instructor can assign assignments, deadlines, grades, etc that is required for the course. Similarly, the students can use this website to perform the tasks required as part of the course like project or assignments submission, forming groups and collaborating with them, as well as reviewing projects and teammates.

This project focuses on a specific feature of expertiza which allows administrators, instructors or teaching assistants to impersonate another user (like a student) and access their account.
The demonstration for the feature is as shown below.

[[File:Impersonate guide.jpg|figure 1|frame|center]]

[[File:Non impersonate.jpg|figure 2|frame|center]]

[[File:Impersonated view.jpg|figure 3|frame|center]]

===Problem Statement===
Expertiza allows administrators, instructors and Teaching Assistants to impersonate other users like a student. This allows the impersonator to view assignments, deadlines and submissions of other students.
The rules to impersonating a user is, the impersonator has to be an ancestor of the impersonate.
The hierarchy of impersonation is as follow:
super administrator -> Administrator -> Instructor -> Teaching Assistant -> Student
Note: impersonation cannot happen within the same level of hierarchy.
For Example, a Super Administrator can impersonate any user apart from other Super Administrators, an Administrator can impersonate Instructors, TA, Students and not other Admins and so on.
The aim of the project is to refactor the impersonate controller. The pre-existing code had the following major issues.

*All functions related to impersonate controller were present in a single method which is 79 lines long.

*Presence of repetitive code (Around 40 repetitive lines)
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
# Revert to original account
else
if !session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
else
flash[:error] = "No original account was found. Please close your browser and start a new session."
redirect_back
return
end
end
end

</pre>

*Block nesting
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>

* Too many return statements
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
</pre>

*The impersonation can be done by using an impersonate bar which currently does not allow initial impersonation.
[[File:impersonate.jpg]]

This project is focused on resolving the issues mentioned above.

===Impersonate functionality navigation===
1. Instructor login: username -> instructor6, password -> password

when logged in as an instructor, under the manage option in the ribbon as in Figure 1, select impersonate user.
Upon redirected to impersonate page, enter the account which needs to be impersonated. It impersonates that user provided that user can be impersonated. Now a new button called revert appears on the ribbon as in figure 3, this can be used to revert the impersonation and return to the instructor profile.

===Problem Solution===
The above-mentioned issues have been tackled by refactoring the impersonate controller by splitting into many smaller methods which are later called by the main impersonate controller.

The following are the refactored new methods that help in tackling the issue1 apart from each being specifically for some issue rectification:
*check_if_user_impersonateable
*display_error_msg
*overwrite_session
*check_if_special_char
*do_main_operartion

=====A.check_if_user_impersonateable=====
This method plays the main role in tackling issue3 - 3 levels of block nesting apart from issue1.

'''Intial Code'''
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>
''' After recfactoring - Moved to separate method'''
<pre>
def check_if_user_impersonateable
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
if !@original_user.can_impersonate? user
@message = "You cannot impersonate '#{params[:user][:name]}'."
temp
AuthController.clear_user_info(session, nil)
else
overwrite_session
end
else
if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
overwrite_session
end
end
end
</pre>

=====B. display_error_msg=====
This method is used to tackle issues1, 2 and 4. All the error message related code is moved to this method.
<pre>
def display_error_msg
if params[:user]
@message = "No user exists with the name '#{params[:user][:name]}'."
elsif params[:impersonate]
@message = "No user exists with the name '#{params[:impersonate][:name]}'."
else
if params[:impersonate].nil?
@message = "You cannot impersonate '#{params[:user][:name]}'."
else
if !params[:impersonate][:name].empty?
@message = "You cannot impersonate '#{params[:impersonate][:name]}'."
else
@message = "No original account was found. Please close your browser and start a new session."
end
end
end
rescue Exception => e
flash[:error] = @message
redirect_to :back
end
</pre>

=====C.overwrite_session=====
This method reduces the number of return statements used in impersonate controller, apart from reducing the size of the controller.

'''Initial Code'''
<pre>
if params[:impersonate].nil?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:user][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:impersonate][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
</pre>
'''After Refactoring - Moved to a separate method and accessed through the adapter method do_main_operation'''
<pre>
def overwrite_session
#if not impersonatable, then original user's session remains
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = @original_user
session[:impersonate] = true
session[:user] = user
else
#if some user is to be impersonated, their session details are overwritten onto the current to impersonate

if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = @original_user
else
user = User.find_by(name: params[:user][:name])
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
end
end
end
</pre>

=====D. check_if_special_char=====
This code is used to reduce one functionality performed under the impersonate controller. This method checks to see if the given username is acceptable.
<pre>
def check_if_special_char
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
end
</pre>

=====E. do_main_operation=====
This like an adapter method that is used to interface the impersonate method with display_error_msg and check_if_user_impersonatable. One main purpose to do this is to make the methods flexible for change apart from reducing the number of lines from the impersonate controller.
<pre>
def do_main_operation(user)
if user
check_if_user_impersonateable
else
display_error_msg
end
end
</pre>

=====F. Changes made to implement Anonymized View=====
Initially, while using the anonymized view to impersonate the account: student8597, we received the following error.
[[File: anon_without_space_err.png|1000px]]
This occured as the following method was initially splitting the name using
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user_id = anonymized_name.split(' ’)[1]
user = User.find_by(id: user_id)
return user
end
</pre>
Thus while doing the above function, what happens is that the student’s name is searched for a space and the ID is obtained as the numerics after the space, which isn’t the case for our user’s names (eg: student8597). Thus we had to modify this method under app/models/user.rb to the following:
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user = User.find_by(name: anonymized_name)
return user
end
</pre>
In the above code snippet, what we are instead doing is, directly finding the user from the anonymized_name which in the errored case as in the figure above was ’’student8597'’.
Apart from these changes, we also had to include the following statements in various parts of the impersonate_controller.rb file to ensure the the previously written test for anonymous view doesn’t break anywhere.
<pre>
# E1991 : check whether instructor is currently in anonymized view
user = User.anonymized_view?(session[:ip]) ? User.real_user_from_anonymized_name(params[:impersonate][:name]) : user = user = User.find_by(name: params[:impersonate][:name])
</pre>

======G. Changes to fix the broken impersonate Navigation Bar======
The broken part of this refactoring project, as compared to the previous year’s, was the Navigation bar on the top right part of the screen. As mentioned earlier, in order to impersonate we have two methods:
Using the Manage --> Impersonate User
Using the Navigation Bar.
However, as far as the previous submission goes, the Navigation bar’s functionality wasn’t complete. The aim of this refactoring is to also fix this and enable the impersonate functionality to work from there as well.
The previous submission broke while trying to use the Navigation bar for impersonation because of the wrong passage of params between the views and controllers. In order to make the impersonate from the Manage --> Impersonate User work, the form that was rendered was the expertiza/app/views/impersonate/start.html.erb. Here, the field filled was :user. And was then checkd for in the impersonate_controller.rb.
However, the Navigation Bar makes use of the :impersonate symbol to pass the impersonated user’s name and other details to the controller, for which no check was included earlier. Thus, there was no way to procure a user from the navigation bar. In the current submission this is fixed by including the following check in the impersonate_controller.rb/check_if_special_char:

The check_if_special_char is a function which checks if the Username entered is valid or not.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], “Username”)
redirect_back
return
end
end
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], “Username”)
redirect_back
return
end
end
end
</pre>
As you can see, in the above code snippet, there is a check for the :impersonate’s params, which earlier was missing(Refer [[#D. check_if_special_char|D. check_if_special_char]])

=== Test Plan ===
The UI testing of this project can be performed on three fronts:

#The normal impersonate functionality from the Manage tab and Revert functionality.
#The impersonate functionality using the navigation bar.
#The anonymized view's impersonate functionality(both from the Manage bar as well as the navigation bar).

You can use the following details of various users to test the heirarchies and the impersonations between them.
{| class="wikitable"
|+ User details
! Hierarchy of user
! User Name to enter

|-
! Super Administrator
| super_administrator2
|-
! Instructor
| intructor6
|-
|-
! TA
| teaching_assistant6753
|-
! Student
| student5890
|-
! Student
| student7609
|-
! Student
| student7610, 7603
|}

To test out the three fronts follow the steps mentioned below under each sub-heading:

======A. Testing Impersonate functionality from the Manage tab and Revert functionality:======

Checking if impersonating a user is working
1. Input: User that can be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "student5890"
Now you will be able to see that user "student5890" has been impersonated.

[[File:imp test 1.jpg| figure 7| frame|center]]
[[File:imp test 2.jpg| figure 8| frame|center]]

[[File:imp test 4.jpg| figure 9| frame|center]]

2. Input: Reverting from impersonated account

We will have the user "student5890" impersonated.
- Press the blue revert button at the top of the window
Now you will have returned to the instructor profile

[[File:imp test 4.jpg| figure 10| frame|center]]
[[File:imp test 8.jpg| figure 11| frame|center]]

3. Input: User that cannot be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "super_administrator2"
Now you will be able to see a message being displayed on the screen, that tells that the given user cannot be impersonated.
[[File:imp test 6.jpg| figure 12| frame|center]]
[[File:imp test 5.jpg| figure 13| frame|center]]

4. Input: User that does not exist
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "studentstudent"
Now you will be able to see a message being displayed on the screen, that tells that the given user does not exist.
[[File:imp test 7.jpg| figure 14| frame|center]]
[[File:imp test 3.jpg| figure 15| frame|center]]

======B. Testing the impersonate functionality from the Navigation Bar:======

In order to perform the following testing:

1. Login as instructor using username: instructor6 and password: password.
2. Go on to the navigation bar on top right of the screen and enter student8598 and click on impersonate.
[[File: nav_bar1.png |1000px|]]

note: The above screenshot was captured after instructor6 impersonated student8597, you can also try to impersonate student8597

[[File: nav_bar2.png |1000px|]]

======C. Testing Anonymized View======
1.Login as instructor using username: instructor6 and password: password.
2.Go to Manage --> Anonymized view

[[File: Enter_anonymized_view.png |1000px|]]

3.Check for impersonate functionality using Manage --> Impersonate User with user account: student8597.

[[File: Manage_impersonate_anon.png |1000px|]]

[[File: manage_impersonated_user-anon.png |1000px|]]

4.Check for impersonate functionality using navigation bar on top right, with user account: student8598.

[[File: bar_anon.png |1000px|]]

[[File: bar_user_pg_anon.png |1000px|]]

=== Testing Functionalities ===

======A. Testing Navigation Bar======
Instructor should be able to impersonate a user while already impersonating a user but from navigation bar.
This test is to ascertain the functionality of the user being able to impersonate another user(obeying hierarchy) through the navigation bar on the top right hand corner. This is to test the rectification of the previous issue, where this functionality was broken. Here, we test the functionality by first logging in as the instructor(id:2) and then first impersonating a student1 using the main menu’s Manage tab. This redirects us to the student1’s page. Now, from the navigation bar, we try to impersonate another student, student2. This test finally checks if the session is true and the parameters are correct.
<pre>
it 'instructor should be able to impersonate a user while already impersonating a user but from nav bar' do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(User).to receive(:find_by).with(name: student2.name).and_return(student2)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(instructor).to receive(:can_impersonate?).with(student2).and_return(true)
request.env["HTTP_REFERER"] = "http://www.example.com"
@params = { user: { name: student1.name } }
@session = { user: instructor }
post :impersonate, @params, @session
# nav bar uses the :impersonate as the param name, so let make sure it always works from there too.
@params = { impersonate: { name: student2.name } }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student2
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end
</pre>

======B. Testing Anonymized User======

<pre>
it ‘instructor should be able to impersonate a user with their anonymized name’ do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(User).to receive(:anonymized_view?).and_return(true)
allow(User).to receive(:real_user_from_anonymized_name).with(“Student30”).and_return(student1)
request.env[“HTTP_REFERER”] = “http://www.example.com”
@params = { user: { name: “Student30" } }
@session = { user: instructor }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student1
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end

</pre>

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-20T01:33:58Z

Skrish28: /* F. Changes made to implement Anonymized View */

This wiki page describes the work done under E2018 OSS Program for Spring 2021, in the CSC/ECE 517 course.

===About Expertiza===

[http://expertiza.ncsu.edu/ Expertiza] is an open-source project based on [http://rubyonrails.org/ Ruby on Rails] framework. Expertiza is a complete instructor-student usage website where the instructor can assign assignments, deadlines, grades, etc that is required for the course. Similarly, the students can use this website to perform the tasks required as part of the course like project or assignments submission, forming groups and collaborating with them, as well as reviewing projects and teammates.

This project focuses on a specific feature of expertiza which allows administrators, instructors or teaching assistants to impersonate another user (like a student) and access their account.
The demonstration for the feature is as shown below.

[[File:Impersonate guide.jpg|figure 1|frame|center]]

[[File:Non impersonate.jpg|figure 2|frame|center]]

[[File:Impersonated view.jpg|figure 3|frame|center]]

===Problem Statement===
Expertiza allows administrators, instructors and Teaching Assistants to impersonate other users like a student. This allows the impersonator to view assignments, deadlines and submissions of other students.
The rules to impersonating a user is, the impersonator has to be an ancestor of the impersonate.
The hierarchy of impersonation is as follow:
super administrator -> Administrator -> Instructor -> Teaching Assistant -> Student
Note: impersonation cannot happen within the same level of hierarchy.
For Example, a Super Administrator can impersonate any user apart from other Super Administrators, an Administrator can impersonate Instructors, TA, Students and not other Admins and so on.
The aim of the project is to refactor the impersonate controller. The pre-existing code had the following major issues.

*All functions related to impersonate controller were present in a single method which is 79 lines long.

*Presence of repetitive code (Around 40 repetitive lines)
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
# Revert to original account
else
if !session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
else
flash[:error] = "No original account was found. Please close your browser and start a new session."
redirect_back
return
end
end
end

</pre>

*Block nesting
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>

* Too many return statements
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
</pre>

*The impersonation can be done by using an impersonate bar which currently does not allow initial impersonation.
[[File:impersonate.jpg]]

This project is focused on resolving the issues mentioned above.

===Impersonate functionality navigation===
1. Instructor login: username -> instructor6, password -> password

when logged in as an instructor, under the manage option in the ribbon as in Figure 1, select impersonate user.
Upon redirected to impersonate page, enter the account which needs to be impersonated. It impersonates that user provided that user can be impersonated. Now a new button called revert appears on the ribbon as in figure 3, this can be used to revert the impersonation and return to the instructor profile.

===Problem Solution===
The above-mentioned issues have been tackled by refactoring the impersonate controller by splitting into many smaller methods which are later called by the main impersonate controller.

The following are the refactored new methods that help in tackling the issue1 apart from each being specifically for some issue rectification:
*check_if_user_impersonateable
*display_error_msg
*overwrite_session
*check_if_special_char
*do_main_operartion

=====A.check_if_user_impersonateable=====
This method plays the main role in tackling issue3 - 3 levels of block nesting apart from issue1.

'''Intial Code'''
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>
''' After recfactoring - Moved to separate method'''
<pre>
def check_if_user_impersonateable
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
if !@original_user.can_impersonate? user
@message = "You cannot impersonate '#{params[:user][:name]}'."
temp
AuthController.clear_user_info(session, nil)
else
overwrite_session
end
else
if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
overwrite_session
end
end
end
</pre>

=====B. display_error_msg=====
This method is used to tackle issues1, 2 and 4. All the error message related code is moved to this method.
<pre>
def display_error_msg
if params[:user]
@message = "No user exists with the name '#{params[:user][:name]}'."
elsif params[:impersonate]
@message = "No user exists with the name '#{params[:impersonate][:name]}'."
else
if params[:impersonate].nil?
@message = "You cannot impersonate '#{params[:user][:name]}'."
else
if !params[:impersonate][:name].empty?
@message = "You cannot impersonate '#{params[:impersonate][:name]}'."
else
@message = "No original account was found. Please close your browser and start a new session."
end
end
end
rescue Exception => e
flash[:error] = @message
redirect_to :back
end
</pre>

=====C.overwrite_session=====
This method reduces the number of return statements used in impersonate controller, apart from reducing the size of the controller.

'''Initial Code'''
<pre>
if params[:impersonate].nil?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:user][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:impersonate][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
</pre>
'''After Refactoring - Moved to a separate method and accessed through the adapter method do_main_operation'''
<pre>
def overwrite_session
#if not impersonatable, then original user's session remains
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = @original_user
session[:impersonate] = true
session[:user] = user
else
#if some user is to be impersonated, their session details are overwritten onto the current to impersonate

if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = @original_user
else
user = User.find_by(name: params[:user][:name])
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
end
end
end
</pre>

=====D. check_if_special_char=====
This code is used to reduce one functionality performed under the impersonate controller. This method checks to see if the given username is acceptable.
<pre>
def check_if_special_char
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
end
</pre>

=====E. do_main_operation=====
This like an adapter method that is used to interface the impersonate method with display_error_msg and check_if_user_impersonatable. One main purpose to do this is to make the methods flexible for change apart from reducing the number of lines from the impersonate controller.
<pre>
def do_main_operation(user)
if user
check_if_user_impersonateable
else
display_error_msg
end
end
</pre>

=====F. Changes made to implement Anonymized View=====
Initially, while using the anonymized view to impersonate the account: student8597, we received the following error.
[[File: anon_without_space_err.png|1000px]]
This occured as the following method was initially splitting the name using
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user_id = anonymized_name.split(' ’)[1]
user = User.find_by(id: user_id)
return user
end
</pre>
Thus while doing the above function, what happens is that the student’s name is searched for a space and the ID is obtained as the numerics after the space, which isn’t the case for our user’s names (eg: student8597). Thus we had to modify this method under app/models/user.rb to the following:
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user = User.find_by(name: anonymized_name)
return user
end
</pre>
In the above code snippet, what we are instead doing is, directly finding the user from the anonymized_name which in the errored case as in the figure above was ’’student8597'’.
Apart from these changes, we also had to include the following statements in various parts of the impersonate_controller.rb file to ensure the the previously written test for anonymous view doesn’t break anywhere.
<pre>
# E1991 : check whether instructor is currently in anonymized view
user = User.anonymized_view?(session[:ip]) ? User.real_user_from_anonymized_name(params[:impersonate][:name]) : user = user = User.find_by(name: params[:impersonate][:name])
</pre>

======G. Changes to fix the broken impersonate Navigation Bar======
The broken part of this refactoring project, as compared to the previous year’s, was the Navigation bar on the top right part of the screen. As mentioned earlier, in order to impersonate we have two methods:
Using the Manage --> Impersonate User
Using the Navigation Bar.
However, as far as the previous submission goes, the Navigation bar’s functionality wasn’t complete. The aim of this refactoring is to also fix this and enable the impersonate functionality to work from there as well.
The previous submission broke while trying to use the Navigation bar for impersonation because of the wrong passage of params between the views and controllers. In order to make the impersonate from the Manage --> Impersonate User work, the form that was rendered was the expertiza/app/views/impersonate/start.html.erb. Here, the field filled was :user. And was then checkd for in the impersonate_controller.rb.
However, the Navigation Bar makes use of the :impersonate symbol to pass the impersonated user’s name and other details to the controller, for which no check was included earlier. Thus, there was no way to procure a user from the navigation bar. In the current submission this is fixed by including the following check in the impersonate_controller.rb/check_if_special_char:

The check_if_special_char is a function which checks if the Username entered is valid or not.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], “Username”)
redirect_back
return
end
end
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], “Username”)
redirect_back
return
end
end
end
</pre>
As you can see, in the above code snippet, there is a check for the :impersonate’s params, which earlier was missing(Refer [[#Section D

=== Test Plan ===
The UI testing of this project can be performed on three fronts:

#The normal impersonate functionality from the Manage tab and Revert functionality.
#The impersonate functionality using the navigation bar.
#The anonymized view's impersonate functionality(both from the Manage bar as well as the navigation bar).

You can use the following details of various users to test the heirarchies and the impersonations between them.
{| class="wikitable"
|+ User details
! Hierarchy of user
! User Name to enter

|-
! Super Administrator
| super_administrator2
|-
! Instructor
| intructor6
|-
|-
! TA
| teaching_assistant6753
|-
! Student
| student5890
|-
! Student
| student7609
|-
! Student
| student7610, 7603
|}

To test out the three fronts follow the steps mentioned below under each sub-heading:

======A. Testing Impersonate functionality from the Manage tab and Revert functionality:======

Checking if impersonating a user is working
1. Input: User that can be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "student5890"
Now you will be able to see that user "student5890" has been impersonated.

[[File:imp test 1.jpg| figure 7| frame|center]]
[[File:imp test 2.jpg| figure 8| frame|center]]

[[File:imp test 4.jpg| figure 9| frame|center]]

2. Input: Reverting from impersonated account

We will have the user "student5890" impersonated.
- Press the blue revert button at the top of the window
Now you will have returned to the instructor profile

[[File:imp test 4.jpg| figure 10| frame|center]]
[[File:imp test 8.jpg| figure 11| frame|center]]

3. Input: User that cannot be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "super_administrator2"
Now you will be able to see a message being displayed on the screen, that tells that the given user cannot be impersonated.
[[File:imp test 6.jpg| figure 12| frame|center]]
[[File:imp test 5.jpg| figure 13| frame|center]]

4. Input: User that does not exist
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "studentstudent"
Now you will be able to see a message being displayed on the screen, that tells that the given user does not exist.
[[File:imp test 7.jpg| figure 14| frame|center]]
[[File:imp test 3.jpg| figure 15| frame|center]]

======B. Testing the impersonate functionality from the Navigation Bar:======

In order to perform the following testing:

1. Login as instructor using username: instructor6 and password: password.
2. Go on to the navigation bar on top right of the screen and enter student8598 and click on impersonate.
[[File: nav_bar1.png |1000px|]]

note: The above screenshot was captured after instructor6 impersonated student8597, you can also try to impersonate student8597

[[File: nav_bar2.png |1000px|]]

======C. Testing Anonymized View======
1.Login as instructor using username: instructor6 and password: password.
2.Go to Manage --> Anonymized view

[[File: Enter_anonymized_view.png |1000px|]]

3.Check for impersonate functionality using Manage --> Impersonate User with user account: student8597.

[[File: Manage_impersonate_anon.png |1000px|]]

[[File: manage_impersonated_user-anon.png |1000px|]]

4.Check for impersonate functionality using navigation bar on top right, with user account: student8598.

[[File: bar_anon.png |1000px|]]

[[File: bar_user_pg_anon.png |1000px|]]

=== Testing Functionalities ===

======A. Testing Navigation Bar======
Instructor should be able to impersonate a user while already impersonating a user but from navigation bar.
This test is to ascertain the functionality of the user being able to impersonate another user(obeying hierarchy) through the navigation bar on the top right hand corner. This is to test the rectification of the previous issue, where this functionality was broken. Here, we test the functionality by first logging in as the instructor(id:2) and then first impersonating a student1 using the main menu’s Manage tab. This redirects us to the student1’s page. Now, from the navigation bar, we try to impersonate another student, student2. This test finally checks if the session is true and the parameters are correct.
<pre>
it 'instructor should be able to impersonate a user while already impersonating a user but from nav bar' do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(User).to receive(:find_by).with(name: student2.name).and_return(student2)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(instructor).to receive(:can_impersonate?).with(student2).and_return(true)
request.env["HTTP_REFERER"] = "http://www.example.com"
@params = { user: { name: student1.name } }
@session = { user: instructor }
post :impersonate, @params, @session
# nav bar uses the :impersonate as the param name, so let make sure it always works from there too.
@params = { impersonate: { name: student2.name } }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student2
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end
</pre>

======B. Testing Anonymized User======

<pre>
it ‘instructor should be able to impersonate a user with their anonymized name’ do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(User).to receive(:anonymized_view?).and_return(true)
allow(User).to receive(:real_user_from_anonymized_name).with(“Student30”).and_return(student1)
request.env[“HTTP_REFERER”] = “http://www.example.com”
@params = { user: { name: “Student30" } }
@session = { user: instructor }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student1
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end

</pre>

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-20T01:30:15Z

Skrish28: /* F. Changes made to implement Anonymized View */

This wiki page describes the work done under E2018 OSS Program for Spring 2021, in the CSC/ECE 517 course.

===About Expertiza===

[http://expertiza.ncsu.edu/ Expertiza] is an open-source project based on [http://rubyonrails.org/ Ruby on Rails] framework. Expertiza is a complete instructor-student usage website where the instructor can assign assignments, deadlines, grades, etc that is required for the course. Similarly, the students can use this website to perform the tasks required as part of the course like project or assignments submission, forming groups and collaborating with them, as well as reviewing projects and teammates.

This project focuses on a specific feature of expertiza which allows administrators, instructors or teaching assistants to impersonate another user (like a student) and access their account.
The demonstration for the feature is as shown below.

[[File:Impersonate guide.jpg|figure 1|frame|center]]

[[File:Non impersonate.jpg|figure 2|frame|center]]

[[File:Impersonated view.jpg|figure 3|frame|center]]

===Problem Statement===
Expertiza allows administrators, instructors and Teaching Assistants to impersonate other users like a student. This allows the impersonator to view assignments, deadlines and submissions of other students.
The rules to impersonating a user is, the impersonator has to be an ancestor of the impersonate.
The hierarchy of impersonation is as follow:
super administrator -> Administrator -> Instructor -> Teaching Assistant -> Student
Note: impersonation cannot happen within the same level of hierarchy.
For Example, a Super Administrator can impersonate any user apart from other Super Administrators, an Administrator can impersonate Instructors, TA, Students and not other Admins and so on.
The aim of the project is to refactor the impersonate controller. The pre-existing code had the following major issues.

*All functions related to impersonate controller were present in a single method which is 79 lines long.

*Presence of repetitive code (Around 40 repetitive lines)
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
# Revert to original account
else
if !session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
else
flash[:error] = "No original account was found. Please close your browser and start a new session."
redirect_back
return
end
end
end

</pre>

*Block nesting
<pre>
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
# E1991 : check whether instructor is currently in anonymized view
if User.anonymized_view?(session[:ip])
# get real name when instructor is in anonymized view
user = User.real_user_from_anonymized_name(params[:impersonate][:name])
else
user = User.find_by(name: params[:impersonate][:name])
end
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>

* Too many return statements
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
</pre>

*The impersonation can be done by using an impersonate bar which currently does not allow initial impersonation.
[[File:impersonate.jpg]]

This project is focused on resolving the issues mentioned above.

===Impersonate functionality navigation===
1. Instructor login: username -> instructor6, password -> password

when logged in as an instructor, under the manage option in the ribbon as in Figure 1, select impersonate user.
Upon redirected to impersonate page, enter the account which needs to be impersonated. It impersonates that user provided that user can be impersonated. Now a new button called revert appears on the ribbon as in figure 3, this can be used to revert the impersonation and return to the instructor profile.

===Problem Solution===
The above-mentioned issues have been tackled by refactoring the impersonate controller by splitting into many smaller methods which are later called by the main impersonate controller.

The following are the refactored new methods that help in tackling the issue1 apart from each being specifically for some issue rectification:
*check_if_user_impersonateable
*display_error_msg
*overwrite_session
*check_if_special_char
*do_main_operartion

=====A.check_if_user_impersonateable=====
This method plays the main role in tackling issue3 - 3 levels of block nesting apart from issue1.

'''Intial Code'''
<pre>
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
</pre>
''' After recfactoring - Moved to separate method'''
<pre>
def check_if_user_impersonateable
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
if !@original_user.can_impersonate? user
@message = "You cannot impersonate '#{params[:user][:name]}'."
temp
AuthController.clear_user_info(session, nil)
else
overwrite_session
end
else
if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
overwrite_session
end
end
end
</pre>

=====B. display_error_msg=====
This method is used to tackle issues1, 2 and 4. All the error message related code is moved to this method.
<pre>
def display_error_msg
if params[:user]
@message = "No user exists with the name '#{params[:user][:name]}'."
elsif params[:impersonate]
@message = "No user exists with the name '#{params[:impersonate][:name]}'."
else
if params[:impersonate].nil?
@message = "You cannot impersonate '#{params[:user][:name]}'."
else
if !params[:impersonate][:name].empty?
@message = "You cannot impersonate '#{params[:impersonate][:name]}'."
else
@message = "No original account was found. Please close your browser and start a new session."
end
end
end
rescue Exception => e
flash[:error] = @message
redirect_to :back
end
</pre>

=====C.overwrite_session=====
This method reduces the number of return statements used in impersonate controller, apart from reducing the size of the controller.

'''Initial Code'''
<pre>
if params[:impersonate].nil?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:user][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = original_user
session[:impersonate] = true
session[:user] = user
else
flash[:error] = message
redirect_back
return
end
else
# Impersonate a new account
if !params[:impersonate][:name].empty?
# check if special chars /\?<>|&$# are used to avoid html tags or system command
if warn_for_special_chars(params[:impersonate][:name], "Username")
redirect_back
return
end
user = User.find_by(name: params[:impersonate][:name])
if user
unless original_user.can_impersonate? user
flash[:error] = "You cannot impersonate #{params[:user][:name]}."
redirect_back
return
end
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = original_user
else
flash[:error] = message
redirect_back
return
end
</pre>
'''After Refactoring - Moved to a separate method and accessed through the adapter method do_main_operation'''
<pre>
def overwrite_session
#if not impersonatable, then original user's session remains
if params[:impersonate].nil?
user = User.find_by(name: params[:user][:name])
session[:super_user] = session[:user] if session[:super_user].nil?
AuthController.clear_user_info(session, nil)
session[:original_user] = @original_user
session[:impersonate] = true
session[:user] = user
else
#if some user is to be impersonated, their session details are overwritten onto the current to impersonate

if !params[:impersonate][:name].empty?
user = User.find_by(name: params[:impersonate][:name])
AuthController.clear_user_info(session, nil)
session[:user] = user
session[:impersonate] = true
session[:original_user] = @original_user
else
user = User.find_by(name: params[:user][:name])
AuthController.clear_user_info(session, nil)
session[:user] = session[:super_user]
user = session[:user]
session[:super_user] = nil
end
end
end
</pre>

=====D. check_if_special_char=====
This code is used to reduce one functionality performed under the impersonate controller. This method checks to see if the given username is acceptable.
<pre>
def check_if_special_char
if warn_for_special_chars(params[:user][:name], "Username")
redirect_back
return
end
end
</pre>

=====E. do_main_operation=====
This like an adapter method that is used to interface the impersonate method with display_error_msg and check_if_user_impersonatable. One main purpose to do this is to make the methods flexible for change apart from reducing the number of lines from the impersonate controller.
<pre>
def do_main_operation(user)
if user
check_if_user_impersonateable
else
display_error_msg
end
end
</pre>

=====F. Changes made to implement Anonymized View=====
Initially, while using the anonymized view to impersonate the account: student8597, we received the following error.
[[File: anon_without_space_err.png|1000px]]
This occured as the following method was initially splitting the name using
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user_id = anonymized_name.split(' ’)[1]
user = User.find_by(id: user_id)
return user
end
</pre>
Thus while doing the above function, what happens is that the student’s name is searched for a space and the ID is obtained as the numerics after the space, which isn’t the case for our user’s names (eg: student8597). Thus we had to modify this method under app/models/user.rb to the following:
<pre>
def self.real_user_from_anonymized_name(anonymized_name)
user = User.find_by(name: anonymized_name)
return user
end
</pre>
In the above code snippet, what we are instead doing is, directly finding the user from the anonymized_name which in the errored case as in the figure above was ’’student8597'’.
Apart from these changes, we also had to include the following statements in various parts of the impersonate_controller.rb file to ensure the the previously written test for anonymous view doesn’t break anywhere.
<pre>
# E1991 : check whether instructor is currently in anonymized view
user = User.anonymized_view?(session[:ip]) ? User.real_user_from_anonymized_name(params[:impersonate][:name]) : user = user = User.find_by(name: params[:impersonate][:name])
</pre>

======G. Changes to fix the broken impersonate Navigation Bar======
The broken part of this refactoring project, as compared to the previous year’s, was the Navigation bar on the top right part of the screen. As mentioned earlier, in order to impersonate we have two methods:
Using the Manage --> Impersonate User
Using the Navigation Bar.
However, as far as the previous submission goes, the Navigation bar’s functionality wasn’t complete. The aim of this refactoring is to also fix this and enable the impersonate functionality to work from there as well.
The previous submission broke while trying to use the Navigation bar for impersonation because of the wrong passage of params between the views and controllers. In order to make the impersonate from the Manage --> Impersonate User work, the form that was rendered was the expertiza/app/views/impersonate/start.html.erb. Here, the field filled was :user. And was then checkd for in the impersonate_controller.rb.
However, the Navigation Bar makes use of the :impersonate symbol to pass the impersonated user’s name and other details to the controller, for which no check was included earlier. Thus, there was no way to procure a user from the navigation bar. In the current submission this is fixed by including the following check in the impersonate_controller.rb/check_if_special_char:

The check_if_special_char is a function which checks if the Username entered is valid or not.
<pre>
def check_if_special_char
if params[:user]
if warn_for_special_chars(params[:user][:name], “Username”)
redirect_back
return
end
end
if params[:impersonate]
if warn_for_special_chars(params[:impersonate][:name], “Username”)
redirect_back
return
end
end
end
</pre>
As you can see, in the above code snippet, there is a check for the :impersonate’s params, which earlier was missing(Refer part C of this section).

=== Test Plan ===
The UI testing of this project can be performed on three fronts:

#The normal impersonate functionality from the Manage tab and Revert functionality.
#The impersonate functionality using the navigation bar.
#The anonymized view's impersonate functionality(both from the Manage bar as well as the navigation bar).

You can use the following details of various users to test the heirarchies and the impersonations between them.
{| class="wikitable"
|+ User details
! Hierarchy of user
! User Name to enter

|-
! Super Administrator
| super_administrator2
|-
! Instructor
| intructor6
|-
|-
! TA
| teaching_assistant6753
|-
! Student
| student5890
|-
! Student
| student7609
|-
! Student
| student7610, 7603
|}

To test out the three fronts follow the steps mentioned below under each sub-heading:

======A. Testing Impersonate functionality from the Manage tab and Revert functionality:======

Checking if impersonating a user is working
1. Input: User that can be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "student5890"
Now you will be able to see that user "student5890" has been impersonated.

[[File:imp test 1.jpg| figure 7| frame|center]]
[[File:imp test 2.jpg| figure 8| frame|center]]

[[File:imp test 4.jpg| figure 9| frame|center]]

2. Input: Reverting from impersonated account

We will have the user "student5890" impersonated.
- Press the blue revert button at the top of the window
Now you will have returned to the instructor profile

[[File:imp test 4.jpg| figure 10| frame|center]]
[[File:imp test 8.jpg| figure 11| frame|center]]

3. Input: User that cannot be impersonated
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "super_administrator2"
Now you will be able to see a message being displayed on the screen, that tells that the given user cannot be impersonated.
[[File:imp test 6.jpg| figure 12| frame|center]]
[[File:imp test 5.jpg| figure 13| frame|center]]

4. Input: User that does not exist
- Login as the instructor (username -> instructor6 , password -> password
- Under "Manage" tab, select "impersonate user" option
- In the form, give the user ID as "studentstudent"
Now you will be able to see a message being displayed on the screen, that tells that the given user does not exist.
[[File:imp test 7.jpg| figure 14| frame|center]]
[[File:imp test 3.jpg| figure 15| frame|center]]

======B. Testing the impersonate functionality from the Navigation Bar:======

In order to perform the following testing:

1. Login as instructor using username: instructor6 and password: password.
2. Go on to the navigation bar on top right of the screen and enter student8598 and click on impersonate.
[[File: nav_bar1.png |1000px|]]

note: The above screenshot was captured after instructor6 impersonated student8597, you can also try to impersonate student8597

[[File: nav_bar2.png |1000px|]]

======C. Testing Anonymized View======
1.Login as instructor using username: instructor6 and password: password.
2.Go to Manage --> Anonymized view

[[File: Enter_anonymized_view.png |1000px|]]

3.Check for impersonate functionality using Manage --> Impersonate User with user account: student8597.

[[File: Manage_impersonate_anon.png |1000px|]]

[[File: manage_impersonated_user-anon.png |1000px|]]

4.Check for impersonate functionality using navigation bar on top right, with user account: student8598.

[[File: bar_anon.png |1000px|]]

[[File: bar_user_pg_anon.png |1000px|]]

=== Testing Functionalities ===

======A. Testing Navigation Bar======
Instructor should be able to impersonate a user while already impersonating a user but from navigation bar.
This test is to ascertain the functionality of the user being able to impersonate another user(obeying hierarchy) through the navigation bar on the top right hand corner. This is to test the rectification of the previous issue, where this functionality was broken. Here, we test the functionality by first logging in as the instructor(id:2) and then first impersonating a student1 using the main menu’s Manage tab. This redirects us to the student1’s page. Now, from the navigation bar, we try to impersonate another student, student2. This test finally checks if the session is true and the parameters are correct.
<pre>
it 'instructor should be able to impersonate a user while already impersonating a user but from nav bar' do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(User).to receive(:find_by).with(name: student2.name).and_return(student2)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(instructor).to receive(:can_impersonate?).with(student2).and_return(true)
request.env["HTTP_REFERER"] = "http://www.example.com"
@params = { user: { name: student1.name } }
@session = { user: instructor }
post :impersonate, @params, @session
# nav bar uses the :impersonate as the param name, so let make sure it always works from there too.
@params = { impersonate: { name: student2.name } }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student2
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end
</pre>

======B. Testing Anonymized User======

<pre>
it ‘instructor should be able to impersonate a user with their anonymized name’ do
allow(User).to receive(:find_by).with(name: student1.name).and_return(student1)
allow(instructor).to receive(:can_impersonate?).with(student1).and_return(true)
allow(User).to receive(:anonymized_view?).and_return(true)
allow(User).to receive(:real_user_from_anonymized_name).with(“Student30”).and_return(student1)
request.env[“HTTP_REFERER”] = “http://www.example.com”
@params = { user: { name: “Student30" } }
@session = { user: instructor }
post :impersonate, @params, @session
expect(session[:super_user]).to eq instructor
expect(session[:user]).to eq student1
expect(session[:original_user]).to eq instructor
expect(session[:impersonate]).to be true
end

</pre>

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-19T23:41:57Z

Skrish28: /* Test Plan */

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-19T23:40:11Z

Skrish28: /* Test Plan */

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-19T23:39:53Z

Skrish28: /* Test Plan */

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-19T23:39:36Z

Skrish28: /* Test Plan */

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-19T23:36:55Z

Skrish28: /* Test Plan */

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-19T23:35:41Z

Skrish28: /* Test Plan */

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-19T23:19:40Z

Skrish28: /* Test Plan */

CSE/ECE 517 Spring 2021 - E2108. Impersonate controller.rb

2021-03-19T22:50:30Z

Skrish28: /* Test Plan */

CSC/ECE 517 Spring 2021/E2108.Impersonate controller.rb

2021-03-19T15:22:40Z

Skrish28:

Hi, '''Bold''' we are creating this!
<pre>
<blockquote>
print('Hi!')
</blockquote>
</pre>

CSC/ECE 517 Spring 2021/E2108.Impersonate controller.rb

2021-03-19T15:22:18Z

Skrish28:

Hi, '''Bold''' we are creating this!
<pre>
'''print('Hi!')'''
</pre>

CSC/ECE 517 Spring 2021/E2108.Impersonate controller.rb

2021-03-19T15:22:05Z

Skrish28:

Hi, '''Bold''' we are creating this!
<pre>
print('Hi!')
</pre>

CSC/ECE 517 Spring 2021/E2108.Impersonate controller.rb

2021-03-19T15:21:42Z

Skrish28:

Hi, '''Bold''' we are creating this!

CSC/ECE 517 Spring 2021

2021-03-19T14:14:09Z

Skrish28: /* OSS Projects */

== OSS Projects ==
* [[CSC/ECE 517 Spring 2021 - E2100. Tagging report for students]]
* [[CSC/ECE 517 Spring 2021 - E2106. Fix view in student_task/list page]]
* [[CSC/ECE 517 Spring 2021 - E2103. Refactor response_controller.rb]]
* [[CSC/ECE 517 Spring 2021 - E2107. Refactor grades_controller.rb]]
* [[CSC/ECE 517 Spring 2021 - E2102. Refactor quiz_questionnaires_controller.rb]]
* [[CSE/ECE 517 Spring 2021 - E2108. Impersonate_controller.rb]]

CSC/ECE 517 Spring 2021/E2108.Impersonate controller.rb

2021-03-19T14:09:59Z

Skrish28: Created page with "Hi, we are creating this!"

Hi, we are creating this!