CSC/ECE 517 Fall 2019 - E1957. Time travel Not Allowed..!!! Restrict TAs’ ability to change their own grade + limit file-size upload: Difference between revisions

Revision as of 17:01, 27 October 2019

This wiki page describes the Expertiza-based OSS project E1957.

Introduction

Background

  • In Expertiza, if a user is listed as a TA in one course and as a student in another course, then when they navigate to the "Your scores" page of one of the assignments in which they participate as a student, they see a TA's view of that page. This would allow them to assign their own grades! A TA must not be able to change their own grades from a course in which they earlier participated as a student.
  • A student can upload files with their submission. In some cases, students upload long videos that are not necessary for the submission. Because there is no restriction on the files being uploaded, this is a security issue in Expertiza: the size and type of uploaded files should be restricted, since a student could also upload malware that affects the system.
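The second item above asks for a limit on the size and type of uploaded files. The following is an added illustration of such a check, not Expertiza code (the project's own solution for this part is not recorded on this page): it enforces a maximum byte size and an allowlist of file types, and it does not trust the client-supplied filename alone but also inspects the leading bytes of the content. The 5 MiB cap, the allowlist and the sample inputs are assumptions constructed for the example.

```ruby
# Added example (not Expertiza code): validate a submission upload by size and type.
MAX_UPLOAD_BYTES = 5 * 1024 * 1024 # assumed 5 MiB cap

# extension => acceptable leading byte signatures ("magic numbers");
# nil means "no signature, check that the content looks like plain text"
ALLOWED_TYPES = {
  'pdf' => ["%PDF-".b],
  'png' => ["\x89PNG\r\n\x1a\n".b],
  'zip' => ["PK\x03\x04".b, "PK\x05\x06".b],
  'txt' => nil
}.freeze

UploadCheck = Struct.new(:ok, :reason)

def extension_of(filename)
  File.extname(filename.to_s).delete_prefix('.').downcase
end

# Plain text has no signature: reject NUL bytes and invalid UTF-8 instead.
def text_like?(bytes)
  !bytes.include?("\x00".b) && bytes.dup.force_encoding('UTF-8').valid_encoding?
end

# Returns an UploadCheck; the caller should refuse the upload when ok is false.
def validate_upload(filename, content)
  bytes = content.b
  return UploadCheck.new(false, 'empty file') if bytes.empty?
  if bytes.bytesize > MAX_UPLOAD_BYTES
    return UploadCheck.new(false, "file exceeds #{MAX_UPLOAD_BYTES} bytes")
  end

  ext = extension_of(filename)
  return UploadCheck.new(false, "extension '#{ext}' not allowed") unless ALLOWED_TYPES.key?(ext)

  signatures = ALLOWED_TYPES[ext]
  if signatures.nil?
    return UploadCheck.new(false, 'content is not plain text') unless text_like?(bytes)
  elsif signatures.none? { |sig| bytes.start_with?(sig) }
    # Extension says one thing, content says another: refuse rather than guess.
    return UploadCheck.new(false, "content does not match a .#{ext} file")
  end
  UploadCheck.new(true, nil)
end

# Constructed sample calls
puts validate_upload('report.pdf', "%PDF-1.4 sample").inspect
puts validate_upload('video.mp4', "\x00\x00\x00\x18ftypmp42").inspect
```

A signature match only tells you the bytes are shaped like the claimed type; an archive or document can still carry unwanted content, so the allowlist and size cap are a first filter, not a malware scanner, and both must be enforced on the server rather than in the browser.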

Description

Account: student7126 Password: 123456

Spring 2017   Course: 517   Role: student
Fall 2017     Course: 517   Role: TA

You must log in as student7126 directly; impersonating the user from an instructor account will not work, since impersonation does not change the current user id to the student's user id.

Design Pattern

design pattern

Restrict TAs’ ability to change their own grade

Solution

When a TA is added to a course, a TaMapping is created that links the TA's user id to the course id. Therefore, we can call TaMapping.where with the user's id and the course's id and apply the .empty? method to the result to see whether that user is a TA of the course. If they are a TA of this course, they should be able to change the score. Otherwise, the score-changing area should be hidden in the front end, and the permission to change scores should also be denied on the back end.

Files modified

  • view_team.html.erb
<%if TaMapping.where(ta_id:current_user.id, course_id:@assignment.course.id).empty? && current_user.role.name != 'Instructor' %>
  Grade: <%= label_tag 'grade_for_submission', @team.try(:grade_for_submission) %><br/>
  Comment: <%= label_tag 'comment_for_submission', @team.try(:comment_for_submission) %>
<% else %>
  <%= form_tag 'save_grade_and_comment_for_submission' do %>
    <%= hidden_field_tag :participant_id, params[:id] %>
    <%= number_field_tag 'grade_for_submission', @team.try(:grade_for_submission) ,min: 0, max: 100, maxlength: 3, size: 3, class: "form-control width-150", placeholder: 'Grade' %><br/>
    <%= text_area_tag 'comment_for_submission', @team.try(:comment_for_submission), size: '75x10', placeholder: 'Comment', class: "form-control width-500" %><br>
    <%= submit_tag 'Save' ,class: "btn btn-default" %>
  <% end %>
<% end %>

A condition is added to decide what the view should look like. If the user is a TA of this course or an instructor, they can change the score. Otherwise, they do not have permission to change the score.

  • grades_controller.rb
def save_grade_and_comment_for_submission
  # Look up the participant first: both branches below redirect using participant.id
  participant = AssignmentParticipant.find_by(id: params[:participant_id])
  # Server-side check (assumes @assignment has already been loaded for this request):
  # only a TA mapped to this course or an instructor may save a grade.
  if TaMapping.where(ta_id: current_user.id, course_id: @assignment.course.id).empty? && current_user.role.name != 'Instructor'
    flash[:error] = 'Unauthorized action!'
    redirect_to controller: 'grades', action: 'view_team', id: participant.id
  else
    @team = participant.team
    @team.grade_for_submission = params[:grade_for_submission]
    @team.comment_for_submission = params[:comment_for_submission]
    begin
      @team.save
      flash[:success] = 'Grade and comment for submission successfully saved.'
    rescue StandardError
      flash[:error] = $ERROR_INFO # English-library alias for $!, the rescued exception
    end
    redirect_to controller: 'grades', action: 'view_team', id: participant.id
  end
end

The function in GradesController that should be modified is save_grade_and_comment_for_submission. A condition is added to check the user's role. The grade and comment can be saved only if the user is a TA or an instructor of that course. Otherwise, an error is flashed and the page is redirected to the view_team page.
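To make the rule behind both the view condition and the controller check concrete, here is an added example that is not Expertiza code: plain Ruby Structs stand in for the ActiveRecord models (User, Course, Assignment, TaMapping), and the sample data reproduces the scenario from the Description section, where student7126 is a TA for Fall 2017 but a student in Spring 2017. The same decision function backs both the read-only view and the server-side refusal, so hiding the form is never the only barrier.

```ruby
# Added example (not Expertiza code): the TaMapping-based authorization rule.
# Structs are stand-ins for the Rails models; ids and names are constructed.
User       = Struct.new(:id, :role_name)
Course     = Struct.new(:id, :name)
Assignment = Struct.new(:id, :course)
TaMapping  = Struct.new(:ta_id, :course_id)

# Constructed sample data mirroring the page's scenario
STUDENT7126 = User.new(7126, 'Student')
INSTRUCTOR  = User.new(1, 'Instructor')
SPRING_517  = Course.new(10, 'CSC 517 Spring 2017')
FALL_517    = Course.new(11, 'CSC 517 Fall 2017')
SPRING_ASSIGNMENT = Assignment.new(100, SPRING_517)
FALL_ASSIGNMENT   = Assignment.new(101, FALL_517)
TA_MAPPINGS = [TaMapping.new(7126, FALL_517.id)] # TA only for the Fall section

# Stand-in for: !TaMapping.where(ta_id: user.id, course_id: course.id).empty?
def ta_of_course?(user, course, mappings = TA_MAPPINGS)
  mappings.any? { |m| m.ta_id == user.id && m.course_id == course.id }
end

# The page's rule: instructors always may; TAs only for courses they are mapped
# to; anyone else, including a TA acting as a student elsewhere, may not.
def can_edit_grade?(user, assignment, mappings = TA_MAPPINGS)
  return true if user.role_name == 'Instructor'
  ta_of_course?(user, assignment.course, mappings)
end

# Server-side enforcement: refuse before touching the record. Returns a hash
# standing in for the flash + redirect the controller would perform.
def save_grade(user, assignment, team, grade, comment, mappings = TA_MAPPINGS)
  unless can_edit_grade?(user, assignment, mappings)
    return { ok: false, error: 'Unauthorized action!' }
  end
  team[:grade_for_submission] = grade
  team[:comment_for_submission] = comment
  { ok: true, team: team }
end

# Constructed sample calls: the "time travel" attempt is refused, the legitimate one is not
puts save_grade(STUDENT7126, SPRING_ASSIGNMENT, {}, 100, 'my own A').inspect
puts save_grade(STUDENT7126, FALL_ASSIGNMENT, {}, 95, 'good work').inspect
```

The view template on this page tests the negated form of the same condition to decide whether to render labels or the form; keeping the decision in one function, as can_edit_grade? does here, avoids the two copies drifting apart.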

TA's time travel not allowed

[Figure: Student7126 View His Score.png]

Limit file-size/type upload

[Figure: File size.jpg]


Solution

Files modified

Testing using RSPEC