E1842 Issues Related To Participants
Revision as of 21:38, 3 November 2018
Introduction
Problem Statement
In Expertiza, an instructor is responsible for adding participants to a course or assignment, which makes the course material available to the participant (the student). Because the instructor has administrative rights over the course, the instructor is also able to impersonate a participant. This creates a few problems, which this project addresses.
Issues to be fixed
Issues as described by the problem statement:
Issue #536
Once an instructor impersonates a participant, he or she can access all of that participant's work, irrespective of course or assignment. This is a serious security concern. The suggested solution is to restrict the instructor to viewing only work belonging to his or her own courses.
Issue #1185
After adding a participant, the page has to be manually refreshed to show the name of the participant on the list. This creates a bad user experience and needs to be fixed.
Modified Files
1) app/controllers/auth_controller.rb
2) app/controllers/impersonate_controller.rb
3) app/controllers/student_task_controller.rb
4) app/views/participants/add.js.erb
5) app/views/participants/_participant.html.erb
6) app/views/shared_scripts/_user_list.html.erb
Approach taken to resolve the issues
Issue #536
Once an instructor or teaching assistant impersonates a participant, he or she can access all of that participant's assignments irrespective of course, which is a serious security concern. Ideally the system should display only those assignments for which the impersonating user is the instructor or a teaching assistant.
This issue was fixed by modifying the existing data-filtering and session/role-handling code.
1. Impersonation and Session Handling:
Setting and resetting of all session data associated with impersonation is handled in auth_controller.rb.
i] After login, session[:impersonate] is set to false by default.
```ruby
session[:impersonate] = false
```
ii] When an instructor or TA impersonates a student, the following steps are performed.
a) The instructor/TA record is saved in a session variable so that it can be restored when he or she switches back to the original role; the same value is used during data filtering.
```ruby
original_user = session[:super_user] || session[:user]
session[:original_user] = original_user
```
b) The impersonate flag is set to true and the session's user variable is set to the impersonated student.
```ruby
session[:impersonate] = true
session[:user] = user
```
iii] All impersonation session data is cleared when the user logs out.
```ruby
session[:original_user] = nil
session[:impersonate] = nil
```
2. Data Filtering:
The logged-in user's role and the impersonation status are used to filter the data that populates the assignment list.
This is implemented in student_task_controller.rb (impersonating_as_admin?, called below, is not reproduced on this page):
```ruby
# Check whether the original (pre-impersonation) user is a TA
def impersonating_as_ta?
  original_user = session[:original_user]
  ta_role = Role.where(name: ['Teaching Assistant']).pluck(:id)
  ta_role.include? original_user.role_id
end

# Filter and populate all the relevant data
def list
  redirect_to(controller: 'eula', action: 'display') if current_user.is_new_user
  session[:user] = User.find_by(id: current_user.id)
  @student_tasks = StudentTask.from_user current_user
  if session[:impersonate] && !impersonating_as_admin?
    # keep only tasks whose assignment was created by the original user
    @student_tasks = @student_tasks.select { |t| session[:original_user].id == t.assignment.instructor_id }
    if impersonating_as_ta?
      # TA: further restrict to courses the TA is mapped to
      ta_course_ids = TaMapping.where(ta_id: session[:original_user].id).pluck(:course_id)
      @student_tasks = @student_tasks.select { |t| ta_course_ids.include? t.assignment.course_id }
    else
      # instructor: further restrict to courses the original user teaches
      @student_tasks = @student_tasks.select { |t| session[:original_user].id == t.assignment.course.instructor_id }
    end
  end
end
```
Note that the first select already keeps only tasks whose assignment instructor_id is the original user, so the TA and instructor branches can only narrow that set further: a TA sees a course's assignments only where he or she is also recorded as the assignment's instructor, and an instructor sees only assignments he or she created in his or her own courses. Admin impersonation is left unfiltered.
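The session handling and scoping rule described above, as a stand-alone Ruby example added here (it is not Expertiza code): only ids are kept in the session, the impersonating user must hold a privileged role, and the visible assignments are scoped by who is really logged in. The users, courses, assignments and TA mapping are constructed to mirror the test plan below, and the instructor rule (own assignment or own course) is this example's choice, broader than the project's first filter.

```ruby
# Added example, not Expertiza project code. An in-memory model of the
# Issue #536 rule: a privileged user impersonating a student sees only the
# student's assignments that fall under that user's own courses.
# All users, courses, assignments and TA mappings below are constructed here.

Role       = Struct.new(:id, :name)
User       = Struct.new(:id, :login, :role_id)
Course     = Struct.new(:id, :name, :instructor_id)
Assignment = Struct.new(:id, :name, :course_id, :instructor_id)
TaMapping  = Struct.new(:ta_id, :course_id)

ROLES = {
  1 => Role.new(1, 'Student'),
  2 => Role.new(2, 'Teaching Assistant'),
  3 => Role.new(3, 'Instructor'),
  4 => Role.new(4, 'Administrator')
}
# Roles allowed to use Manage -> Impersonate User (assumption for this example)
PRIVILEGED_ROLES = ['Teaching Assistant', 'Instructor', 'Administrator']

USERS = {
  1    => User.new(1,    'admin',                 4),
  4    => User.new(4,    'Instructor4',           3),
  6    => User.new(6,    'Instructor6',           3),
  1274 => User.new(1274, 'TeachingAssistant1274', 2),
  6400 => User.new(6400, 'student6400',           1)
}
COURSES = {
  517 => Course.new(517, 'Course 517, Spring 2016', 6),
  617 => Course.new(617, 'Course 617, Spring 2016', 4)
}
ASSIGNMENTS = [
  Assignment.new(1, 'Assignment_Instructor4', 617, 4),
  Assignment.new(2, 'Assignment_Instructor6', 517, 6),
  Assignment.new(3, 'TA_Assignment',          517, 1274) # created by the TA
]
PARTICIPATIONS = { 6400 => [1, 2, 3] } # student6400 is in all three
TA_MAPPINGS = [TaMapping.new(1274, 517)]

def role_name(user)
  ROLES.fetch(user.role_id).name
end

def privileged?(user)
  PRIVILEGED_ROLES.include?(role_name(user))
end

# Begin impersonation. Only ids go into the session, and the real login is
# remembered so it can be restored and used for scoping.
def impersonate!(session, target_id)
  actor = USERS.fetch(session[:user_id])
  raise "#{actor.login} is not allowed to impersonate" unless privileged?(actor)
  session[:original_user_id] = session[:super_user_id] || session[:user_id]
  session[:impersonate] = true
  session[:user_id] = target_id
  session
end

# Switch back to the original login and clear the impersonation state.
def revert_impersonation!(session)
  session[:user_id] = session.delete(:original_user_id)
  session[:impersonate] = false
  session
end

# Ids of the assignments this session may list for the effective user.
# Outside impersonation the student sees everything he or she is enrolled in.
def visible_assignment_ids(session)
  enrolled = PARTICIPATIONS.fetch(session[:user_id], [])
  tasks = ASSIGNMENTS.select { |a| enrolled.include?(a.id) }
  return tasks.map(&:id) unless session[:impersonate]

  original = USERS.fetch(session[:original_user_id])
  scoped =
    case role_name(original)
    when 'Administrator'
      tasks
    when 'Teaching Assistant'
      ta_course_ids = TA_MAPPINGS.select { |m| m.ta_id == original.id }.map(&:course_id)
      tasks.select { |a| ta_course_ids.include?(a.course_id) }
    else
      # instructor: own assignments, or assignments in a course he or she teaches
      tasks.select do |a|
        a.instructor_id == original.id || COURSES.fetch(a.course_id).instructor_id == original.id
      end
    end
  scoped.map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  session = impersonate!({ user_id: 6 }, 6400)
  puts "Instructor6 impersonating student6400 sees assignments #{visible_assignment_ids(session).inspect}"
  revert_impersonation!(session)
  puts "back to user #{session[:user_id]}"
end
```

Keeping only ids in the session (rather than the whole user record, as the project code does) avoids serialising model objects into the session store and keeps the original user's role lookup on the server side at request time.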
Issue #1185
The user (instructor, TA or admin) clicks the Add button on the course or assignment page to add a new participant. On click, the browser sends an AJAX request and receives HTML representing the success or failure of the action. The failure case was already handled: an error message appears at the top of the page. On success, it was observed that although the response contained the HTML for a new table row (the just-added participant), it was not being appended correctly to the page's DOM. This is fixed by giving the table element an id and appending the new row to its tbody element. After appending, the Submit button that is part of the new row must also be functional, so a change listener is attached to the new row's control (in add.js.erb) which makes the row's button fully visible.
In app/views/shared_scripts/_user_list.html.erb the table is given an id:
```erb
<table id="table_list" class="table table-striped" style="font-size: 15px">
```
In app/views/participants/add.js.erb the returned row is appended to that table's tbody and the row's control is wired up (the rendered partial is passed through the j escape helper so it is safe inside the JavaScript string):
```erb
$("#table_list").find("tbody").append(
  "<%= j render :partial => 'participant', :locals => {participant: @participant, :userid => @participant.user_id, :controller => 'participants'} %>"
);
// student_id holds the new participant's user id (its assignment is not reproduced on this page)
$('#'.concat(student_id.toString())).change(function () {
  $('#button'.concat(student_id.toString())).css("opacity", 1);
});
```
Test Plan
Issue #536
1) Log in as Instructor4. Add a new assignment Assignment_Instructor4 under the course Course 617, Spring 2016.
2) Make student6400 a participant of that assignment and log out.
3) Log in as Instructor6. Add a new assignment Assignment_Instructor6 under the course Course 517, Spring 2016.
4) Make student6400 a participant of that assignment.
5) Click on Manage -> Impersonate User and enter student6400 as the user to be impersonated.
6) After impersonation, Instructor6 can see only his or her own assignment details and not those of any other instructor.
7) Log out. The same check is now repeated for Instructor4, who must not see other instructors' assignment details.
8) Log in as Instructor4. Click on Manage -> Impersonate User. Enter student6400 as the user to be impersonated.
9) After impersonation, Instructor4 can see only his or her own assignment details and not those of any other instructor.
10) Log in as TeachingAssistant1274, who is a TA under Instructor6 for Course 517, Spring 2016.
11) Create an assignment TA_Assignment and make student6400 a participant.
12) Click on Manage -> Impersonate User and enter student6400 as the student to be impersonated.
13) After impersonation, TeachingAssistant1274 can see the assignment details of all courses for which he or she is the TA, and not those of any other assignments.
14) Next, log in as student6400 and click on Assignments. The student can see all the assignments of all the courses to which he or she is assigned.
15) This verifies that the bug has been fixed.
Issue #1185
1) Log in as an Instructor, Admin, Super-Admin or TA.
2) Click on Manage -> Assignments. In the Actions column, click on Add Participant.
3) Below the list of current participants there is an "Enter a user login" text box.
4) Enter a user login in the text box (e.g. student9000) and click the Add button.
5) The new participant appears at the end of the list without a page refresh.
6) This verifies that the bug has been fixed.
Screenshots of the flow
The screenshots follow the Test Plan steps listed above for Issue #536 and Issue #1185.