Revision as of 03:18, 11 October 2020
E2057. Time travel Not Allowed..!!! Restrict TAs’ ability to change their own grade + limit file-size upload
This page provides a description of the Expertiza-based OSS project.
Team Information
Palash Gupta - pgupta25@ncsu.edu
Sneha Kumar - skumar32@ncsu.edu
Yen-An Jou - yjou@ncsu.edu
Issue 1412 - Problem Statement
If a person is listed as a TA in one course and as a student in another course, then if they navigate to the "Your scores" page of one of the assignments in which they are participating as a student, they can see a TA's view of that page - effectively allowing them to assign their own grade!
The screenshot below shows the TA view for the course in which the user is added as a TA:
As evident from the screenshot, the user "student003" is assigned as a TA for CSC502.
The user "student003" is also a student in the course CSC501:
The issue is that this user, "student003", who is a TA in one course, is able to alter the grades for his own assignments in other courses he is taking in the semester:
Solutions
When a TA clicks on Assignment > view scores, they will no longer see the form to add or edit the grade and comment for a course in which they are participating as a student.
Files modified: view_team.html
We render the TA view (to grade and comment) only if the TA ID has an entry in the ta_mapping table. This ensures that the TA will be able to modify the grades only for courses for which they are assigned as TA.
- Get the course ID for the course which the student is currently viewing.
- Get the user ID, which will be the teacher ID as well.
- Using these two fields, we restrict the student's access to modify the grades.
A user will see the 'TA Grade-Comment:' section under Assignment > view scores only for the courses for which that user is a TA.
The green-highlighted lines indicate the changes.
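The check described above, modelled in plain Ruby as an added example (not the project's code from view_team.html). The structs, the `ta_id`/`course_id` column names, the numeric IDs and the `save_grade` helper are assumptions, and the data is constructed. It applies the same predicate to the grade-saving path as to the rendering decision, so access does not depend on the form being hidden.

```ruby
# Constructed stand-ins for the records involved; only the ta_mapping
# table name comes from the page, the field names are assumptions.
TaMapping  = Struct.new(:ta_id, :course_id)
Assignment = Struct.new(:id, :course_id)
User       = Struct.new(:id, :role)
NotAuthorized = Class.new(StandardError)

# Constructed data: student003 (id 3) is a TA for CSC502 only.
TA_MAPPINGS = [TaMapping.new(3, 502)].freeze

# Simplified model of the reported behaviour: holding the TA role in
# any course is enough to get the grading view everywhere.
def can_grade_by_role?(user, _assignment)
  user.role == :ta
end

# Fixed check: the (user ID, course ID) pair must exist in ta_mapping.
# Missing user, assignment or course fails closed.
def can_grade?(user, assignment, mappings = TA_MAPPINGS)
  return false if user.nil? || assignment.nil? || assignment.course_id.nil?
  mappings.any? do |m|
    m.ta_id == user.id && m.course_id == assignment.course_id
  end
end

# View decision: which partial "Assignment > view scores" shows.
def render_scores(user, assignment)
  can_grade?(user, assignment) ? :ta_grade_comment_form : :read_only_scores
end

# Hypothetical write path guarded by the same predicate as the view.
def save_grade(user, assignment, grades, value)
  raise NotAuthorized, "not a TA for this course" unless can_grade?(user, assignment)
  grades[assignment.id] = value
end
```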
Below is the screenshot showing what a TA sees for a course in which the user is registered as a student:
RSpec test
Issue 1351 - Problem Statement
A student can upload files with their submission. In some cases, students upload long videos that might not be necessary for the submission.
What’s wrong with it: As there is no restriction on the files being uploaded, this is a security issue in Expertiza. Large files should be restricted. A student may also upload malware into the system, affecting Expertiza.