E1845 Issues Related to Security

From Expertiza_Wiki
Revision as of 00:41, 3 November 2018 by Jbcolli8 (talk | contribs)
Jump to navigation Jump to search

The scope of this project was to sort out issues related to roles and user accounts on the Expertiza system.


Testing

In order to test all functionality, a super-administrator account is needed. The following account can be used in a standard Expertiza deployment:

- Super_administrator2 : password

User Deletion

The majority of the project was related to solving issues regarding the deletion of Administrator and Instructor accounts. Administrator and Instructor both inherit behavior from User but are handled and deleted in different codepaths. Furthermore, properties are used on a User that aren't on an Administrator, such as team ids or course associations.

The first step towards fixing the deletion functionality was to sort out the routing issues. No listing in the routing table existed for administrator deletion, and no controller method existed for neither administrator nor instructor deletion. With both of those in place, the only issue left was the deletion functionality.

In order to maintain DRY principles and support future code maintenance, a helper method was created for use with deleting Users, Administrator, and Instructor. By using a static class method, both UserController and AdminController could use the same underlying functionality for deleting User objects while customizing the flash message and the redirect url. The changes made to both controllers is visible in the UML diagram below and the before and after code segments.

Before: (users_controller.rb)

 def destroy
   begin
     @user = User.find(params[:id])
     AssignmentParticipant.where(user_id: @user.id).each(&:delete)
     TeamsUser.where(user_id: @user.id).each(&:delete)
     AssignmentQuestionnaire.where(user_id: @user.id).each(&:destroy)
     # Participant.delete(true)
     @user.destroy
     flash[:note] = undo_link("The user \"#{@user.name}\" has been successfully deleted.")
   rescue StandardError
     flash[:error] = $ERROR_INFO
   end
   redirect_to action: 'list'
 end

After: (users_controller.rb)

 def destroy
   begin
   flash[:note] = undo_link(UsersController.destroy_helper(params, 'user'))
   rescue StandardError
     flash[:error] = $ERROR_INFO
   end
   redirect_to action: 'list'
 end
 def self.destroy_helper(params, position)
   begin
     @user = User.find(params[:id])
     AssignmentParticipant.where(user_id: @user.id).each(&:delete)
     TeamsUser.where(user_id: @user.id).each(&:delete)
     AssignmentQuestionnaire.where(user_id: @user.id).each(&:destroy)
     # Participant.delete(true)
     @user.destroy
     "The #{position} \"#{@user.name}\" has been successfully deleted."
   rescue StandardError
     raise
   end
 end

New Roles

One other focus of the project was to remove the ability to add new roles to the expertiza system. This simply involved removing the New button from the Roles list view and preventing any new functionality in the Role controller.

 def new
   @role = Role.new
   foreign
 end

In the controller, the above was changed to the following in order to prevent the functionality on the GUI side.

 def new
   flash[:error] = 'New Roles cannot be created.'
   redirect_to roles_path
 end

Tests