class CoursesLTIAPITests(ComPAIRAPITestCase):
def setUp(self):
super(CoursesLTIAPITests, self).setUp()
self.data = SimpleAssignmentTestData()
self.lti_data = LTITestData()
def test_delete_course(self):
# test unlinking of lti contexts when course deleted
course = self.data.get_course()
url = '/api/courses/' + course.uuid
lti_consumer = self.lti_data.get_consumer()
lti_context1 = self.lti_data.create_context(
lti_consumer, compair_course_id=course.id)
lti_context2 = self.lti_data.create_context(
lti_consumer, compair_course_id=course.id)
lti_resource_link1 = self.lti_data.create_resource_link(
lti_consumer,
lti_context=lti_context2,
compair_assignment=self.data.assignments[0])
lti_resource_link2 = self.lti_data.create_resource_link(
lti_consumer,
lti_context=lti_context2,
compair_assignment=self.data.assignments[1])
with self.login(self.data.get_authorized_instructor().username):
rv = self.client.delete(url)
self.assert200(rv)
self.assertEqual(course.uuid, rv.json['id'])
self.assertIsNone(lti_context1.compair_course_id)
self.assertIsNone(lti_context2.compair_course_id)
self.assertIsNone(lti_resource_link1.compair_assignment_id)
self.assertIsNone(lti_resource_link2.compair_assignment_id)
class CoursesLTIAPITests(ComPAIRAPITestCase):
def setUp(self):
super(CoursesLTIAPITests, self).setUp()
self.data = SimpleAssignmentTestData()
self.lti_data = LTITestData()
def test_delete_course(self):
# test unlinking of lti contexts when course deleted
course = self.data.get_course()
url = '/api/courses/' + course.uuid
lti_consumer = self.lti_data.get_consumer()
lti_context1 = self.lti_data.create_context(
lti_consumer,
compair_course_id=course.id
)
lti_context2 = self.lti_data.create_context(
lti_consumer,
compair_course_id=course.id
)
lti_resource_link1 = self.lti_data.create_resource_link(
lti_consumer,
lti_context=lti_context2,
compair_assignment=self.data.assignments[0]
)
lti_resource_link2 = self.lti_data.create_resource_link(
lti_consumer,
lti_context=lti_context2,
compair_assignment=self.data.assignments[1]
)
with self.login(self.data.get_authorized_instructor().username):
rv = self.client.delete(url)
self.assert200(rv)
self.assertEqual(course.uuid, rv.json['id'])
self.assertIsNone(lti_context1.compair_course_id)
self.assertIsNone(lti_context2.compair_course_id)
self.assertIsNone(lti_resource_link1.compair_assignment_id)
self.assertIsNone(lti_resource_link2.compair_assignment_id)
class ImpersonationAPITests(ComPAIRAPITestCase):
def setUp(self):
super(ImpersonationAPITests, self).setUp()
self.data = SimpleAssignmentTestData()
self.course_base_url = '/api/courses'
self.assignment_base_url = self.course_base_url + '/' + self.data.get_course().uuid + '/assignments'
self.impersonate_base_url = '/api/impersonate'
self.profile_base_url = '/api/users'
self.session_base_url = '/api/session'
self.assignment_main_course = self.data.get_assignments()[0]
self.student_main_course = self.data.get_authorized_student();
self.student_second_course = self.data.get_unauthorized_student();
self.instructor_main_course = self.data.get_authorized_instructor();
self.instructor_second_course = self.data.get_unauthorized_instructor();
def _start_impersonation(self, pretending):
return self.client.post(self.impersonate_base_url + '/' + pretending.uuid)
def _end_impersonation(self):
return self.client.delete(self.impersonate_base_url)
def _verify_impersonation(self, original=None, pretending=None):
rv = self.client.get(self.impersonate_base_url)
self.assert200(rv)
self.assertEquals(rv.json.get('impersonating'), True)
if original:
self.assertEquals(rv.json.get('original_user').get('id'), original.uuid)
if pretending:
rv = self.client.get(self.session_base_url)
self.assert200(rv)
self.assertEqual(rv.json.get('id'), pretending.uuid)
def _is_not_impersonating(self):
rv = self.client.get(self.impersonate_base_url)
self.assert200(rv)
self.assertEquals(rv.json.get('impersonating'), False)
def test_impersonation_requires_login(self):
self.assert401(self._start_impersonation(self.instructor_main_course))
self.assert401(self._start_impersonation(self.student_main_course))
def test_student_cannot_impersonate(self):
with self.login(self.student_main_course.username):
self.assert403(self._start_impersonation(self.instructor_main_course))
self.assert403(self._start_impersonation(self.student_second_course))
def test_instructor_can_impersonate_own_students(self):
with self.impersonate(self.instructor_main_course, self.student_main_course):
self._verify_impersonation(original=self.instructor_main_course, pretending=self.student_main_course)
def test_instructor_cannot_impersonate_student_not_in_his_course(self):
with self.login(self.instructor_main_course.username):
self.assert403(self._start_impersonation(self.student_second_course))
with self.login(self.instructor_second_course.username):
self.assert403(self._start_impersonation(self.student_main_course))
def test_instructor_cannot_impersonate_admin(self):
with self.login(self.instructor_main_course.username):
self.assert403(self._start_impersonation(DefaultFixture.ROOT_USER))
def test_admin_can_impersonate_students_but_not_instructors(self):
with self.login(DefaultFixture.ROOT_USER.username):
self.assert200(self._start_impersonation(self.student_main_course))
self.assert403(self._start_impersonation(self.instructor_main_course))
def test_end_impersonation(self):
# Impersonation will block non-GET traffic, but should allow end impersonation (a DELETE call)
with self.login(self.instructor_main_course.username):
self.assert200(self._start_impersonation(self.student_main_course))
self._verify_impersonation(original=self.instructor_main_course, pretending=self.student_main_course)
self.assert200(self._end_impersonation())
self._is_not_impersonating()
def test_cannot_logout_during_impersonation(self):
with self.impersonate(self.instructor_main_course, self.student_main_course):
# explicit logout should fail
self.assert403(self.client.delete('/api/logout', follow_redirects=True))
# still logged in and impersonating
self._verify_impersonation(original=self.instructor_main_course, pretending=self.student_main_course)
def test_access_right_after_impersonation(self):
comparisons_of_main_course_assignment_url = \
self.assignment_base_url + '/' + self.assignment_main_course.uuid + '/users/comparisons?page=1&perPage=5'
with self.login(self.instructor_main_course.username):
self.assert200(self._start_impersonation(self.student_main_course))
# no access when impersonating as student
self.assert403(self.client.get(comparisons_of_main_course_assignment_url))
self._end_impersonation()
# resume access after impersonation
self.assert200(self.client.get(comparisons_of_main_course_assignment_url))
class ImpersonationAPITests(ComPAIRAPITestCase):
def setUp(self):
super(ImpersonationAPITests, self).setUp()
self.data = SimpleAssignmentTestData()
self.course_base_url = '/api/courses'
self.assignment_base_url = self.course_base_url + '/' + self.data.get_course(
).uuid + '/assignments'
self.impersonate_base_url = '/api/impersonate'
self.profile_base_url = '/api/users'
self.session_base_url = '/api/session'
self.assignment_main_course = self.data.get_assignments()[0]
self.student_main_course = self.data.get_authorized_student()
self.student_second_course = self.data.get_unauthorized_student()
self.instructor_main_course = self.data.get_authorized_instructor()
self.instructor_second_course = self.data.get_unauthorized_instructor(
)
def _start_impersonation(self, pretending):
return self.client.post(self.impersonate_base_url + '/' +
pretending.uuid)
def _end_impersonation(self):
return self.client.delete(self.impersonate_base_url)
def _verify_impersonation(self, original=None, pretending=None):
rv = self.client.get(self.impersonate_base_url)
self.assert200(rv)
self.assertEquals(rv.json.get('impersonating'), True)
if original:
self.assertEquals(
rv.json.get('original_user').get('id'), original.uuid)
if pretending:
rv = self.client.get(self.session_base_url)
self.assert200(rv)
self.assertEqual(rv.json.get('id'), pretending.uuid)
def _is_not_impersonating(self):
rv = self.client.get(self.impersonate_base_url)
self.assert200(rv)
self.assertEquals(rv.json.get('impersonating'), False)
def test_impersonation_requires_login(self):
self.assert401(self._start_impersonation(self.instructor_main_course))
self.assert401(self._start_impersonation(self.student_main_course))
def test_student_cannot_impersonate(self):
with self.login(self.student_main_course.username):
self.assert403(
self._start_impersonation(self.instructor_main_course))
self.assert403(
self._start_impersonation(self.student_second_course))
def test_instructor_can_impersonate_own_students(self):
with self.impersonate(self.instructor_main_course,
self.student_main_course):
self._verify_impersonation(original=self.instructor_main_course,
pretending=self.student_main_course)
def test_instructor_cannot_impersonate_student_not_in_his_course(self):
with self.login(self.instructor_main_course.username):
self.assert403(
self._start_impersonation(self.student_second_course))
with self.login(self.instructor_second_course.username):
self.assert403(self._start_impersonation(self.student_main_course))
def test_instructor_cannot_impersonate_admin(self):
with self.login(self.instructor_main_course.username):
self.assert403(self._start_impersonation(DefaultFixture.ROOT_USER))
def test_admin_can_impersonate_students_but_not_instructors(self):
with self.login(DefaultFixture.ROOT_USER.username):
self.assert200(self._start_impersonation(self.student_main_course))
self.assert403(
self._start_impersonation(self.instructor_main_course))
def test_end_impersonation(self):
# Impersonation will block non-GET traffic, but should allow end impersonation (a DELETE call)
with self.login(self.instructor_main_course.username):
self.assert200(self._start_impersonation(self.student_main_course))
self._verify_impersonation(original=self.instructor_main_course,
pretending=self.student_main_course)
self.assert200(self._end_impersonation())
self._is_not_impersonating()
def test_cannot_logout_during_impersonation(self):
with self.impersonate(self.instructor_main_course,
self.student_main_course):
# explicit logout should fail
self.assert403(
self.client.delete('/api/logout', follow_redirects=True))
# still logged in and impersonating
self._verify_impersonation(original=self.instructor_main_course,
pretending=self.student_main_course)
def test_access_right_after_impersonation(self):
comparisons_of_main_course_assignment_url = \
self.assignment_base_url + '/' + self.assignment_main_course.uuid + '/users/comparisons?page=1&perPage=5'
with self.login(self.instructor_main_course.username):
self.assert200(self._start_impersonation(self.student_main_course))
# no access when impersonating as student
self.assert403(
self.client.get(comparisons_of_main_course_assignment_url))
self._end_impersonation()
# resume access after impersonation
self.assert200(
self.client.get(comparisons_of_main_course_assignment_url))
