def get(self):
"""A GET REST method shared by all unit types."""
key = self.request.get('key')
if not roles.Roles.is_course_admin(self.app_context):
transforms.send_json_response(self, 401, 'Access denied.',
{'key': key})
return
course = courses.Course(self)
unit = course.find_unit_by_id(key)
if not unit:
transforms.send_json_response(self, 404, 'Object not found.',
{'key': key})
return
message = ['Success.']
if self.request.get('is_newly_created'):
message.append('New %s has been created and saved.' % self.NAME)
transforms.send_json_response(
self,
200,
'\n'.join(message),
payload_dict=self.unit_to_dict(course, unit),
xsrf_token=XsrfTokenManager.create_xsrf_token('put-unit'))
def get(self):
"""Get the data to populate the question editor form."""
key = self.request.get('key')
if not CourseOutlineRights.can_view(self):
transforms.send_json_response(self, 401, 'Access denied.',
{'key': key})
return
if key:
question = QuestionDAO.load(key)
payload_dict = question.dict
else:
payload_dict = {
'version':
self.SCHEMA_VERSION,
'question':
'',
'description':
'',
'graders': [{
'score': '1.0',
'matcher': 'case_insensitive',
'response': '',
'feedback': ''
}]
}
transforms.send_json_response(
self,
200,
'Success',
payload_dict=payload_dict,
xsrf_token=XsrfTokenManager.create_xsrf_token(self.XSRF_TOKEN))
def get(self):
"""A GET REST method shared by all unit types."""
key = self.request.get("key")
if not CourseOutlineRights.can_view(self):
transforms.send_json_response(self, 401, "Access denied.", {"key": key})
return
unit = courses.Course(self).find_unit_by_id(key)
if not unit:
transforms.send_json_response(self, 404, "Object not found.", {"key": key})
return
message = ["Success."]
if self.request.get("is_newly_created"):
unit_type = verify.UNIT_TYPE_NAMES[unit.type].lower()
message.append("New %s has been created and saved." % unit_type)
transforms.send_json_response(
self,
200,
"\n".join(message),
payload_dict=self.unit_to_dict(unit),
xsrf_token=XsrfTokenManager.create_xsrf_token("put-unit"),
)
def do_render(self, form):
self.template_value['navbar'] = {}
self.template_value['form'] = form
self.template_value['post_url'] = self.request.url
self.template_value['xsrf_token'] = (
XsrfTokenManager.create_xsrf_token('survey-post-' + self.name))
self.render(self.template)
def get(self):
"""Provides empty initial content for asset upload editor."""
# TODO(jorr): Pass base URI through as request param when generalized.
key = self.request.get('key')
base = asset_paths.AllowedBases.match_allowed_bases(key)
if not base:
transforms.send_json_response(self, 400, 'Malformed request.',
{'key': key})
return
json_payload = {
'key': key,
'base': base,
}
fs = self.app_context.fs.impl
if fs.isfile(fs.physical_to_logical(key)):
json_payload['asset_url'] = key
else:
json_payload['asset_url'] = asset_paths.relative_base(base)
transforms.send_json_response(
self,
200,
'Success.',
payload_dict=json_payload,
xsrf_token=XsrfTokenManager.create_xsrf_token(
self.XSRF_TOKEN_NAME))
def get(self):
"""Handles REST GET verb and returns an object as JSON payload."""
key = self.request.get('key')
if not ConfigPropertyRights.can_view():
transforms.send_json_response(
self, 401, 'Access denied.', {'key': key})
return
item = None
if key and key in config.Registry.registered.keys():
item = config.Registry.registered[key]
if not item:
self.redirect('/admin?action=settings')
try:
entity = config.ConfigPropertyEntity.get_by_key_name(key)
except db.BadKeyError:
entity = None
if not entity:
transforms.send_json_response(
self, 404, 'Object not found.', {'key': key})
else:
entity_dict = {'name': key, 'is_draft': entity.is_draft}
entity_dict['value'] = transforms.string_to_value(
entity.value, item.value_type)
json_payload = transforms.dict_to_json(
entity_dict,
transforms.loads(
ConfigPropertyEditor.get_schema_json(item)))
transforms.send_json_response(
self, 200, 'Success.',
payload_dict=json_payload,
xsrf_token=XsrfTokenManager.create_xsrf_token(
'config-property-put'))
def get(self):
"""Provides empty initial content for asset upload editor."""
# TODO(jorr): Pass base URI through as request param when generalized.
json_payload = {'file': '', 'base': ALLOWED_ASSET_UPLOAD_BASE}
transforms.send_json_response(
self, 200, 'Success.', payload_dict=json_payload,
xsrf_token=XsrfTokenManager.create_xsrf_token('asset-upload'))
def get_edit(self):
if not course_explorer.GCB_ENABLE_COURSE_EXPLORER_PAGE.value:
self.error(404)
return
user = self.initialize_page_and_get_user()
if not user:
self.redirect('/explorer')
return
profile = self.get_profile_for_user(user)
if not profile:
self.redirect('/explorer')
return
self.template_value['student'] = profile
self.fill_profile_data(profile)
self.fill_local_chapter_data()
self.template_value['xsrf_token'] = (
XsrfTokenManager.create_xsrf_token('save_profile'))
self.template_value['navbar'] = {'profile': True}
self.template_value['html_hooks'] = NullHtmlHooks()
self.template_value['submit_button_name'] = 'Update Profile'
self.template_value['force'] = self.request.get('force')
self.render('edit_profile.html')
def render(self, node, context):
"""Renders the submit button."""
xsrf_token = XsrfTokenManager.create_xsrf_token(
QUESTIONNAIRE_XSRF_TOKEN_NAME)
form_id = node.attrib.get('form-id')
button_label = node.attrib.get('button-label')
disabled = (node.attrib.get('disabled') == 'true')
post_message = node.text
user = context.handler.get_user()
registered = False
if user and models.Student.get_enrolled_student_by_user(user):
registered = True
template_vals = {
'xsrf_token': xsrf_token,
'form_id': form_id,
'button_label': button_label,
'disabled': disabled,
'registered': registered,
'post_message': post_message,
}
template = jinja_utils.get_template(
'questionnaire.html', [TEMPLATES_DIR])
button = template.render(template_vals)
return tags.html_string_to_element_tree(button)
def get(self):
"""Provides empty initial content for asset upload editor."""
# TODO(jorr): Pass base URI through as request param when generalized.
key = self.request.get('key')
base = asset_paths.AllowedBases.match_allowed_bases(key)
if not base:
transforms.send_json_response(
self, 400, 'Malformed request.', {'key': key})
return
json_payload = {
'key': key,
'base': base,
}
fs = self.app_context.fs.impl
if fs.isfile(fs.physical_to_logical(key)):
json_payload['asset_url'] = key
# TODO(davyrisso): Remove when cached assets issues are solved.
# We add a random seed to the URL to force a reload, we also append
# the URL because oeditor expects it to end with the filename.
suffix = ('?seed=%s&url=%s' % (
str(random.randint(0, 100000)), json_payload['asset_url']))
json_payload['asset_url'] += suffix
else:
json_payload['asset_url'] = asset_paths.relative_base(base)
transforms.send_json_response(
self, 200, 'Success.', payload_dict=json_payload,
xsrf_token=XsrfTokenManager.create_xsrf_token(self.XSRF_TOKEN_NAME))
def get(self):
"""Handles REST GET verb and returns an object as JSON payload."""
if not CourseOutlineRights.can_view(self):
transforms.send_json_response(self, 401, "Access denied.", {})
return
course = courses.Course(self)
outline_data = []
for unit in course.get_units():
lesson_data = []
for lesson in course.get_lessons(unit.unit_id):
lesson_data.append({"title": lesson.title, "id": lesson.lesson_id})
unit_title = unit.title
if verify.UNIT_TYPE_UNIT == unit.type:
unit_title = "Unit %s - %s" % (unit.index, unit.title)
outline_data.append({"title": unit_title, "id": unit.unit_id, "lessons": lesson_data})
transforms.send_json_response(
self,
200,
"Success.",
payload_dict={"outline": outline_data},
xsrf_token=XsrfTokenManager.create_xsrf_token("unit-lesson-reorder"),
)
def get(self):
"""Handles REST GET verb and returns an object as JSON payload."""
key = self.request.get('key')
try:
entity = AnnouncementEntity.get(key)
except db.BadKeyError:
entity = None
if not entity:
transforms.send_json_response(
self, 404, 'Object not found.', {'key': key})
return
viewable = AnnouncementsRights.apply_rights(self, [entity])
if not viewable:
transforms.send_json_response(
self, 401, 'Access denied.', {'key': key})
return
entity = viewable[0]
json_payload = transforms.dict_to_json(transforms.entity_to_dict(
entity), AnnouncementsItemRESTHandler.SCHEMA_DICT)
transforms.send_json_response(
self, 200, 'Success.',
payload_dict=json_payload,
xsrf_token=XsrfTokenManager.create_xsrf_token(
'announcement-put'))
def get(self):
"""Respond to the REST GET verb with the contents of the group."""
key = self.request.get('key')
if not CourseOutlineRights.can_view(self):
transforms.send_json_response(
self, 401, 'Access denied.', {'key': key})
return
if key:
question_group = QuestionGroupDAO.load(key)
version = question_group.dict.get('version')
if self.SCHEMA_VERSION != version:
transforms.send_json_response(
self, 403, 'Cannot edit a Version %s group.' % version,
{'key': key})
return
payload_dict = question_group.dict
else:
payload_dict = {
'version': self.SCHEMA_VERSION,
'items': [{'weight': ''}, {'weight': ''}, {'weight': ''}]}
transforms.send_json_response(
self, 200, 'Success',
payload_dict=payload_dict,
xsrf_token=XsrfTokenManager.create_xsrf_token(self.XSRF_TOKEN))
def get(self):
"""Provides empty initial content for asset upload editor."""
# TODO(jorr): Pass base URI through as request param when generalized.
json_payload = {'file': '', 'base': ALLOWED_ASSET_UPLOAD_BASE}
transforms.send_json_response(
self, 200, 'Success.', payload_dict=json_payload,
xsrf_token=XsrfTokenManager.create_xsrf_token('asset-upload'))
def get(self):
"""Handles REST GET verb and returns an object as JSON payload."""
assert self.app_context.is_editable_fs()
key = self.request.get('key')
if not CourseSettingsRights.can_view(self):
transforms.send_json_response(
self, 401, 'Access denied.', {'key': key})
return
# Load data if possible.
fs = self.app_context.fs.impl
filename = fs.physical_to_logical('/course.yaml')
try:
stream = fs.get(filename)
except: # pylint: disable=bare-except
stream = None
if not stream:
transforms.send_json_response(
self, 404, 'Object not found.', {'key': key})
return
# Prepare data.
json_payload = self.process_get()
transforms.send_json_response(
self, 200, 'Success.',
payload_dict=json_payload,
xsrf_token=XsrfTokenManager.create_xsrf_token(self.XSRF_ACTION))
def get(self):
"""Handles REST GET verb and returns an object as JSON payload."""
assert is_editable_fs(self.app_context)
key = self.request.get("key")
if not FilesRights.can_view(self):
transforms.send_json_response(self, 401, "Access denied.", {"key": key})
return
# Load data if possible.
fs = self.app_context.fs.impl
filename = fs.physical_to_logical(key)
try:
stream = fs.get(filename)
except: # pylint: disable=bare-except
stream = None
if not stream:
transforms.send_json_response(self, 404, "Object not found.", {"key": key})
return
# Prepare data.
entity = {"key": key}
if self.is_text_file(key):
entity["encoding"] = self.FILE_ENCODING_TEXT
entity["content"] = vfs.stream_to_string(stream)
else:
entity["encoding"] = self.FILE_ENCODING_BINARY
entity["content"] = base64.b64encode(stream.read())
# Render JSON response.
json_payload = transforms.dict_to_json(entity, FilesItemRESTHandler.SCHEMA_DICT)
transforms.send_json_response(
self, 200, "Success.", payload_dict=json_payload, xsrf_token=XsrfTokenManager.create_xsrf_token("file-put")
)
def test_attempt_activity_event(self):
"""Test activity attempt generates event."""
email = '*****@*****.**'
name = 'Test Attempt Activity Event'
actions.login(email)
actions.register(self, name)
# Enable event recording.
config.Registry.db_overrides[
lessons.CAN_PERSIST_ACTIVITY_EVENTS.name] = True
# Prepare event.
request = {}
request['source'] = 'test-source'
request['payload'] = json.dumps({'Alice': 'Bob'})
# Check XSRF token is required.
response = self.post('rest/events?%s' % urllib.urlencode(
{'request': json.dumps(request)}), {})
assert_equals(response.status_int, 200)
assert_contains('"status": 403', response.body)
# Check PUT works.
request['xsrf_token'] = XsrfTokenManager.create_xsrf_token(
'event-post')
response = self.post('rest/events?%s' % urllib.urlencode(
{'request': json.dumps(request)}), {})
assert_equals(response.status_int, 200)
assert not response.body
# Clean up.
config.Registry.db_overrides = {}
def get(self):
"""A GET REST method shared by all unit types."""
key = self.request.get('key')
if not CourseOutlineRights.can_view(self):
transforms.send_json_response(self, 401, 'Access denied.',
{'key': key})
return
unit = courses.Course(self).find_unit_by_id(key)
if not unit:
transforms.send_json_response(self, 404, 'Object not found.',
{'key': key})
return
message = ['Success.']
if self.request.get('is_newly_created'):
unit_type = verify.UNIT_TYPE_NAMES[unit.type].lower()
message.append('New %s has been created and saved.' % unit_type)
transforms.send_json_response(
self,
200,
'\n'.join(message),
payload_dict=self.unit_to_dict(unit),
xsrf_token=XsrfTokenManager.create_xsrf_token('put-unit'))
def get(self):
"""Handles REST GET verb and returns an object as JSON payload."""
key = self.request.get('key')
try:
entity = AnnouncementEntity.get(key)
except db.BadKeyError:
entity = None
if not entity:
transforms.send_json_response(self, 404, 'Object not found.',
{'key': key})
return
viewable = AnnouncementsRights.apply_rights(self, [entity])
if not viewable:
transforms.send_json_response(self, 401, 'Access denied.',
{'key': key})
return
entity = viewable[0]
json_payload = transforms.dict_to_json(
transforms.entity_to_dict(entity),
AnnouncementsItemRESTHandler.SCHEMA_DICT)
transforms.send_json_response(
self,
200,
'Success.',
payload_dict=json_payload,
xsrf_token=XsrfTokenManager.create_xsrf_token('announcement-put'))
def post(self):
if not users.is_current_user_admin():
self.abort(403)
if not XsrfTokenManager.is_xsrf_token_valid(self.request.POST.get('xsrf_token', ''), 'post'):
self.abort(403, 'XSRF token failed.')
form = self.Form(self.request.POST)
if not form.validate():
self.response.write('<br>'.join(form.errors))
return
student = Student.get_by_key_name(form.email.data)
report = PartReport.on(student, course=self.get_course(),
part=form.part.data,
force_re_run=form.re_run.data,
put=form.really_save.data)
badge_version = choose_badge_version(part_config[form.part.data]['slug'], report.completion())
if badge_version:
badge = Badge.get_by_key_name(badge_version)
if not badge:
self.response.write(' There is no badge with key_name %s (so I cannot issue a badge)' % badge_version)
if form.really_save.data and badge:
b = Badge.issue(badge, student, put=False)
b.evidence = self.request.host_url + '/badges/evidence?id=%d' % report.key().id()
b.put()
self.response.write('Issued badge %s!' % badge_version)
else:
self.response.write('Would have issued badge %s!' % badge_version)
else:
self.response.write('Not issuing because at least one of: %s' % (', '.join(report.incomplete_reasons)))
def get(self):
"""Handles GET requests."""
if not course_explorer.GCB_ENABLE_COURSE_EXPLORER_PAGE.value:
self.error(404)
return
user = self.initialize_page_and_get_user()
if not user:
self.redirect('/explorer')
return
courses = self.get_public_courses()
self.template_values['student'] = (
StudentProfileDAO.get_profile_by_user_id(user.user_id()))
self.template_values['navbar'] = {'profile': True}
self.template_values['courses'] = self.get_enrolled_courses(courses)
self.template_values['student_edit_xsrf_token'] = (
XsrfTokenManager.create_xsrf_token(
STUDENT_RENAME_GLOBAL_XSRF_TOKEN_ID))
self.template_values['html_hooks'] = NullHtmlHooks()
self.template_values['student_preferences'] = {}
template = jinja_utils.get_template(
'/modules/course_explorer/views/profile.html', DIR)
self.response.write(template.render(self.template_values))
def get(self):
"""Handles REST GET verb and returns an object as JSON payload."""
if not CourseOutlineRights.can_view(self):
transforms.send_json_response(self, 401, 'Access denied.', {})
return
course = courses.Course(self)
outline_data = []
for unit in course.get_units():
lesson_data = []
for lesson in course.get_lessons(unit.unit_id):
lesson_data.append({
'title': lesson.title,
'id': lesson.lesson_id
})
unit_title = unit.title
if verify.UNIT_TYPE_UNIT == unit.type:
unit_title = 'Unit %s - %s' % (unit.index, unit.title)
outline_data.append({
'title': unit_title,
'id': unit.unit_id,
'lessons': lesson_data
})
transforms.send_json_response(
self,
200,
'Success.',
payload_dict={'outline': outline_data},
xsrf_token=XsrfTokenManager.create_xsrf_token(
'unit-lesson-reorder'))
def get(self):
"""Get the data to populate the question editor form."""
key = self.request.get('key')
if not CourseOutlineRights.can_view(self):
transforms.send_json_response(
self, 401, 'Access denied.', {'key': key})
return
if key:
question = QuestionDAO.load(key)
payload_dict = question.dict
else:
payload_dict = {
'version': self.SCHEMA_VERSION,
'question': '',
'description': '',
'graders': [
{
'score': '1.0',
'matcher': 'case_insensitive',
'response': '',
'feedback': ''}]}
transforms.send_json_response(
self, 200, 'Success',
payload_dict=payload_dict,
xsrf_token=XsrfTokenManager.create_xsrf_token(self.XSRF_TOKEN))
def get(self):
"""Handles GET requests."""
if not course_explorer.GCB_ENABLE_COURSE_EXPLORER_PAGE.value:
self.error(404)
return
user = self.initialize_page_and_get_user()
if not user:
self.redirect('/explorer')
return
courses = self.get_public_courses()
self.template_values['student'] = (
StudentProfileDAO.get_profile_by_user_id(user.user_id()))
self.template_values['navbar'] = {'profile': True}
self.template_values['courses'] = self.get_enrolled_courses(courses)
self.template_values['student_edit_xsrf_token'] = (
XsrfTokenManager.create_xsrf_token(
STUDENT_RENAME_GLOBAL_XSRF_TOKEN_ID))
self.template_values['html_hooks'] = NullHtmlHooks()
self.template_values['student_preferences'] = {}
template = jinja_utils.get_template(
'/modules/course_explorer/views/profile.html', DIR)
self.response.write(template.render(self.template_values))
def get(self):
"""Handles REST GET verb and returns an object as JSON payload."""
if not CourseOutlineRights.can_view(self):
transforms.send_json_response(self, 401, 'Access denied.', {})
return
course = courses.Course(self)
outline_data = []
for unit in course.get_units():
lesson_data = []
for lesson in course.get_lessons(unit.unit_id):
lesson_data.append({
'title': lesson.title,
'id': lesson.lesson_id})
unit_title = unit.title
if verify.UNIT_TYPE_UNIT == unit.type:
unit_title = 'Unit %s - %s' % (unit.index, unit.title)
outline_data.append({
'title': unit_title,
'id': unit.unit_id,
'lessons': lesson_data})
transforms.send_json_response(
self, 200, None,
payload_dict={'outline': outline_data},
xsrf_token=XsrfTokenManager.create_xsrf_token(
'unit-lesson-reorder'))
def get(self):
"""Handles the get verb."""
assert FilesRights.can_edit(self)
filename = self.request.get('key')
assert filename
asset = self.app_context.fs.impl.get(
os.path.join(appengine_config.BUNDLE_ROOT, filename))
assert asset
contents = asset.read()
is_text = is_text_payload(contents)
if not is_text:
contents = self.ERROR_MESSAGE_UNEDITABLE
json_message = 'Success.' if is_text else self.ERROR_MESSAGE_UNEDITABLE
json_payload = {
'contents': contents,
'is_text': is_text,
'readonly': is_readonly_asset(asset),
}
transforms.send_json_response(
self,
200,
json_message,
payload_dict=json_payload,
xsrf_token=XsrfTokenManager.create_xsrf_token(
self.XSRF_TOKEN_NAME))
def get(self):
"""Handles REST GET verb and returns an object as JSON payload."""
key = self.request.get('key')
if not ConfigPropertyRights.can_view():
transforms.send_json_response(
self, 401, 'Access denied.', {'key': key})
return
item = None
if key and key in config.Registry.registered.keys():
item = config.Registry.registered[key]
if not item:
self.redirect('/admin?action=settings')
try:
entity = config.ConfigPropertyEntity.get_by_key_name(key)
except db.BadKeyError:
entity = None
if not entity:
transforms.send_json_response(
self, 404, 'Object not found.', {'key': key})
else:
entity_dict = {'name': key, 'is_draft': entity.is_draft}
entity_dict['value'] = transforms.string_to_value(
entity.value, item.value_type)
json_payload = transforms.dict_to_json(
entity_dict,
json.loads(ConfigPropertyEditor.get_schema_json(item)))
transforms.send_json_response(
self, 200, 'Success.',
payload_dict=json_payload,
xsrf_token=XsrfTokenManager.create_xsrf_token(
'config-property-put'))
def get(self):
"""Handles REST GET verb and returns an object as JSON payload."""
assert self.app_context.is_editable_fs()
key = self.request.get('key')
if not CourseSettingsRights.can_view(self):
transforms.send_json_response(
self, 401, 'Access denied.', {'key': key})
return
# Load data if possible.
fs = self.app_context.fs.impl
filename = fs.physical_to_logical('/course.yaml')
try:
stream = fs.get(filename)
except: # pylint: disable=bare-except
stream = None
if not stream:
transforms.send_json_response(
self, 404, 'Object not found.', {'key': key})
return
# Prepare data.
json_payload = self.process_get()
transforms.send_json_response(
self, 200, 'Success.',
payload_dict=json_payload,
xsrf_token=XsrfTokenManager.create_xsrf_token(self.XSRF_ACTION))
def test_non_admin_has_no_access(self):
"""Test non admin has no access to pages or REST endpoints."""
email = '*****@*****.**'
actions.login(email)
# Add datastore override.
prop = config.ConfigPropertyEntity(
key_name='gcb_config_update_interval_sec')
prop.value = '5'
prop.is_draft = False
prop.put()
# Check user has no access to specific pages and actions.
response = self.testapp.get('/admin?action=settings')
assert_equals(response.status_int, 302)
response = self.testapp.get(
'/admin?action=config_edit&name=gcb_admin_user_emails')
assert_equals(response.status_int, 302)
response = self.testapp.post(
'/admin?action=config_reset&name=gcb_admin_user_emails')
assert_equals(response.status_int, 302)
# Check user has no rights to GET verb.
response = self.testapp.get(
'/rest/config/item?key=gcb_config_update_interval_sec')
assert_equals(response.status_int, 200)
json_dict = json.loads(response.body)
assert json_dict['status'] == 401
assert json_dict['message'] == 'Access denied.'
# Check user has no rights to PUT verb.
payload_dict = {}
payload_dict['value'] = '666'
payload_dict['is_draft'] = False
request = {}
request['key'] = 'gcb_config_update_interval_sec'
request['payload'] = json.dumps(payload_dict)
# Check XSRF token is required.
response = self.testapp.put('/rest/config/item?%s' % urllib.urlencode(
{'request': json.dumps(request)}), {})
assert_equals(response.status_int, 200)
assert_contains('"status": 403', response.body)
# Check user still has no rights to PUT verb even if he somehow
# obtained a valid XSRF token.
request['xsrf_token'] = XsrfTokenManager.create_xsrf_token(
'config-property-put')
response = self.testapp.put('/rest/config/item?%s' % urllib.urlencode(
{'request': json.dumps(request)}), {})
assert_equals(response.status_int, 200)
json_dict = json.loads(response.body)
assert json_dict['status'] == 401
assert json_dict['message'] == 'Access denied.'
def get(self):
if not users.is_current_user_admin():
self.abort(403)
form = self.Form()
self.template_value['form'] = form
self.template_value['xsrf_token'] = XsrfTokenManager.create_xsrf_token('post')
self.template_value['action_url'] = self.request.url
self.template_value['title'] = 'Reconsider a single participant'
self.render('badge_bulk_issue.html')
def test_non_admin_has_no_access(self):
"""Test non admin has no access to pages or REST endpoints."""
email = '*****@*****.**'
actions.login(email)
# Add datastore override.
prop = config.ConfigPropertyEntity(
key_name='gcb_config_update_interval_sec')
prop.value = '5'
prop.is_draft = False
prop.put()
# Check user has no access to specific pages and actions.
response = self.testapp.get('/admin?action=settings')
assert_equals(response.status_int, 302)
response = self.testapp.get(
'/admin?action=config_edit&name=gcb_admin_user_emails')
assert_equals(response.status_int, 302)
response = self.testapp.post(
'/admin?action=config_reset&name=gcb_admin_user_emails')
assert_equals(response.status_int, 302)
# Check user has no rights to GET verb.
response = self.testapp.get(
'/rest/config/item?key=gcb_config_update_interval_sec')
assert_equals(response.status_int, 200)
json_dict = json.loads(response.body)
assert json_dict['status'] == 401
assert json_dict['message'] == 'Access denied.'
# Check user has no rights to PUT verb.
payload_dict = {}
payload_dict['value'] = '666'
payload_dict['is_draft'] = False
request = {}
request['key'] = 'gcb_config_update_interval_sec'
request['payload'] = json.dumps(payload_dict)
# Check XSRF token is required.
response = self.testapp.put('/rest/config/item?%s' % urllib.urlencode(
{'request': json.dumps(request)}), {})
assert_equals(response.status_int, 200)
assert_contains('"status": 403', response.body)
# Check user still has no rights to PUT verb even if he somehow
# obtained a valid XSRF token.
request['xsrf_token'] = XsrfTokenManager.create_xsrf_token(
'config-property-put')
response = self.testapp.put('/rest/config/item?%s' % urllib.urlencode(
{'request': json.dumps(request)}), {})
assert_equals(response.status_int, 200)
json_dict = json.loads(response.body)
assert json_dict['status'] == 401
assert json_dict['message'] == 'Access denied.'
def do_render(self, form, template):
self.template_value['navbar'] = {'registration': True}
self.template_value['form'] = form
self.template_value['list'] = list
self.template_value['max_student_count'] = MAXIMUM_PARTICIPANTS
self.template_value['student_count'] = get_student_count()
self.template_value['xsrf_token'] = (
XsrfTokenManager.create_xsrf_token('register-conf-post-' +
self._page()))
self.render(template)
def get(self):
"""Handles REST GET verb and returns an object as JSON payload."""
if not CourseOutlineRights.can_view(self):
transforms.send_json_response(self, 401, 'Access denied.', {})
return
transforms.send_json_response(
self, 200, 'Success.',
payload_dict={'course': None},
xsrf_token=XsrfTokenManager.create_xsrf_token(
'unit-lesson-reorder'))
def get(self):
"""Get the data to populate the question editor form."""
def export(q_dict):
p_dict = copy.deepcopy(q_dict)
# InputEx does not correctly roundtrip booleans, so pass strings
p_dict['multiple_selections'] = (
'true' if q_dict.get('multiple_selections') else 'false')
return p_dict
key = self.request.get('key')
if not CourseOutlineRights.can_view(self):
transforms.send_json_response(self, 401, 'Access denied.',
{'key': key})
return
if key:
question = QuestionDAO.load(key)
payload_dict = export(question.dict)
else:
payload_dict = {
'version':
self.SCHEMA_VERSION,
'question':
'',
'description':
'',
'multiple_selections':
'false',
'choices': [{
'score': '1',
'text': '',
'feedback': ''
}, {
'score': '0',
'text': '',
'feedback': ''
}, {
'score': '0',
'text': '',
'feedback': ''
}, {
'score': '0',
'text': '',
'feedback': ''
}]
}
transforms.send_json_response(
self,
200,
'Success',
payload_dict=payload_dict,
xsrf_token=XsrfTokenManager.create_xsrf_token(self.XSRF_TOKEN))
def get(self):
"""A GET REST method shared by all unit types."""
if not roles.Roles.is_super_admin():
transforms.send_json_response(
self, 401, 'Access denied.', {'key': key})
return
message = ['Success.']
transforms.send_json_response(
self, 200, '\n'.join(message),
payload_dict=self.to_dict(),
xsrf_token=XsrfTokenManager.create_xsrf_token('add-new-category'))
def get(self):
"""Provides empty initial content for asset upload editor."""
# TODO(jorr): Pass base URI through as request param when generalized.
base = self.request.get("key")
assert base in ALLOWED_ASSET_UPLOAD_BASES
json_payload = {"file": "", "base": base}
transforms.send_json_response(
self,
200,
"Success.",
payload_dict=json_payload,
xsrf_token=XsrfTokenManager.create_xsrf_token("asset-upload"),
)
def get(self):
"""Handles HTTP GET verb."""
if not CoursesPropertyRights.can_add():
transforms.send_json_response(self, 401, "Access denied.")
return
transforms.send_json_response(
self,
200,
"Success.",
payload_dict={"name": "new_course", "title": "My New Course", "admin_email": self.get_user().email()},
xsrf_token=XsrfTokenManager.create_xsrf_token("add-course-put"),
)
def get(self):
"""Handles REST GET verb and returns an object as JSON payload."""
if not CourseOutlineRights.can_view(self):
transforms.send_json_response(self, 401, 'Access denied.', {})
return
transforms.send_json_response(
self,
200,
'Success.',
payload_dict={'course': None},
xsrf_token=XsrfTokenManager.create_xsrf_token(
'unit-lesson-reorder'))
def get(self):
"""Handles REST GET verb and returns an object as JSON payload."""
if not CourseOutlineRights.can_view(self):
transforms.send_json_response(self, 401, 'Access denied.', {})
return
first_course_in_dropdown = self._get_course_list()[0]['value']
transforms.send_json_response(
self, 200, None,
payload_dict={'course': first_course_in_dropdown},
xsrf_token=XsrfTokenManager.create_xsrf_token(
'import-course'))
def get(self):
"""Handles REST GET verb and returns an object as JSON payload."""
if not CourseOutlineRights.can_view(self):
transforms.send_json_response(self, 401, 'Access denied.', {})
return
first_course_in_dropdown = self._get_course_list()[0]['value']
transforms.send_json_response(
self, 200, None,
payload_dict={'course': first_course_in_dropdown},
xsrf_token=XsrfTokenManager.create_xsrf_token(
'import-course'))
def get(self):
"""Handles REST GET verb and returns the uri of the asset."""
uri = self.request.get('key')
if not FilesRights.can_view(self):
transforms.send_json_response(
self, 401, 'Access denied.', {'key': uri})
return
transforms.send_json_response(
self, 200, 'Success.',
payload_dict={'uri': uri},
xsrf_token=XsrfTokenManager.create_xsrf_token('asset-delete'))
def get(self):
"""Handles HTTP GET verb."""
if not CoursesPropertyRights.can_add():
transforms.send_json_response(
self, 401, 'Access denied.')
return
transforms.send_json_response(
self, 200, 'Success.',
payload_dict={
'name': 'new_course',
'title': 'My New Course',
'admin_email': self.get_user().email()},
xsrf_token=XsrfTokenManager.create_xsrf_token(
'add-course-put'))
def get(self):
"""Handles GET requests."""
user = self.initialize_page_and_get_user()
courses = self.get_public_courses()
self.template_values['student'] = (
StudentProfileDAO.get_profile_by_user_id(user.user_id()))
self.template_values['navbar'] = {'profile': True}
self.template_values['courses'] = self.get_enrolled_courses(courses)
self.template_values['student_edit_xsrf_token'] = (
XsrfTokenManager.create_xsrf_token(
STUDENT_RENAME_GLOBAL_XSRF_TOKEN_ID))
template = jinja_utils.get_template(
'/modules/course_explorer/views/profile.html', DIR, LOCALE)
self.response.write(template.render(self.template_values))
def get(self):
"""Handles HTTP GET verb."""
if not CoursesPropertyRights.can_add():
transforms.send_json_response(
self, 401, 'Access denied.')
return
transforms.send_json_response(
self, 200, 'Success.',
payload_dict={
'name': 'new_course',
'title': 'My New Course',
'admin_email': self.get_user().email()},
xsrf_token=XsrfTokenManager.create_xsrf_token(
'add-course-put'))
def get(self):
"""Handles GET requests."""
user = self.initialize_page_and_get_user()
courses = self.get_public_courses()
self.template_values['student'] = (
StudentProfileDAO.get_profile_by_user_id(user.user_id()))
self.template_values['navbar'] = {'profile': True}
self.template_values['courses'] = self.get_enrolled_courses(courses)
self.template_values['student_edit_xsrf_token'] = (
XsrfTokenManager.create_xsrf_token(
STUDENT_RENAME_GLOBAL_XSRF_TOKEN_ID))
template = jinja_utils.get_template(
'/modules/course_explorer/views/profile.html', DIR, LOCALE)
self.response.write(template.render(self.template_values))
def get(self):
"""A GET REST method shared by all unit types."""
if not roles.Roles.is_super_admin():
transforms.send_json_response(self, 403, 'Access denied.', {})
return
message = ['Success.']
transforms.send_json_response(
self,
200,
'\n'.join(message),
payload_dict=self.to_dict(),
xsrf_token=XsrfTokenManager.create_xsrf_token(
'bulk_score_offline_assignment'))
def get(self):
"""Handles REST GET verb and returns the uri of the asset."""
uri = self.request.get("key")
if not FilesRights.can_view(self):
transforms.send_json_response(self, 401, "Access denied.", {"key": uri})
return
transforms.send_json_response(
self,
200,
"Success.",
payload_dict={"uri": uri},
xsrf_token=XsrfTokenManager.create_xsrf_token("asset-delete"),
)
def get_settings(self):
user = self.personalize_page_and_get_enrolled()
if not user:
return
try:
report = PartReport.get_by_id(int(self.request.GET.get('id', -1)))
except ValueError:
report = None
if not report:
self.abort(404, "That evidence report was not found.")
if not self.can_edit(user, report):
self.abort(403)
form = self.SettingsForm(
report_id=report.key().id(),
units_are_public=report.units_are_public,
exam_display=report.exam_display,
review_is_public=report.review_is_public)
#if report.part != 4:
#del form.review_is_public
display_field_params = {
'choices': [('blank', '(Blank)')],
'default': 'blank'
}
if report.assessment_scores:
if len(report.assessment_scores) > 1:
logging.warning("Evidence page settings assuming there's just one exam per part, but there is more than one")
display_field_params = exam_display_choices(
report.assessment_scores[0])
form.exam_display.choices = display_field_params['choices']
form.exam_display.default = display_field_params['default']
self.template_value['report'] = report
self.template_value['form'] = form
self.template_value['xsrf_token'] = XsrfTokenManager.create_xsrf_token('save_settings')
self.template_value['navbar'] = {}
self.template_value['action_url'] = '/badges/evidence?action=save_settings'
self.template_value['badge_name'] = report._config['name']
self.render('wf_evidence_settings.html')
def test_attempt_activity_event(self):
"""Test activity attempt generates event."""
email = '*****@*****.**'
name = 'Test Attempt Activity Event'
actions.login(email)
actions.register(self, name)
# Enable event recording.
config.Registry.db_overrides[
lessons.CAN_PERSIST_ACTIVITY_EVENTS.name] = True
# Prepare event.
request = {}
request['source'] = 'test-source'
request['payload'] = json.dumps({'Alice': u'Bob (тест данные)'})
# Check XSRF token is required.
response = self.post('rest/events?%s' % urllib.urlencode(
{'request': json.dumps(request)}), {})
assert_equals(response.status_int, 200)
assert_contains('"status": 403', response.body)
# Check PUT works.
request['xsrf_token'] = XsrfTokenManager.create_xsrf_token(
'event-post')
response = self.post('rest/events?%s' % urllib.urlencode(
{'request': json.dumps(request)}), {})
assert_equals(response.status_int, 200)
assert not response.body
# Check event is properly recorded.
old_namespace = namespace_manager.get_namespace()
namespace_manager.set_namespace(self.namespace)
try:
events = models.EventEntity.all().fetch(1000)
assert 1 == len(events)
assert_contains(
u'Bob (тест данные)', json.loads(events[0].data)['Alice'])
finally:
namespace_manager.set_namespace(old_namespace)
# Clean up.
config.Registry.db_overrides = {}
def get(self):
"""A GET REST method"""
if not roles.Roles.is_super_admin():
transforms.send_json_response(self, 401, 'Access denied.',
{'key': ''})
return
errors = []
payload_dict = self.to_dict(errors)
if errors:
transforms.send_json_response(self, 412, '\n'.join(errors))
return
message = ['Success.']
transforms.send_json_response(
self,
200,
'\n'.join(message),
payload_dict=payload_dict,
xsrf_token=XsrfTokenManager.create_xsrf_token(
'update-service_account'))
def get(self):
"""Handles GET REST verb and returns lesson object as JSON payload."""
if not CourseOutlineRights.can_view(self):
transforms.send_json_response(self, 401, 'Access denied.', {})
return
key = self.request.get('key')
course = courses.Course(self)
lesson = course.find_lesson_by_id(None, key)
assert lesson
fs = self.app_context.fs
path = fs.impl.physical_to_logical(
course.get_activity_filename(lesson.unit_id, lesson.lesson_id))
if lesson.has_activity and fs.isfile(path):
activity = fs.get(path)
else:
activity = ''
payload_dict = {
'key': key,
'title': lesson.title,
'unit_id': lesson.unit_id,
'objectives': lesson.objectives,
'video': lesson.video,
'notes': lesson.notes,
'activity_title': lesson.activity_title,
'activity_listed': lesson.activity_listed,
'activity': activity,
'is_draft': not lesson.now_available
}
message = ['Success.']
if self.request.get('is_newly_created'):
message.append('New lesson has been created and saved.')
transforms.send_json_response(
self,
200,
'\n'.join(message),
payload_dict=payload_dict,
xsrf_token=XsrfTokenManager.create_xsrf_token('lesson-edit'))
def get(self):
"""A GET REST method shared by all unit types."""
if not roles.Roles.is_super_admin():
transforms.send_json_response(
self, 401, 'Access denied.', {'key': key})
return
key = self.request.get('key')
errors = []
payload_dict = self.to_dict(key, errors)
if errors:
transforms.send_json_response(self, 412, '\n'.join(errors))
return
message = ['Success.']
transforms.send_json_response(
self, 200, '\n'.join(message),
payload_dict=payload_dict,
xsrf_token=XsrfTokenManager.create_xsrf_token('update-category'))
def get(self):
"""Handles GET REST verb and returns lesson object as JSON payload."""
if not CourseOutlineRights.can_view(self):
transforms.send_json_response(self, 401, "Access denied.", {})
return
key = self.request.get("key")
course = courses.Course(self)
lesson = course.find_lesson_by_id(None, key)
assert lesson
fs = self.app_context.fs
path = fs.impl.physical_to_logical(course.get_activity_filename(lesson.unit_id, lesson.lesson_id))
if lesson.has_activity and fs.isfile(path):
activity = fs.get(path)
else:
activity = ""
payload_dict = {
"key": key,
"title": lesson.title,
"unit_id": lesson.unit_id,
"objectives": lesson.objectives,
"video": lesson.video,
"notes": lesson.notes,
"activity_title": lesson.activity_title,
"activity": activity,
"is_draft": not lesson.now_available,
}
message = ["Success."]
if self.request.get("is_newly_created"):
message.append("New lesson has been created and saved.")
transforms.send_json_response(
self,
200,
"\n".join(message),
payload_dict=payload_dict,
xsrf_token=XsrfTokenManager.create_xsrf_token("lesson-edit"),
)
def get(self):
"""Provides empty initial content for asset upload editor."""
# TODO(jorr): Pass base URI through as request param when generalized.
key = self.request.get('key')
base = _match_allowed_bases(key)
if not base:
transforms.send_json_response(
self, 400, 'Malformed request.', {'key': key})
return
json_payload = {
'key': key,
'base': base,
}
fs = self.app_context.fs.impl
if fs.isfile(fs.physical_to_logical(key)):
json_payload['asset_url'] = key
transforms.send_json_response(
self, 200, 'Success.', payload_dict=json_payload,
xsrf_token=XsrfTokenManager.create_xsrf_token(self.XSRF_TOKEN_NAME))
def get(self):
"""Handles GET REST verb and returns lesson object as JSON payload."""
if not CourseOutlineRights.can_view(self):
transforms.send_json_response(self, 401, 'Access denied.', {})
return
key = self.request.get('key')
course = courses.Course(self)
lesson = course.find_lesson_by_id(None, key)
assert lesson
fs = self.app_context.fs
path = fs.impl.physical_to_logical(course.get_activity_filename(
lesson.unit_id, lesson.lesson_id))
if lesson.has_activity and fs.isfile(path):
activity = fs.get(path)
else:
activity = ''
payload_dict = {
'key': key,
'title': lesson.title,
'unit_id': lesson.unit_id,
'objectives': lesson.objectives,
'video': lesson.video,
'notes': lesson.notes,
'activity_title': lesson.activity_title,
'activity_listed': lesson.activity_listed,
'activity': activity,
'is_draft': not lesson.now_available
}
message = ['Success.']
if self.request.get('is_newly_created'):
message.append('New lesson has been created and saved.')
transforms.send_json_response(
self, 200, '\n'.join(message),
payload_dict=payload_dict,
xsrf_token=XsrfTokenManager.create_xsrf_token('lesson-edit'))
