Exemplo n.º 1
0
class CoursesLTIAPITests(ComPAIRAPITestCase):
    def setUp(self):
        super(CoursesLTIAPITests, self).setUp()
        self.data = SimpleAssignmentTestData()
        self.lti_data = LTITestData()

    def test_delete_course(self):
        # test unlinking of lti contexts when course deleted
        course = self.data.get_course()
        url = '/api/courses/' + course.uuid

        lti_consumer = self.lti_data.get_consumer()
        lti_context1 = self.lti_data.create_context(
            lti_consumer, compair_course_id=course.id)
        lti_context2 = self.lti_data.create_context(
            lti_consumer, compair_course_id=course.id)
        lti_resource_link1 = self.lti_data.create_resource_link(
            lti_consumer,
            lti_context=lti_context2,
            compair_assignment=self.data.assignments[0])
        lti_resource_link2 = self.lti_data.create_resource_link(
            lti_consumer,
            lti_context=lti_context2,
            compair_assignment=self.data.assignments[1])

        with self.login(self.data.get_authorized_instructor().username):
            rv = self.client.delete(url)
            self.assert200(rv)
            self.assertEqual(course.uuid, rv.json['id'])

            self.assertIsNone(lti_context1.compair_course_id)
            self.assertIsNone(lti_context2.compair_course_id)
            self.assertIsNone(lti_resource_link1.compair_assignment_id)
            self.assertIsNone(lti_resource_link2.compair_assignment_id)
Exemplo n.º 2
0
class CoursesLTIAPITests(ComPAIRAPITestCase):
    def setUp(self):
        super(CoursesLTIAPITests, self).setUp()
        self.data = SimpleAssignmentTestData()
        self.lti_data = LTITestData()

    def test_delete_course(self):
        # test unlinking of lti contexts when course deleted
        course = self.data.get_course()
        url = '/api/courses/' + course.uuid

        lti_consumer = self.lti_data.get_consumer()
        lti_context1 = self.lti_data.create_context(
            lti_consumer,
            compair_course_id=course.id
        )
        lti_context2 = self.lti_data.create_context(
            lti_consumer,
            compair_course_id=course.id
        )
        lti_resource_link1 = self.lti_data.create_resource_link(
            lti_consumer,
            lti_context=lti_context2,
            compair_assignment=self.data.assignments[0]
        )
        lti_resource_link2 = self.lti_data.create_resource_link(
            lti_consumer,
            lti_context=lti_context2,
            compair_assignment=self.data.assignments[1]
        )

        with self.login(self.data.get_authorized_instructor().username):
            rv = self.client.delete(url)
            self.assert200(rv)
            self.assertEqual(course.uuid, rv.json['id'])

            self.assertIsNone(lti_context1.compair_course_id)
            self.assertIsNone(lti_context2.compair_course_id)
            self.assertIsNone(lti_resource_link1.compair_assignment_id)
            self.assertIsNone(lti_resource_link2.compair_assignment_id)
Exemplo n.º 3
0
class ImpersonationAPITests(ComPAIRAPITestCase):

    def setUp(self):
        super(ImpersonationAPITests, self).setUp()
        self.data = SimpleAssignmentTestData()
        self.course_base_url = '/api/courses'
        self.assignment_base_url = self.course_base_url + '/' + self.data.get_course().uuid + '/assignments'
        self.impersonate_base_url = '/api/impersonate'
        self.profile_base_url = '/api/users'
        self.session_base_url = '/api/session'

        self.assignment_main_course = self.data.get_assignments()[0]
        self.student_main_course = self.data.get_authorized_student();
        self.student_second_course = self.data.get_unauthorized_student();
        self.instructor_main_course = self.data.get_authorized_instructor();
        self.instructor_second_course = self.data.get_unauthorized_instructor();

    def _start_impersonation(self, pretending):
        return self.client.post(self.impersonate_base_url + '/' + pretending.uuid)

    def _end_impersonation(self):
        return self.client.delete(self.impersonate_base_url)

    def _verify_impersonation(self, original=None, pretending=None):
        rv = self.client.get(self.impersonate_base_url)
        self.assert200(rv)
        self.assertEquals(rv.json.get('impersonating'), True)
        if original:
            self.assertEquals(rv.json.get('original_user').get('id'), original.uuid)
        if pretending:
            rv = self.client.get(self.session_base_url)
            self.assert200(rv)
            self.assertEqual(rv.json.get('id'), pretending.uuid)

    def _is_not_impersonating(self):
        rv = self.client.get(self.impersonate_base_url)
        self.assert200(rv)
        self.assertEquals(rv.json.get('impersonating'), False)

    def test_impersonation_requires_login(self):
        self.assert401(self._start_impersonation(self.instructor_main_course))
        self.assert401(self._start_impersonation(self.student_main_course))

    def test_student_cannot_impersonate(self):
        with self.login(self.student_main_course.username):
            self.assert403(self._start_impersonation(self.instructor_main_course))
            self.assert403(self._start_impersonation(self.student_second_course))

    def test_instructor_can_impersonate_own_students(self):
        with self.impersonate(self.instructor_main_course, self.student_main_course):
            self._verify_impersonation(original=self.instructor_main_course, pretending=self.student_main_course)

    def test_instructor_cannot_impersonate_student_not_in_his_course(self):
        with self.login(self.instructor_main_course.username):
            self.assert403(self._start_impersonation(self.student_second_course))
        with self.login(self.instructor_second_course.username):
            self.assert403(self._start_impersonation(self.student_main_course))

    def test_instructor_cannot_impersonate_admin(self):
        with self.login(self.instructor_main_course.username):
            self.assert403(self._start_impersonation(DefaultFixture.ROOT_USER))

    def test_admin_can_impersonate_students_but_not_instructors(self):
        with self.login(DefaultFixture.ROOT_USER.username):
            self.assert200(self._start_impersonation(self.student_main_course))
            self.assert403(self._start_impersonation(self.instructor_main_course))

    def test_end_impersonation(self):
        # Impersonation will block non-GET traffic, but should allow end impersonation (a DELETE call)
        with self.login(self.instructor_main_course.username):
            self.assert200(self._start_impersonation(self.student_main_course))
            self._verify_impersonation(original=self.instructor_main_course, pretending=self.student_main_course)

            self.assert200(self._end_impersonation())
            self._is_not_impersonating()

    def test_cannot_logout_during_impersonation(self):
        with self.impersonate(self.instructor_main_course, self.student_main_course):
            # explicit logout should fail
            self.assert403(self.client.delete('/api/logout', follow_redirects=True))
            # still logged in and impersonating
            self._verify_impersonation(original=self.instructor_main_course, pretending=self.student_main_course)

    def test_access_right_after_impersonation(self):
        comparisons_of_main_course_assignment_url = \
            self.assignment_base_url + '/' + self.assignment_main_course.uuid + '/users/comparisons?page=1&perPage=5'

        with self.login(self.instructor_main_course.username):
            self.assert200(self._start_impersonation(self.student_main_course))
            # no access when impersonating as student
            self.assert403(self.client.get(comparisons_of_main_course_assignment_url))
            self._end_impersonation()
            # resume access after impersonation
            self.assert200(self.client.get(comparisons_of_main_course_assignment_url))
Exemplo n.º 4
0
class ImpersonationAPITests(ComPAIRAPITestCase):
    def setUp(self):
        super(ImpersonationAPITests, self).setUp()
        self.data = SimpleAssignmentTestData()
        self.course_base_url = '/api/courses'
        self.assignment_base_url = self.course_base_url + '/' + self.data.get_course(
        ).uuid + '/assignments'
        self.impersonate_base_url = '/api/impersonate'
        self.profile_base_url = '/api/users'
        self.session_base_url = '/api/session'

        self.assignment_main_course = self.data.get_assignments()[0]
        self.student_main_course = self.data.get_authorized_student()
        self.student_second_course = self.data.get_unauthorized_student()
        self.instructor_main_course = self.data.get_authorized_instructor()
        self.instructor_second_course = self.data.get_unauthorized_instructor(
        )

    def _start_impersonation(self, pretending):
        return self.client.post(self.impersonate_base_url + '/' +
                                pretending.uuid)

    def _end_impersonation(self):
        return self.client.delete(self.impersonate_base_url)

    def _verify_impersonation(self, original=None, pretending=None):
        rv = self.client.get(self.impersonate_base_url)
        self.assert200(rv)
        self.assertEquals(rv.json.get('impersonating'), True)
        if original:
            self.assertEquals(
                rv.json.get('original_user').get('id'), original.uuid)
        if pretending:
            rv = self.client.get(self.session_base_url)
            self.assert200(rv)
            self.assertEqual(rv.json.get('id'), pretending.uuid)

    def _is_not_impersonating(self):
        rv = self.client.get(self.impersonate_base_url)
        self.assert200(rv)
        self.assertEquals(rv.json.get('impersonating'), False)

    def test_impersonation_requires_login(self):
        self.assert401(self._start_impersonation(self.instructor_main_course))
        self.assert401(self._start_impersonation(self.student_main_course))

    def test_student_cannot_impersonate(self):
        with self.login(self.student_main_course.username):
            self.assert403(
                self._start_impersonation(self.instructor_main_course))
            self.assert403(
                self._start_impersonation(self.student_second_course))

    def test_instructor_can_impersonate_own_students(self):
        with self.impersonate(self.instructor_main_course,
                              self.student_main_course):
            self._verify_impersonation(original=self.instructor_main_course,
                                       pretending=self.student_main_course)

    def test_instructor_cannot_impersonate_student_not_in_his_course(self):
        with self.login(self.instructor_main_course.username):
            self.assert403(
                self._start_impersonation(self.student_second_course))
        with self.login(self.instructor_second_course.username):
            self.assert403(self._start_impersonation(self.student_main_course))

    def test_instructor_cannot_impersonate_admin(self):
        with self.login(self.instructor_main_course.username):
            self.assert403(self._start_impersonation(DefaultFixture.ROOT_USER))

    def test_admin_can_impersonate_students_but_not_instructors(self):
        with self.login(DefaultFixture.ROOT_USER.username):
            self.assert200(self._start_impersonation(self.student_main_course))
            self.assert403(
                self._start_impersonation(self.instructor_main_course))

    def test_end_impersonation(self):
        # Impersonation will block non-GET traffic, but should allow end impersonation (a DELETE call)
        with self.login(self.instructor_main_course.username):
            self.assert200(self._start_impersonation(self.student_main_course))
            self._verify_impersonation(original=self.instructor_main_course,
                                       pretending=self.student_main_course)

            self.assert200(self._end_impersonation())
            self._is_not_impersonating()

    def test_cannot_logout_during_impersonation(self):
        with self.impersonate(self.instructor_main_course,
                              self.student_main_course):
            # explicit logout should fail
            self.assert403(
                self.client.delete('/api/logout', follow_redirects=True))
            # still logged in and impersonating
            self._verify_impersonation(original=self.instructor_main_course,
                                       pretending=self.student_main_course)

    def test_access_right_after_impersonation(self):
        comparisons_of_main_course_assignment_url = \
            self.assignment_base_url + '/' + self.assignment_main_course.uuid + '/users/comparisons?page=1&perPage=5'

        with self.login(self.instructor_main_course.username):
            self.assert200(self._start_impersonation(self.student_main_course))
            # no access when impersonating as student
            self.assert403(
                self.client.get(comparisons_of_main_course_assignment_url))
            self._end_impersonation()
            # resume access after impersonation
            self.assert200(
                self.client.get(comparisons_of_main_course_assignment_url))