From 5203125b39ec8db67efb51989a9fa8eae24b1a54 Mon Sep 17 00:00:00 2001 From: Josh Thoo Jen Sen <110712708+josh1248@users.noreply.github.com> Date: Sat, 16 Nov 2024 19:39:57 +0800 Subject: [PATCH] Transfer groundControl (and admin panel) from staff to admin route (#1180) * Create a new staff scope * Move Admin Panel requests into admin scope * Change appropriate routes into admin scope * Find-replace galore * Fix linting * Linting does not work :( * Revert "Find-replace galore" This reverts commit e77aa05059207f8b6be3efc0ad062f880f20981e. * Revert "Change appropriate routes into admin scope" This reverts commit 18dc689a4df4836fc6967bf0f74dc252964bd175. * Revert "Create a new staff scope" This reverts commit 6b7e54e981a0f9b148fab087cf6ebd3bbf159d95. * Move dangerous routes into a new scope * Fix linting * Linting works in mysterious ways * One more formatting change * Swap order of all-staff and admin-only routes This swap prevents the all-staff route, "/grading/:submissionid/:questionid", from pattern matching and overshadowing the admin-only route "/grading/:assessmentid/publish_all_grades". Thankfully, no admin routes overshadow staff routes, so a quick fix can be done here. * Update error message for grading routes * Update error messages for users * Add test cases for assets for staff Create test cases to indicate that non-admin staff can only read assets, but not create, modify, or delete them. * Update test auth to admin for assets * Update and add tests for course config routes Updates positive test auth from staff to admin, adds negative tests to ensure that non-admin staff are unable to read, update, create, or delete course configs. * Update and add tests for assessment-level routes Update the modification / deletion test auth from staff to admin, and create tests to ensure that non-admin staff are not able to delete / unpublish them * Fix sourcecast error * Revert "Fix sourcecast error" This reverts commit 831ca601dd8dd099167b591fd3bb30d2f71a2dad. * Transfer asset routes to admin * Revert accidental formatting changes --- lib/cadet_web/router.ex | 73 +++++++---- priv/repo/seeds.exs | 4 +- .../admin_assessments_controller_test.exs | 117 ++++++++++++++---- .../admin_assets_controller_test.exs | 58 ++++++--- .../admin_courses_controller_test.exs | 75 ++++++++--- .../admin_grading_controller_test.exs | 4 +- .../admin_user_controller_test.exs | 4 +- 7 files changed, 251 insertions(+), 84 deletions(-) diff --git a/lib/cadet_web/router.ex b/lib/cadet_web/router.ex index 949805c34..9c73f21da 100644 --- a/lib/cadet_web/router.ex +++ b/lib/cadet_web/router.ex @@ -28,6 +28,10 @@ defmodule CadetWeb.Router do plug(:ensure_role, [:staff, :admin]) end + pipeline :ensure_admin do + plug(:ensure_role, [:admin]) + end + scope "/", CadetWeb do get("/.well-known/jwks.json", JWKSController, :index) end @@ -119,11 +123,18 @@ defmodule CadetWeb.Router do get("/team/:assessmentid", TeamController, :index) end - # Admin pages - scope "/v2/courses/:course_id/admin", CadetWeb do - pipe_through([:api, :auth, :ensure_auth, :course, :ensure_staff]) + # Admin pages (Access: Course administrators only - these routes can cause substantial damage) + @doc """ + NOTE: This scope must come before the routes for all staff below. - resources("/sourcecast", AdminSourcecastController, only: [:create, :delete]) + This is due to the all-staff route "/grading/:submissionid/:questionid", which would pattern match + and overshadow "/grading/:assessmentid/publish_all_grades". + + If an admin route will overshadow an all-staff route as well, a suggested better solution would be a + per-route permission level check. + """ + scope "/v2/courses/:course_id/admin", CadetWeb do + pipe_through([:api, :auth, :ensure_auth, :course, :ensure_admin]) get("/assets/:foldername", AdminAssetsController, :index) post("/assets/:foldername/*filename", AdminAssetsController, :upload) @@ -133,6 +144,39 @@ defmodule CadetWeb.Router do post("/assessments/:assessmentid", AdminAssessmentsController, :update) delete("/assessments/:assessmentid", AdminAssessmentsController, :delete) + post( + "/grading/:assessmentid/publish_all_grades", + AdminGradingController, + :publish_all_grades + ) + + post( + "/grading/:assessmentid/unpublish_all_grades", + AdminGradingController, + :unpublish_all_grades + ) + + put("/users/:course_reg_id/role", AdminUserController, :update_role) + delete("/users/:course_reg_id", AdminUserController, :delete_user) + + put("/config", AdminCoursesController, :update_course_config) + # TODO: Missing corresponding Swagger path entry + get("/config/assessment_configs", AdminCoursesController, :get_assessment_configs) + put("/config/assessment_configs", AdminCoursesController, :update_assessment_configs) + # TODO: Missing corresponding Swagger path entry + delete( + "/config/assessment_config/:assessment_config_id", + AdminCoursesController, + :delete_assessment_config + ) + end + + # Admin pages (Access: All staff) + scope "/v2/courses/:course_id/admin", CadetWeb do + pipe_through([:api, :auth, :ensure_auth, :course, :ensure_staff]) + + resources("/sourcecast", AdminSourcecastController, only: [:create, :delete]) + get( "/assessments/:assessmentid/popularVoteLeaderboard", AdminAssessmentsController, @@ -148,14 +192,6 @@ defmodule CadetWeb.Router do get("/grading", AdminGradingController, :index) get("/grading/summary", AdminGradingController, :grading_summary) - post("/grading/:assessmentid/publish_all_grades", AdminGradingController, :publish_all_grades) - - post( - "/grading/:assessmentid/unpublish_all_grades", - AdminGradingController, - :unpublish_all_grades - ) - get("/grading/:submissionid", AdminGradingController, :show) post("/grading/:submissionid/unsubmit", AdminGradingController, :unsubmit) post("/grading/:submissionid/unpublish_grades", AdminGradingController, :unpublish_grades) @@ -184,8 +220,6 @@ defmodule CadetWeb.Router do # The admin route for getting total xp of a specific user get("/users/:course_reg_id/total_xp", AdminUserController, :combined_total_xp) - put("/users/:course_reg_id/role", AdminUserController, :update_role) - delete("/users/:course_reg_id", AdminUserController, :delete_user) get("/users/:course_reg_id/goals", AdminGoalsController, :index_goals_with_progress) post("/users/:course_reg_id/goals/:uuid/progress", AdminGoalsController, :update_progress) @@ -202,17 +236,6 @@ defmodule CadetWeb.Router do delete("/stories/:storyid", AdminStoriesController, :delete) post("/stories/:storyid", AdminStoriesController, :update) - put("/config", AdminCoursesController, :update_course_config) - # TODO: Missing corresponding Swagger path entry - get("/config/assessment_configs", AdminCoursesController, :get_assessment_configs) - put("/config/assessment_configs", AdminCoursesController, :update_assessment_configs) - # TODO: Missing corresponding Swagger path entry - delete( - "/config/assessment_config/:assessment_config_id", - AdminCoursesController, - :delete_assessment_config - ) - get("/teams", AdminTeamsController, :index) post("/teams", AdminTeamsController, :create) delete("/teams/:teamid", AdminTeamsController, :delete) diff --git a/priv/repo/seeds.exs b/priv/repo/seeds.exs index 37be60527..57173cea0 100644 --- a/priv/repo/seeds.exs +++ b/priv/repo/seeds.exs @@ -26,9 +26,9 @@ alias Cadet.Accounts.{ # Cadet.Repo.insert!(%Cadet.Settings.Sublanguage{chapter: 1, variant: "default"}) if Cadet.Env.env() == :dev do - number_of_students = 10 + number_of_students = 100_000 number_of_assessments = 5 - number_of_questions = 3 + number_of_questions = 13 # Course admin_course = diff --git a/test/cadet_web/admin_controllers/admin_assessments_controller_test.exs b/test/cadet_web/admin_controllers/admin_assessments_controller_test.exs index 10e9c3331..cfd590925 100644 --- a/test/cadet_web/admin_controllers/admin_assessments_controller_test.exs +++ b/test/cadet_web/admin_controllers/admin_assessments_controller_test.exs @@ -370,8 +370,34 @@ defmodule CadetWeb.AdminAssessmentsControllerTest do end end - describe "POST /, staff only" do + describe "POST /, non-admin staff only" do @tag authenticate: :staff + test "unauthorized", %{conn: conn} do + test_cr = conn.assigns.test_cr + course = test_cr.course + config = insert(:assessment_config, %{course: course}) + + assessment = + build(:assessment, + course: course, + course_id: course.id, + config: config, + config_id: config.id, + is_published: true + ) + + questions = build_list(5, :question, assessment: nil) + + xml = XMLGenerator.generate_xml_for(assessment, questions) + force_update = "false" + body = %{assessment: xml, forceUpdate: force_update, assessmentConfigId: config.id} + conn = post(conn, build_url(course.id), body) + assert response(conn, 403) == "Forbidden" + end + end + + describe "POST /, admin only" do + @tag authenticate: :admin test "successful", %{conn: conn} do test_cr = conn.assigns.test_cr course = test_cr.course @@ -429,7 +455,7 @@ defmodule CadetWeb.AdminAssessmentsControllerTest do assert expected_assessment != nil end - @tag authenticate: :staff + @tag authenticate: :admin test "upload empty xml", %{conn: conn} do test_cr = conn.assigns.test_cr course = test_cr.course @@ -487,6 +513,18 @@ defmodule CadetWeb.AdminAssessmentsControllerTest do describe "DELETE /:assessment_id, staff only" do @tag authenticate: :staff + test "unauthorized", %{conn: conn} do + test_cr = conn.assigns.test_cr + course = test_cr.course + config = insert(:assessment_config, %{course: course}) + assessment = insert(:assessment, %{course: course, config: config}) + conn = delete(conn, build_url(course.id, assessment.id)) + assert response(conn, 403) == "Forbidden" + end + end + + describe "DELETE /:assessment_id, admin only" do + @tag authenticate: :admin test "successful", %{conn: conn} do test_cr = conn.assigns.test_cr course = test_cr.course @@ -497,7 +535,7 @@ defmodule CadetWeb.AdminAssessmentsControllerTest do assert is_nil(Repo.get(Assessment, assessment.id)) end - @tag authenticate: :staff + @tag authenticate: :admin test "error due to different course", %{conn: conn} do test_cr = conn.assigns.test_cr course = test_cr.course @@ -509,19 +547,6 @@ defmodule CadetWeb.AdminAssessmentsControllerTest do assert response(conn, 403) == "User not allow to delete assessments from another course" refute is_nil(Repo.get(Assessment, assessment.id)) end - - # @tag authenticate: :staff - # test "error due to different course", %{conn: conn} do - # test_cr = conn.assigns.test_cr - # course = test_cr.course - # another_course = insert(:course) - # config = insert(:assessment_config, %{course: another_course}) - # assessment = insert(:assessment, %{course: another_course, config: config}) - - # conn = delete(conn, build_url(course.id, assessment.id)) - # assert response(conn, 403) == "User not allow to delete assessments from another course" - # refute is_nil(Repo.get(Assessment, assessment.id)) - # end end describe "POST /:assessment_id, unauthenticated, publish" do @@ -544,8 +569,20 @@ defmodule CadetWeb.AdminAssessmentsControllerTest do end end - describe "POST /:assessment_id, staff only, publish" do + describe "POST /:assessment_id, non-admin staff only, publish" do @tag authenticate: :staff + test "forbidden", %{conn: conn} do + test_cr = conn.assigns.test_cr + course = test_cr.course + config = insert(:assessment_config, %{course: course}) + assessment = insert(:assessment, %{course: course, config: config}) + conn = post(conn, build_url(course.id, assessment.id), %{isPublished: true}) + assert response(conn, 403) == "Forbidden" + end + end + + describe "POST /:assessment_id, admin only, publish" do + @tag authenticate: :admin test "successful toggle from published to unpublished", %{conn: conn} do test_cr = conn.assigns.test_cr course = test_cr.course @@ -557,7 +594,7 @@ defmodule CadetWeb.AdminAssessmentsControllerTest do refute expected end - @tag authenticate: :staff + @tag authenticate: :admin test "successful toggle from unpublished to published", %{conn: conn} do test_cr = conn.assigns.test_cr course = test_cr.course @@ -608,8 +645,38 @@ defmodule CadetWeb.AdminAssessmentsControllerTest do end end - describe "POST /:assessment_id, staff only" do + describe "POST /:assessment_id, non-admin staff only" do @tag authenticate: :staff + test "forbidden", %{conn: conn} do + test_cr = conn.assigns.test_cr + course = test_cr.course + config = insert(:assessment_config, %{course: course}) + assessment = insert(:assessment, %{course: course, config: config}) + + new_open_at = + Timex.now() + |> Timex.beginning_of_day() + |> Timex.shift(days: 3) + |> Timex.shift(hours: 4) + + new_open_at_string = + new_open_at + |> Timex.format!("{ISO:Extended}") + + new_close_at = Timex.shift(new_open_at, days: 7) + + new_close_at_string = + new_close_at + |> Timex.format!("{ISO:Extended}") + + new_dates = %{openAt: new_open_at_string, closeAt: new_close_at_string} + conn = post(conn, build_url(course.id, assessment.id), new_dates) + assert response(conn, 403) == "Forbidden" + end + end + + describe "POST /:assessment_id, admin only" do + @tag authenticate: :admin test "successful", %{conn: conn} do test_cr = conn.assigns.test_cr course = test_cr.course @@ -658,7 +725,7 @@ defmodule CadetWeb.AdminAssessmentsControllerTest do assert [assessment.open_at, assessment.close_at] == [new_open_at, new_close_at] end - @tag authenticate: :staff + @tag authenticate: :admin test "allowed to change open time of opened assessments", %{conn: conn} do test_cr = conn.assigns.test_cr course = test_cr.course @@ -703,7 +770,7 @@ defmodule CadetWeb.AdminAssessmentsControllerTest do assert [assessment.open_at, assessment.close_at] == [new_open_at, close_at] end - @tag authenticate: :staff + @tag authenticate: :admin test "not allowed to set close time to before open time", %{conn: conn} do test_cr = conn.assigns.test_cr course = test_cr.course @@ -748,7 +815,7 @@ defmodule CadetWeb.AdminAssessmentsControllerTest do assert [assessment.open_at, assessment.close_at] == [open_at, close_at] end - @tag authenticate: :staff + @tag authenticate: :admin test "successful, set close time to before current time", %{conn: conn} do test_cr = conn.assigns.test_cr course = test_cr.course @@ -793,7 +860,7 @@ defmodule CadetWeb.AdminAssessmentsControllerTest do assert [assessment.open_at, assessment.close_at] == [open_at, new_close_at] end - @tag authenticate: :staff + @tag authenticate: :admin test "successful, set open time to before current time", %{conn: conn} do test_cr = conn.assigns.test_cr course = test_cr.course @@ -838,7 +905,7 @@ defmodule CadetWeb.AdminAssessmentsControllerTest do assert [assessment.open_at, assessment.close_at] == [new_open_at, close_at] end - @tag authenticate: :staff + @tag authenticate: :admin test "successful, set hasTokenCounter and hasVotingFeatures to true", %{conn: conn} do test_cr = conn.assigns.test_cr course = test_cr.course @@ -873,7 +940,7 @@ defmodule CadetWeb.AdminAssessmentsControllerTest do ] end - @tag authenticate: :staff + @tag authenticate: :admin test "successful, set hasTokenCounter and hasVotingFeatures to false", %{conn: conn} do test_cr = conn.assigns.test_cr course = test_cr.course diff --git a/test/cadet_web/admin_controllers/admin_assets_controller_test.exs b/test/cadet_web/admin_controllers/admin_assets_controller_test.exs index d2d422361..95c689cba 100644 --- a/test/cadet_web/admin_controllers/admin_assets_controller_test.exs +++ b/test/cadet_web/admin_controllers/admin_assets_controller_test.exs @@ -68,15 +68,45 @@ defmodule CadetWeb.AdminAssetsControllerTest do end end - describe "inaccessible folder name" do + describe "non-admin staff permission, forbidden" do + @tag authenticate: :staff + test "GET /assets/:foldername", %{conn: conn} do + course_id = conn.assigns.course_id + conn = get(conn, build_url(course_id, "testFolder"), %{}) + + assert response(conn, 403) =~ "Forbidden" + end + @tag authenticate: :staff + test "DELETE /assets/:foldername/*filename", %{conn: conn} do + course_id = conn.assigns.course_id + conn = delete(conn, build_url(course_id, "testFolder/testFile.png")) + + assert response(conn, 403) =~ "Forbidden" + end + + @tag authenticate: :staff + test "POST /assets/:foldername/*filename", %{conn: conn} do + course_id = conn.assigns.course_id + + conn = + post(conn, build_url(course_id, "testFolder/testFile.png"), %{ + :upload => build_upload("test/fixtures/upload.png") + }) + + assert response(conn, 403) =~ "Forbidden" + end + end + + describe "inaccessible folder name" do + @tag authenticate: :admin test "index files", %{conn: conn} do course_id = conn.assigns.course_id conn = get(conn, build_url(course_id, "wrongFolder")) assert response(conn, 400) =~ "Invalid top-level folder name" end - @tag authenticate: :staff + @tag authenticate: :admin test "delete file", %{conn: conn} do course_id = conn.assigns.course_id conn = delete(conn, build_url(course_id, "wrongFolder/randomFile")) @@ -84,7 +114,7 @@ defmodule CadetWeb.AdminAssetsControllerTest do assert response(conn, 400) =~ "Invalid top-level folder name" end - @tag authenticate: :staff + @tag authenticate: :admin test "upload file", %{conn: conn} do course_id = conn.assigns.course_id @@ -98,7 +128,7 @@ defmodule CadetWeb.AdminAssetsControllerTest do end describe "ok request" do - @tag authenticate: :staff, course_id: 117 + @tag authenticate: :admin, course_id: 117 test "index file", %{conn: conn} do course_id = conn.assigns.course_id @@ -110,7 +140,7 @@ defmodule CadetWeb.AdminAssetsControllerTest do end end - @tag authenticate: :staff, course_id: 117 + @tag authenticate: :admin, course_id: 117 test "delete file", %{conn: conn} do course_id = conn.assigns.course_id @@ -121,7 +151,7 @@ defmodule CadetWeb.AdminAssetsControllerTest do end end - @tag authenticate: :staff, course_id: 117 + @tag authenticate: :admin, course_id: 117 test "upload file", %{conn: conn} do course_id = conn.assigns.course_id @@ -138,7 +168,7 @@ defmodule CadetWeb.AdminAssetsControllerTest do end describe "wrong file type" do - @tag authenticate: :staff + @tag authenticate: :admin test "upload file", %{conn: conn} do course_id = conn.assigns.course_id @@ -152,7 +182,7 @@ defmodule CadetWeb.AdminAssetsControllerTest do end describe "empty file name" do - @tag authenticate: :staff + @tag authenticate: :admin test "upload file", %{conn: conn} do course_id = conn.assigns.course_id @@ -164,7 +194,7 @@ defmodule CadetWeb.AdminAssetsControllerTest do assert response(conn, 400) =~ "Empty file name" end - @tag authenticate: :staff + @tag authenticate: :admin test "delete file", %{conn: conn} do course_id = conn.assigns.course_id conn = delete(conn, build_url(course_id, "testFolder")) @@ -173,7 +203,7 @@ defmodule CadetWeb.AdminAssetsControllerTest do end describe "nested filename request" do - @tag authenticate: :staff, course_id: 117 + @tag authenticate: :admin, course_id: 117 test "delete file", %{conn: conn} do course_id = conn.assigns.course_id @@ -184,7 +214,7 @@ defmodule CadetWeb.AdminAssetsControllerTest do end end - @tag authenticate: :staff, course_id: 117 + @tag authenticate: :admin, course_id: 117 test "upload file", %{conn: conn} do course_id = conn.assigns.course_id @@ -201,7 +231,7 @@ defmodule CadetWeb.AdminAssetsControllerTest do end describe "course with custom assets_prefix" do - @tag authenticate: :staff, course_id: 117 + @tag authenticate: :admin, course_id: 117 test "index file", %{conn: conn} do course_id = conn.assigns.course_id @@ -215,7 +245,7 @@ defmodule CadetWeb.AdminAssetsControllerTest do end end - @tag authenticate: :staff, course_id: 117 + @tag authenticate: :admin, course_id: 117 test "delete file", %{conn: conn} do course_id = conn.assigns.course_id @@ -228,7 +258,7 @@ defmodule CadetWeb.AdminAssetsControllerTest do end end - @tag authenticate: :staff, course_id: 117 + @tag authenticate: :admin, course_id: 117 test "upload file", %{conn: conn} do course_id = conn.assigns.course_id diff --git a/test/cadet_web/admin_controllers/admin_courses_controller_test.exs b/test/cadet_web/admin_controllers/admin_courses_controller_test.exs index cb4c1e30f..78cc915b0 100644 --- a/test/cadet_web/admin_controllers/admin_courses_controller_test.exs +++ b/test/cadet_web/admin_controllers/admin_courses_controller_test.exs @@ -81,7 +81,7 @@ defmodule CadetWeb.AdminCoursesControllerTest do end @tag authenticate: :student - test "rejects forbidden request for non-staff users", %{conn: conn} do + test "rejects forbidden request for students", %{conn: conn} do course_id = conn.assigns[:course_id] old_course = Repo.get(Course, course_id) @@ -98,6 +98,23 @@ defmodule CadetWeb.AdminCoursesControllerTest do end @tag authenticate: :staff + test "rejects forbidden request for non-admin staff", %{conn: conn} do + course_id = conn.assigns[:course_id] + old_course = Repo.get(Course, course_id) + + conn = + put(conn, build_url_course_config(course_id), %{ + "sourceChapter" => 3, + "sourceVariant" => "concurrent" + }) + + same_course = Repo.get(Course, course_id) + + assert response(conn, 403) == "Forbidden" + assert old_course == same_course + end + + @tag authenticate: :admin test "rejects requests if user does not belong to the specified course", %{conn: conn} do course_id = conn.assigns[:course_id] @@ -110,7 +127,7 @@ defmodule CadetWeb.AdminCoursesControllerTest do assert response(conn, 403) == "Forbidden" end - @tag authenticate: :staff + @tag authenticate: :admin test "rejects requests with invalid params", %{conn: conn} do course_id = conn.assigns[:course_id] @@ -123,7 +140,7 @@ defmodule CadetWeb.AdminCoursesControllerTest do assert response(conn, 400) == "Invalid parameter(s)" end - @tag authenticate: :staff + @tag authenticate: :admin test "rejects requests with missing params", %{conn: conn} do course_id = conn.assigns[:course_id] @@ -145,7 +162,7 @@ defmodule CadetWeb.AdminCoursesControllerTest do describe "GET /v2/courses/{course_id}/admin/configs/assessment_configs" do @tag authenticate: :admin - test "succeeds", %{conn: conn} do + test "succeeds for admins", %{conn: conn} do course_id = conn.assigns[:course_id] course = Repo.get(Course, course_id) config1 = insert(:assessment_config, %{order: 1, type: "Mission1", course: course}) @@ -206,8 +223,17 @@ defmodule CadetWeb.AdminCoursesControllerTest do assert expected == resp end + @tag authenticate: :staff + test "rejects forbidden request for non-admin staff", %{conn: conn} do + course_id = conn.assigns[:course_id] + + resp = get(conn, build_url_assessment_configs(course_id)) + + assert response(resp, 403) == "Forbidden" + end + @tag authenticate: :student - test "rejects forbidden request for non-staff users", %{conn: conn} do + test "rejects forbidden request for students", %{conn: conn} do course_id = conn.assigns[:course_id] resp = get(conn, build_url_assessment_configs(course_id)) @@ -257,8 +283,20 @@ defmodule CadetWeb.AdminCoursesControllerTest do assert new_configs == ["Missions", "Paths"] end + @tag authenticate: :staff + test "rejects forbidden request for non-admin staff", %{conn: conn} do + course_id = conn.assigns[:course_id] + + conn = + put(conn, build_url_assessment_configs(course_id), %{ + "assessmentConfigs" => [] + }) + + assert response(conn, 403) == "Forbidden" + end + @tag authenticate: :student - test "rejects forbidden request for non-staff users", %{conn: conn} do + test "rejects forbidden request for students", %{conn: conn} do course_id = conn.assigns[:course_id] conn = @@ -269,7 +307,7 @@ defmodule CadetWeb.AdminCoursesControllerTest do assert response(conn, 403) == "Forbidden" end - @tag authenticate: :staff + @tag authenticate: :admin test "rejects request if user is not in specified course", %{conn: conn} do course_id = conn.assigns[:course_id] @@ -281,7 +319,7 @@ defmodule CadetWeb.AdminCoursesControllerTest do assert response(conn, 403) == "Forbidden" end - @tag authenticate: :staff + @tag authenticate: :admin test "rejects requests with invalid params 1", %{conn: conn} do course_id = conn.assigns[:course_id] @@ -293,7 +331,7 @@ defmodule CadetWeb.AdminCoursesControllerTest do assert response(conn, 400) == "missing assessmentConfig" end - @tag authenticate: :staff + @tag authenticate: :admin test "rejects requests with invalid params 2", %{conn: conn} do course_id = conn.assigns[:course_id] @@ -306,7 +344,7 @@ defmodule CadetWeb.AdminCoursesControllerTest do "assessmentConfigs should be a list of assessment configuration objects" end - @tag authenticate: :staff + @tag authenticate: :admin test "rejects requests with invalid params: more than 8", %{conn: conn} do course_id = conn.assigns[:course_id] @@ -318,7 +356,7 @@ defmodule CadetWeb.AdminCoursesControllerTest do assert response(conn, 400) == "Invalid parameter(s)" end - @tag authenticate: :staff + @tag authenticate: :admin test "rejects requests with missing params", %{conn: conn} do course_id = conn.assigns[:course_id] @@ -350,8 +388,17 @@ defmodule CadetWeb.AdminCoursesControllerTest do assert new_configs == ["Paths"] end + @tag authenticate: :staff + test "rejects forbidden request for non-admin staff", %{conn: conn} do + course_id = conn.assigns[:course_id] + + conn = delete(conn, build_url_assessment_config(course_id, 1)) + + assert response(conn, 403) == "Forbidden" + end + @tag authenticate: :student - test "rejects forbidden request for non-staff users", %{conn: conn} do + test "rejects forbidden request for students", %{conn: conn} do course_id = conn.assigns[:course_id] conn = delete(conn, build_url_assessment_config(course_id, 1)) @@ -359,7 +406,7 @@ defmodule CadetWeb.AdminCoursesControllerTest do assert response(conn, 403) == "Forbidden" end - @tag authenticate: :staff + @tag authenticate: :admin test "rejects request if user is not in specified course", %{conn: conn} do course_id = conn.assigns[:course_id] @@ -368,7 +415,7 @@ defmodule CadetWeb.AdminCoursesControllerTest do assert response(conn, 403) == "Forbidden" end - @tag authenticate: :staff + @tag authenticate: :admin test "fails if config does not exist", %{conn: conn} do course_id = conn.assigns[:course_id] diff --git a/test/cadet_web/admin_controllers/admin_grading_controller_test.exs b/test/cadet_web/admin_controllers/admin_grading_controller_test.exs index 11d8df0f0..87ac65e28 100644 --- a/test/cadet_web/admin_controllers/admin_grading_controller_test.exs +++ b/test/cadet_web/admin_controllers/admin_grading_controller_test.exs @@ -1099,7 +1099,7 @@ defmodule CadetWeb.AdminGradingControllerTest do |> sign_in(staff.user) |> post(build_url_unpublish_all(course.id, assessment_id)) - assert response(conn, 403) == "Only Admin is permitted to unpublish all grades" + assert response(conn, 403) == "Forbidden" end end @@ -1135,7 +1135,7 @@ defmodule CadetWeb.AdminGradingControllerTest do |> sign_in(staff.user) |> post(build_url_publish_all(course.id, assessment_id)) - assert response(conn, 403) == "Only Admin is permitted to publish all grades" + assert response(conn, 403) == "Forbidden" end end diff --git a/test/cadet_web/admin_controllers/admin_user_controller_test.exs b/test/cadet_web/admin_controllers/admin_user_controller_test.exs index bd134876c..7b5a15393 100644 --- a/test/cadet_web/admin_controllers/admin_user_controller_test.exs +++ b/test/cadet_web/admin_controllers/admin_user_controller_test.exs @@ -450,7 +450,7 @@ defmodule CadetWeb.AdminUserControllerTest do conn = put(conn, build_url_users_role(course_id, user_course_reg.id), params) - assert response(conn, 403) == "User is not permitted to change others' roles" + assert response(conn, 403) == "Forbidden" unchanged_course_reg = Repo.get(CourseRegistration, user_course_reg.id) assert unchanged_course_reg.role == :student end @@ -512,7 +512,7 @@ defmodule CadetWeb.AdminUserControllerTest do conn = delete(conn, build_url_users(course_id, user_course_reg.id)) - assert response(conn, 403) == "User is not permitted to delete other users" + assert response(conn, 403) == "Forbidden" assert Repo.get(CourseRegistration, user_course_reg.id) != nil end