cafe-grader-web Commit - r756:aa79958f6521

cafe-grader-web

Commit `r756:aa79958f6521` public

parent | child

Description:

more test and clean up authorization

Commit status:

[Not Reviewed]

References:

algo

Diff options:

| | | |

Comments:

0 Commit comments 0 Inline Comments

Unresolved TODOs:

There are no unresolved TODOs

Add another comment

r756:aa79958f6521 - Mon, 08 Jul 2019 04:08:41 - 13 files changed: 53 inserted, 38 deleted

Gemfile.lock ¶ +19

                   bootstrap-toggle-rails (2.2.1.0)
                   bootstrap3-datetimepicker-rails (4.17.47)
                     momentjs-rails (>= 2.8.1)
                   builder (3.2.3)
                   byebug (11.0.1)
                   capybara (3.25.0)
                     addressable
                     mini_mime (>= 0.1.3)
                     nokogiri (~> 1.8)
                     rack (>= 1.6.0)
                     rack-test (>= 0.6.3)
                     regexp_parser (~> 1.5)
                     xpath (~> 3.2)
                   childprocess (1.0.1)
                     rake (< 13.0)
                   coffee-rails (4.2.2)
                     coffee-script (>= 2.2.0)
                     railties (>= 4.0.0)
                   coffee-script (2.4.1)
                     coffee-script-source
                     execjs
                   coffee-script-source (1.12.2)
                   concurrent-ruby (1.1.5)
                   crass (1.0.4)
+            +     diff-lcs (1.3)
                   dynamic_form (1.1.4)
                   erubi (1.8.0)
                   erubis (2.7.0)
                   execjs (2.7.0)
                   ffi (1.11.1)
                   fuzzy-string-match (1.0.1)
                     RubyInline (>= 3.8.6)
                   globalid (0.4.2)
                     activesupport (>= 4.2.0)
                   haml (5.1.0)
                     temple (>= 0.8.0)
                     tilt
                   haml-rails (1.0.0)
                     actionpack (>= 4.0.1)
                     activesupport (>= 4.0.1)
                     haml (>= 4.0.6, < 6.0)
                     html2haml (>= 1.0.1)
                     railties (>= 4.0.1)
                   html2haml (2.2.0)
                     erubis (~> 2.7.0)
                     haml (>= 4.0, < 6)
                     nokogiri (>= 1.6.0)
                     ruby_parser (~> 3.5)
                   i18n (1.6.0)
                   rails-controller-testing (1.0.4)
                     actionpack (>= 5.0.1.x)
                     actionview (>= 5.0.1.x)
                     activesupport (>= 5.0.1.x)
                   rails-dom-testing (2.0.3)
                     activesupport (>= 4.2.0)
                     nokogiri (>= 1.6)
                   rails-html-sanitizer (1.0.4)
                     loofah (~> 2.2, >= 2.2.2)
                   rails_bootstrap_sortable (2.0.6)
                     momentjs-rails (>= 2.8.3)
                   railties (5.2.3)
                     actionpack (= 5.2.3)
                     activesupport (= 5.2.3)
                     method_source
                     rake (>= 0.8.7)
                     thor (>= 0.19.0, < 2.0)
                   rake (12.3.2)
                   rb-fsevent (0.10.3)
                   rb-inotify (0.10.0)
                     ffi (~> 1.0)
                   rdiscount (2.2.0.1)
                   regexp_parser (1.5.1)
                   rouge (3.3.0)
+            +     rspec-core (3.8.2)
+            +       rspec-support (~> 3.8.0)
+            +     rspec-expectations (3.8.4)
+            +       diff-lcs (>= 1.2.0, < 2.0)
+            +       rspec-support (~> 3.8.0)
+            +     rspec-mocks (3.8.1)
+            +       diff-lcs (>= 1.2.0, < 2.0)
+            +       rspec-support (~> 3.8.0)
+            +     rspec-rails (3.8.2)
+            +       actionpack (>= 3.0)
+            +       activesupport (>= 3.0)
+            +       railties (>= 3.0)
+            +       rspec-core (~> 3.8.0)
+            +       rspec-expectations (~> 3.8.0)
+            +       rspec-mocks (~> 3.8.0)
+            +       rspec-support (~> 3.8.0)
+            +     rspec-support (3.8.2)
                   ruby-progressbar (1.10.0)
                   ruby_dep (1.5.0)
                   ruby_parser (3.13.1)
                     sexp_processor (~> 4.9)
                   rubyzip (1.2.3)
                   sass (3.7.4)
                     sass-listen (~> 4.0.0)
                   sass-listen (4.0.0)
                     rb-fsevent (~> 0.9, >= 0.9.4)
                     rb-inotify (~> 0.9, >= 0.9.7)
                   sass-rails (5.0.7)
                     railties (>= 4.0.0, < 6)
                     sass (~> 3.1)
                     sprockets (>= 2.8, < 4.0)
                     sprockets-rails (>= 2.0, < 4.0)
                     tilt (>= 1.1, < 3)
                   sassc (2.0.1)
                     ffi (~> 1.9)
                     rake
                   sassc-rails (2.1.1)
                     railties (>= 4.0.0)
                     sassc (>= 2.0)
                     sprockets (> 3.0)
                     sprockets-rails
                 coffee-rails
                 dynamic_form
                 fuzzy-string-match
                 haml
                 haml-rails
                 in_place_editing
                 jbuilder (~> 2.5)
                 jquery-countdown-rails
                 jquery-datatables-rails
                 jquery-rails
                 jquery-tablesorter
                 jquery-timepicker-addon-rails
                 jquery-ui-rails
                 listen (>= 3.0.5, < 3.2)
                 mail
                 minitest-reporters
                 momentjs-rails
                 mysql2
                 puma
                 rails (~> 5.2)
                 rails-controller-testing
                 rails_bootstrap_sortable
                 rdiscount
                 rouge
+            +   rspec-rails
                 sassc-rails
                 select2-rails
                 selenium-webdriver
                 simple_form
                 spring
                 spring-watcher-listen (~> 2.0.0)
                 sqlite3
                 uglifier
                 web-console (>= 3.3.0)
                 webdriver
                 will_paginate (~> 3.0.7)
                 yaml_db
               BUNDLED WITH
 .17.2

app/controllers/application_controller.rb ¶ +15 -16

               require 'ipaddr'
               class ApplicationController < ActionController::Base
                 protect_from_forgery
                 before_action :current_user
                 SINGLE_USER_MODE_CONF_KEY = 'system.single_user_mode'
                 MULTIPLE_IP_LOGIN_CONF_KEY = 'right.multiple_ip_login'
                 ALLOW_WHITELIST_IP_ONLY_CONF_KEY = 'right.allow_whitelist_ip_only'
                 WHITELIST_IP_CONF_KEY = 'right.whitelist_ip'
                 #report and redirect for unauthorized activities
-            -   def unauthorized_redirect
+            +   def unauthorized_redirect(notice = 'You are not authorized to view the page you requested')
-            -     flash[:notice] = 'You are not authorized to view the page you requested'
+            +     flash[:notice] = notice
-            -     redirect_to :controller => 'main', :action => 'login'
+            +     redirect_to login_main_path
                 end
                 # Returns the current logged-in user (if any).
                 def current_user
                   return nil unless session[:user_id]
                   @current_user ||= User.find(session[:user_id])
                 end
                 def admin_authorization
-            -     return false unless authenticate
+            +     return false unless check_valid_login
                   user = User.includes(:roles).find(session[:user_id])
                   unless user.admin?
                     unauthorized_redirect
                     return false
                   end
                   return true
                 end
                 def authorization_by_roles(allowed_roles)
-            -     return false unless authenticate
+            +     return false unless check_valid_login
                   user = User.find(session[:user_id])
                   unless user.roles.detect { |role| allowed_roles.member?(role.name) }
                     unauthorized_redirect
                     return false
                   end
                 end
                 def testcase_authorization
                   #admin always has privileged
                   if @current_user.admin?
                     return true
                   end
                   unauthorized_redirect unless GraderConfiguration["right.view_testcase"]
                 end
                 protected
                 #redirect to root (and also force logout)
                 #if the user is not logged_in or the system is in "ADMIN ONLY" mode
-            -   def authenticate
+            +   def check_valid_login
+            +     #check if logged in
                   unless session[:user_id]
-            -       flash[:notice] = 'You need to login'
                     if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY]
-            -         flash[:notice] = 'You need to login but you cannot log in at this time'
+            +         unauthorized_redirect('You need to login but you cannot log in at this time')
+            +       else
+            +         unauthorized_redirect('You need to login')
                     end
-            -       redirect_to :controller => 'main', :action => 'login'
                     return false
                   end
                   # check if run in single user mode
                   if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY]
                     if @current_user==nil || (not @current_user.admin?)
-            -         flash[:notice] = 'You cannot log in at this time'
+            +         unauthorized_redirect('You cannot log in at this time')
-            -         redirect_to :controller => 'main', :action => 'login'
                       return false
                     end
                   end
                   # check if the user is enabled
                   unless @current_user.enabled? || @current_user.admin?
-            -       flash[:notice] = 'Your account is disabled'
+            +       unauthorized_redirect 'Your account is disabled'
-            -       redirect_to :controller => 'main', :action => 'login'
                     return false
                   end
                   # check if user ip is allowed
                   unless @current_user.admin? || !GraderConfiguration[ALLOW_WHITELIST_IP_ONLY_CONF_KEY]
                     unless is_request_ip_allowed?
-            -         flash[:notice] = 'Your IP is not allowed'
+            +         unauthorized_redirect 'Your IP is not allowed'
-            -         redirect_to root_path
+            +         return false
                     end
                   end
                   if GraderConfiguration.multicontests?
                     return true if @current_user.admin?
                     begin
                       if @current_user.contest_stat(true).forced_logout
                         flash[:notice] = 'You have been automatically logged out.'
                         redirect_to :controller => 'main', :action => 'index'
                       end
                     rescue
                     end
                   end
                   return true
                 end
                 #redirect to root (and also force logout)
                 #if the user use different ip from the previous connection
                 #  only applicable when MULTIPLE_IP_LOGIN options is false only
                 def authenticate_by_ip_address
                   #this assume that we have already authenticate normally
                   unless GraderConfiguration[MULTIPLE_IP_LOGIN_CONF_KEY]
                     user = User.find(session[:user_id])
                     if (not @current_user.admin? && user.last_ip && user.last_ip != request.remote_ip)
                       flash[:notice] = "You cannot use the system from #{request.remote_ip}. Your last ip is #{user.last_ip}"
                       redirect_to :controller => 'main', :action => 'login'
                       puts "CHEAT: user #{user.login} tried to login from '#{request.remote_ip}' while last ip is '#{user.last_ip}' at #{Time.zone.now}"
                       return false
                     end
                     unless user.last_ip
                       user.last_ip = request.remote_ip
                       user.save
                     end
                   end
                   return true
                 end
                 def authorization
-            -     return false unless authenticate
+            +     return false unless check_valid_login
                   user = User.find(session[:user_id])
                   unless user.roles.detect { |role|
                       role.rights.detect{ |right|
                         right.controller == self.class.controller_name and
                           (right.action == 'all' || right.action == action_name)
                       }
                     }
                     flash[:notice] = 'You are not authorized to view the page you requested'
                     #request.env['HTTP_REFERER'] ? (redirect_to :back) : (redirect_to :controller => 'login')
                     redirect_to :controller => 'main', :action => 'login'
                     return false
                   end
                 end
                 def verify_time_limit
                   return true if session[:user_id]==nil
                   user = User.find(session[:user_id], :include => :site)
                   return true if user==nil || user.site == nil
                   if user.contest_finished?
                     flash[:notice] = 'Error: the contest you are participating is over.'
                     redirect_to :back
                     return false
                   end
                   return true

app/controllers/configurations_controller.rb ¶ +1 -3

               class ConfigurationsController < ApplicationController
-            -   before_action :authenticate
+            +   before_action :admin_authorization
-            -   before_action { |controller| controller.authorization_by_roles(['admin'])}
                 def index
                   @configurations = GraderConfiguration.order(:key)
                   @group = GraderConfiguration.pluck("grader_configurations.key").map{ |x| x[0...(x.index('.'))] }.uniq.sort
                 end
                 def reload
                   GraderConfiguration.reload
                   redirect_to :action => 'index'
                 end
                 def update
                   @config = GraderConfiguration.find(params[:id])
                   User.clear_last_login if @config.key == GraderConfiguration::MULTIPLE_IP_LOGIN_KEY and @config.value == 'true' and params[:grader_configuration][:value] == 'false'
                   respond_to do |format|
                     if @config.update_attributes(configuration_params)
                       format.json { head :ok }
                     else
                       format.json { respond_with_bip(@config) }
                     end
                   end
                 end
               private

app/controllers/groups_controller.rb ¶ +1 -1

               class GroupsController < ApplicationController
                 before_action :set_group, only: [:show, :edit, :update, :destroy,
                                                  :add_user, :remove_user,:remove_all_user,
                                                  :add_problem, :remove_problem,:remove_all_problem,
                                                 ]
-            -   before_action :authenticate, :admin_authorization
+            +   before_action :admin_authorization
                 # GET /groups
                 def index
                   @groups = Group.all
                 end
                 # GET /groups/1
                 def show
                 end
                 # GET /groups/new
                 def new
                   @group = Group.new
                 end
                 # GET /groups/1/edit
                 def edit
                 end
                 # POST /groups
                 def create
                   @group = Group.new(group_params)
                   if @group.save

app/controllers/main_controller.rb ¶ +2 -7

               class MainController < ApplicationController
-            -   before_action :authenticate, :except => [:index, :login]
+            +   before_action :check_valid_login, :except => [:login]
                 before_action :check_viewability, :except => [:index, :login]
                 append_before_action :confirm_and_update_start_time,
                                      :except => [:index,
                                                  :login,
                                                  :confirm_contest_start]
                 # to prevent log in box to be shown when user logged out of the
                 # system only in some tab
                 prepend_before_action :reject_announcement_refresh_when_logged_out,
                                       :only => [:announcements]
                 before_action :authenticate_by_ip_address, :only => [:list]
-            -   # NOTE: This method is not actually needed, 'config/routes.rb' has
-            -   # assigned action login as a default action.
-            -   def index
-            -     redirect_to :action => 'login'
-            -   end
                 #reset login, clear session
+            +   #front page
                 def login
                   saved_notice = flash[:notice]
                   reset_session
                   flash.now[:notice] = saved_notice
                   # EXPERIMENT:
                   # Hide login if in single user mode and the url does not
                   # explicitly specify /login
                   #
                   # logger.info "PATH: #{request.path}"
                   # if GraderConfiguration['system.single_user_mode'] and
                   #     request.path!='/main/login'
                   #   @hidelogin = true
                   # end
                   @announcements = Announcement.frontpage
                   render :action => 'login', :layout => 'empty'
                 end
                 def logout
                   reset_session
                   redirect_to root_path
                 end

app/controllers/problems_controller.rb ¶ +5 -2

               class ProblemsController < ApplicationController
-            -   before_action :authenticate, :authorization
+            +   before_action :admin_authorization
-            -   before_action :testcase_authorization, only: [:show_testcase]
+            +   #NOTE: ghost from the past?
+            +   #before_action :testcase_authorization, only: [:show_testcase]
+            +
                 in_place_edit_for :problem, :name
                 in_place_edit_for :problem, :full_name
                 in_place_edit_for :problem, :full_score
                 def index
                   @problems = Problem.order(date_added: :desc)
                 end
                 def show
                   @problem = Problem.find(params[:id])
                 end
                 def new
                   @problem = Problem.new
                   @description = nil
                 end
                 def create
                   @problem = Problem.new(problem_params)
                   @description = Description.new(problem_params[:description])
                   if @description.body!=''
                     if !@description.save

app/controllers/report_controller.rb ¶ +2 -2

               require 'csv'
               class ReportController < ApplicationController
-            -   before_action :authenticate
+            +   before_action :check_valid_login
                 before_action :admin_authorization, only: [:login_stat,:submission_stat, :stuck, :cheat_report, :cheat_scruntinize, :show_max_score, :current_score]
                 before_action(only: [:problem_hof]) { |c|
-            -     return false unless authenticate
+            +     return false unless check_valid_login
                   admin_authorization unless GraderConfiguration["right.user_view_submission"]
                 }
                 def max_score
                 end
                 def current_score
                   @problems = Problem.available_problems
                   @users = User.includes(:contests).includes(:contest_stat).where(enabled: true)
                   @scorearray = calculate_max_score(@problems, @users,0,0,true)
                   #rencer accordingly
                   if params[:button] == 'download' then
                     csv = gen_csv_from_scorearray(@scorearray,@problems)
                     send_data csv, filename: 'max_score.csv'
                   else
                     #render template: 'user_admin/user_stat'
                     render 'current_score'
                   end
                 end
                 def show_max_score
                   #process parameters

app/controllers/submissions_controller.rb ¶ +1 -1

               class SubmissionsController < ApplicationController
-            -   before_action :authenticate
+            +   before_action :check_valid_login
                 before_action :submission_authorization, only: [:show, :download, :edit]
                 before_action :admin_authorization, only: [:rejudge]
                 # GET /submissions
                 # GET /submissions.json
                 # Show problem selection and user's submission of that problem
                 def index
                   @user = @current_user
                   @problems = @user.available_problems
                   if params[:problem_id]==nil
                     @problem = nil
                     @submissions = nil
                   else
                     @problem = Problem.find_by_id(params[:problem_id])
                     if (@problem == nil) or (not @problem.available)
                       redirect_to main_list_path
                       flash[:notice] = 'Error: submissions for that problem are not viewable.'
                       return
                     end
                     @submissions = Submission.find_all_by_user_problem(@user.id, @problem.id).order(id: :desc)
                   end
                 end

app/controllers/tags_controller.rb ¶ +1

               class TagsController < ApplicationController
+            +   before_action :admin_authorization
                 before_action :set_tag, only: [:show, :edit, :update, :destroy]
                 # GET /tags
                 def index
                   @tags = Tag.all
                 end
                 # GET /tags/1
                 def show
                 end
                 # GET /tags/new
                 def new
                   @tag = Tag.new
                 end
                 # GET /tags/1/edit
                 def edit
                 end
                 # POST /tags
                 def create
                   @tag = Tag.new(tag_params)

app/controllers/tasks_controller.rb ¶ +1 -1

               class TasksController < ApplicationController
-            -   before_action :authenticate, :check_viewability
+            +   before_action :check_valid_login, :check_viewability
                 def index
                   redirect_to :action => 'list'
                 end
                 def list
                   @problems = @user.available_problems
                 end
                 # this has contest-wide access control
                 def view
                   base_name = params[:file]
                   base_filename = File.basename("#{base_name}.#{params[:ext]}")
                   filename = "#{Problem.download_file_basedir}/#{base_filename}"
                   if !FileTest.exists?(filename)
                     redirect_to :action => 'index' and return
                   end
                   send_file_to_user(filename, base_filename)
                 end
                 # this has problem-level access control
                 def download

app/controllers/test_controller.rb ¶ +1 -1

               class TestController < ApplicationController
-            -   before_action :authenticate, :check_viewability
+            +   before_action :check_valid_login, :check_viewability
                 def index
                   prepare_index_information
                 end
                 def submit
                   @user = User.find(session[:user_id])
                   @submitted_test_request = TestRequest.new_from_form_params(@user,params[:test_request])
                   if ! @submitted_test_request.errors.empty?
                     prepare_index_information
                     render :action => 'index' and return
                   end
                   if GraderConfiguration.time_limit_mode?
                     if @user.contest_finished?
                       @submitted_test_request.errors.add(:base,'Contest is over.')
                       prepare_index_information
                       render :action => 'index' and return
                     end
                     if !GraderConfiguration.allow_test_request(@user)

app/controllers/users_controller.rb ¶ +2 -2

               require 'net/smtp'
               class UsersController < ApplicationController
                 include MailHelperMethods
-            -   before_action :authenticate, :except => [:new,
+            +   before_action :check_valid_login, :except => [:new,
                                                          :register,
                                                          :confirm,
                                                          :forget,
                                                          :retrieve_password]
                 before_action :verify_online_registration, :only => [:new,
                                                                      :register,
                                                                      :forget,
                                                                      :retrieve_password]
-            -   before_action :authenticate, :profile_authorization, only: [:profile]
+            +   before_action :check_valid_login, :profile_authorization, only: [:profile]
                 before_action :admin_authorization, only: [:stat, :toggle_activate, :toggle_enable]
                 #in_place_edit_for :user, :alias_for_editing
                 #in_place_edit_for :user, :email_for_editing
                 def index
                   if !GraderConfiguration['system.user_setting_enabled']
                     redirect_to :controller => 'main', :action => 'list'
                   else
                     @user = User.find(session[:user_id])
                   end
                 end
                 def chg_passwd
                   user = User.find(session[:user_id])
                   user.password = params[:passwd]
                   user.password_confirmation = params[:passwd_verify]
                   if user.save
                     flash[:notice] = 'password changed'
                   else
                     flash[:notice] = 'Error: password changing failed'
                   end

test/system/users_test.rb ¶ +2 -2

                     click_on 'Users', match: :first
                   end
                   click_on "View administrator"
                   fill_in 'login', with: 'john'
                   click_on "Grant"
                   visit logout_main_path
                   login 'john','hello'
                   within 'header' do
                     click_on 'Manage'
                     click_on 'Problem', match: :first
                   end
                   assert_text "Turn off all problems"
                 end
                 test "try using admin from normal user" do
                   login 'admin','admin'
                   visit  bulk_manage_user_admin_index_path
                   assert_current_path bulk_manage_user_admin_index_path
                   visit logout_main_path
                   login 'jack','morning'
                   visit  bulk_manage_user_admin_index_path
-            -     assert_current_path root_path
                   assert_text 'You are not authorized'
+            +     assert_current_path login_main_path
                   login 'james','morning'
                   visit  new_list_user_admin_index_path
-            -     assert_current_path root_path
                   assert_text 'You are not authorized'
+            +     assert_current_path login_main_path
                 end
                 def login(username,password)
                   visit root_path
                   fill_in "Login", with: username
                   fill_in "Password", with: password
                   click_on "Login"
                 end
               end

Write
Preview

You need to be logged in to leave comments. Login now

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository permissions settings

Sign in to your account

Author

r756:aa79958f6521 - Mon, 08 Jul 2019 04:08:41 - 13 files changed: 53 inserted, 38 deleted

Sign in to your account

Commit r756:aa79958f6521 public

Author

r756:aa79958f6521 - Mon, 08 Jul 2019 04:08:41 - 13 files changed: 53 inserted, 38 deleted

Commit `r756:aa79958f6521` public