Submitting assignment now does not require report student_id (#18)

LibreTexts · Feb 26, 2020 · 1fc5726 · 1fc5726
1 parent dc355e3
commit 1fc5726
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 26 deletions.
diff --git a/api-specifications.md b/api-specifications.md
@@ -244,8 +244,8 @@ Used for the inbound part of ExchangeList.
 
 ### /api/submission: Collecting and submitting a submission
 
-#### POST /api/submission/&lt;course_id&gt;/&lt;assignment_id&gt;/&lt;student_id&gt;
-*submit a copy of an assignment (students+instructors; `student_id` must match, including for instructors)*
+#### POST /api/submission/&lt;course_id&gt;/&lt;assignment_id&gt;
+*submit a copy of an assignment (students+instructors)*
 
 Used for ExchangeSubmit.
 
@@ -266,7 +266,6 @@ files=/* encoded directory tree in JSON */
 * Permission denied
 * Course not found
 * Assignment not found
-* Student not found
 * Please supply files
 * Files cannot be JSON decoded
 * Content cannot be base64 decoded

diff --git a/vulnerable/home.html b/vulnerable/home.html
@@ -79,7 +79,7 @@ <h2>Promise me that you do not use me in production</h2>
       /api/submissions/&lt;course_id&gt;/&lt;assignment_id&gt;/&lt;student_id&gt;</a>:
   List student's submissions
 </p>
-<form id="form2" action="/api/submission/course2/assignment2a/Eric" method="POST">
+<form id="form2" action="/api/submission/course2/assignment2a" method="POST">
   <input type="hidden" name="files" value="[{&quot;path&quot;: &quot;a&quot;, &quot;content&quot;: &quot;amtsCg==&quot;}]" />
   <!-- [{"path": "a", "content": "amtsCg=="}] -->
   <input type="hidden" name="user" value="Eric" />

diff --git a/vulnerable/nbgrader.py b/vulnerable/nbgrader.py
@@ -154,21 +154,18 @@ def list_student_submission(course_id, assignment_id, student_id) :
 		})
 	return json_success(submissions=submissions)
 
-@app_post('/api/submission/<course_id>/<assignment_id>/<student_id>')
-def submit_assignment(course_id, assignment_id, student_id) :
+@app_post('/api/submission/<course_id>/<assignment_id>')
+def submit_assignment(course_id, assignment_id) :
 	'''
-		POST /api/submission/<course_id>/<assignment_id>/<student_id>
-		Submit a copy of an assignment (students+instructors, student_id match)
+		POST /api/submission/<course_id>/<assignment_id>
+		Submit a copy of an assignment (students+instructors)
 	'''
 	db = Session()
 	user = get_user(db)
 	course = find_course(db, course_id)
-	if user.id != student_id :
-		raise JsonError('Permission denied (submitting for someone else)')
 	check_course_related(db, course, user)
 	assignment = find_assignment(db, course, assignment_id)
-	student = find_course_student(db, course, student_id)
-	submission = Submission(student, assignment)
+	submission = Submission(user, assignment)
 	json_files_unpack(request.form.get('files'), submission.files)
 	db.commit()
 	return json_success()

diff --git a/vulnerable/test_nbgrader.py b/vulnerable/test_nbgrader.py
@@ -193,30 +193,25 @@ def test_submit_assignment() :
 	user = 'Kevin'
 	data = {'files': json.dumps([{'path': 'a', 'content': 'amtsCg=='},
 									{'path': 'b', 'content': 'amtsCg=='}])}
-	assert_fail(url + 'jkl/challenge/st', method=POST,
+	assert_fail(url + 'jkl/challenge', method=POST,
 				msg='Course not found')
-	assert_fail(url + 'course1/challenges/Kevin', method=POST,
+	assert_fail(url + 'course1/challenges', method=POST,
 				msg='Assignment not found')
-	assert_fail(url + 'course1/challenge/Kevin', method=POST,
-				msg='Student not found')
 	user = 'Lawrence'
-	assert_fail(url + 'course1/challenge/Lawrence', method=POST,
+	assert_fail(url + 'course1/challenge', method=POST,
 				msg='Please supply files')
-	assert_success(url + 'course1/challenge/Lawrence',
-			method=POST, data=data)
+	assert_success(url + 'course1/challenge', method=POST, data=data)
 	data['files'] = json.dumps([{'path': 'a', 'content': 'amtsCg=='}])
-	assert_success(url + 'course1/challenge/Lawrence',
+	assert_success(url + 'course1/challenge',
 			method=POST, data=data)
 	data['files'] = json.dumps([{'path': 'a', 'content': 'amtsCg'}])
-	assert_fail(url + 'course1/challenge/Lawrence', method=POST,
+	assert_fail(url + 'course1/challenge', method=POST,
 				data=data, msg='Content cannot be base64 decoded')
-	result = assert_success('/api/submissions/course1/challenge/Lawrence')
-	assert len(result['submissions']) == 4	# 2 from init, 2 from this
 	user = 'Kevin'
-	assert_fail(url + 'course1/challenge/Lawrence', method=POST,
-				msg='Permission denied (submitting for someone else)')
+	result = assert_success('/api/submissions/course1/challenge')
+	assert len(result['submissions']) == 4	# 2 from init, 2 from this
 	user = 'Eric'
-	assert_fail(url + 'course1/challenge/Eric', method=POST,
+	assert_fail(url + 'course1/challenge', method=POST,
 				msg='Permission denied (not related to course)')
 
 def test_download_submission() :