[#9564] Consolidate GET Student Profile RESTFul API

[Adoby7]

Part of #9564
Outline of Solution

The access control is following:

1. A student can view his own profile.
2. A student can view his teammate's profile in the same class.
3. An instructor can view profiles of students in his class.

Case 1 requires no parameter.
Case 2, 3 require studentEmail and courseId as parameters.

updated: the profile page e2e test is updated because /student/profile endpoint is changed

[junming403]

Overall good work!

[ChooJeremy]

@rrtheonlyone is probably more appropriate to review this, especially since he's also working on profile API. Here are my initial thoughts, I'll do a more thorough check when I have time to download this branch and test out the front end.

[rrtheonlyone]

Look good 👍 I just have some comments.

[Adoby7]

close and reopen PR to solve "Failed to read manifest file" problem

[rrtheonlyone]

LGTM 👍

I just have one small suggestion.

[xpdavid]

You can use logic.createStudent().

[Adoby7]

Actually the logic does not have this function, and I think it's unnecessary to create one just for testing

[xpdavid]

But the creation of student is really weird.

StudentsLogic.inst().createStudent?

[ChooJeremy]

Test consolidation still needs more work. Do take a look through the methods in BaseActionTest and make use of them if possible. Update them if necessary; as long as they don't break anything else. Don't rely on me to find them.

[ChooJeremy]

You can merge this method with testAccessControl_instructorAccessProfileFromHisCourse_shouldPass.
They're both testing for the same thing but one for validity and one for invalidity. Instead of doing these tests, you can just do:

Suggested change

	public void testAccessControl_instructorAccessOtherCourse_shouldFail() {
	public void testAccessControl_onlyInstructorsOfTheSameCourse_shouldPass() {
	StudentAttributes student1InCourse1 = typicalBundle.students.get("student1InCourse1");
	String[] submissionParams = new String[] {
	Const.ParamsNames.COURSE_ID, student1InCourse1.getCourse(),
	Const.ParamsNames.STUDENT_EMAIL, student1InCourse1.getEmail(),
	};
	verifyAccessibleForInstructorsOfTheSameCourse(submissionParams);
	verifyInaccessibleForInstructorsOfOtherCourses(submissionParams);

[Adoby7]

I think it's better to split the test cases as a good practice

[ChooJeremy]

You should use verifyInaccessibleWithoutViewStudentInSectionsPrivilege in BaseActionTest?

[Adoby7]

This is because I need to specify which privilege is needed to be tested, see comments below

[Adoby7]

Hi @ChooJeremy, I think using the BaseActionTest methods is not necessary in the following reasons:

1. The method name of each test case has already self-explained the parameter and the result of this case. Therefore, even not using the BaseActionTest method, each case is described clearly and we can focus more on test case design.
2. The BaseActionTest method may also confuse people. For example, the verifyAccessibleForInstructorInSameCourse simply uses instructor1InCourse1. Why this instructor is considered in the same course? How about I need to test other courses?
3. Some testing will be designed improperly using the BaseActionTest method. For example, the testAccessControl_instructorWithoutViewStudentInSectionPrivilege_shouldFail() that you have commented. The verifyInaccessibleWithoutViewStudentInSectionsPrivilege simply uses a helper account to represent an instructor without privilege. The only invalid value that causes inaccessible is ViewStudentInSectionPrivilege, but the helper account has no privilege at all (i.e. too many invalid values), and this may disrupt the accuracy of testing. See here for test case design heuristic.

That's what my thought.

[ChooJeremy]

@Adoby7
Here's my reasoning:

1. While this is true, it is harder to see that everything is tested if everything is split up into multiple different test cases in methods. I think it's better to do some abstraction so that each methods tests related sections of the endpoint, such as a single method testing for instructors accessing from other courses, testing for both validity and invalidity. Without this abstraction it's harder to reason about the test cases.
2. I agree, and this is a fault with the BaseActionTest that @rrtheonlyone also brought up at some point. The student tests in BaseAction tests also only test specifically for student1 and not any other students. Unfortunately while it is a fault, it's harder to have it adapt - it would have to read the parameters send in and decide which instructor is appropriate as same course and which is appropriate as different course, or add in new parameters to the method. Unfortunately it's likely just a design choice that we'll just have to follow, it's harder to fix it either way.
3. This is kind of why I suggested editing the method if needed.

I see no other problems with your code, so I'll just approve this and pass it on the senior devs to let them give their look through. If they're OK with it, then sure.

[junming403]

LGTM!

[xpdavid]

LGTM!