Progresses on grades change view and events. Discovered security vulnerability that allows a course admin to change whatever grade they want if they know the ID, even in other classes
App Academy Student committed Mar 19, 2015
1 parent dc422a1
commit 134f548
Showing 16 changed files with 89 additions and 93 deletions.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,4 @@ | ||
| MerlinsBoard.Models.Grade = Backbone.Model.extend({ | ||
| urlRoot: 'api/grades', | ||
| validate: function () {} | ||
| }) | ||
| }) |
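Review bot: the `validate: function () {}` stub in the Grade model is a no-op and should either be implemented or dropped; Backbone treats a `validate` that returns nothing as "valid", so an empty body only gives the appearance of validation. Note also that client-side validation cannot address the problem named in the commit message (a course admin changing grades in other classes by ID): that check has to be enforced on the server for `api/grades` updates, so nothing in this model should be relied on for authorization. Minor: `urlRoot: 'api/grades'` is a relative path; a leading slash (`'/api/grades'`) avoids depending on the page the app was loaded from.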
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,32 +1,20 @@ | ||
| MerlinsBoard.Views.CoursesEnroll = Backbone.View.extend({ | ||
| initialize: function () { | ||
| this.coursesearchView = new MerlinsBoard.Views.CoursesSearch({collection: this.collection}); //render will put these in manually | ||
| this.coursesearchView = new MerlinsBoard.Views.CoursesSearch(); | ||
| this.usercoursesView = new MerlinsBoard.Views.CoursesList({collection: this.model.courses()}); | ||
| this.usertaughtcoursesView = new MerlinsBoard.Views.CoursesList({collection: this.model.taughtcourses()}); | ||
| }, | ||
|
|
||
| template: JST['courses/enroll'], | ||
|
|
||
| render: function () { | ||
| this.$el.html(this.template()); | ||
|
|
||
| this.$("section.courses-attended").html(this.usercoursesView.render().$el); | ||
| this.$("section.courses-taught").html(this.usertaughtcoursesView.render().$el); | ||
| this.$("section.course-search").html(this.coursesearchView.render().$el); | ||
|
|
||
| return this | ||
| }, | ||
|
|
||
| //below two, again - hardcode URLs instead | ||
|
|
||
| show: function (event) { | ||
| event.preventDefault(); | ||
| var id = $(event.currentTarget).data("id"); | ||
| Backbone.history.navigate("course/" + id + "/enroll", {trigger:true}) | ||
| }, | ||
|
|
||
| events: { | ||
| "click a": "show" | ||
| return this | ||
| } | ||
|
|
||
| }); |
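Review bot: the comment `//below two, again - hardcode URLs instead` refers to the `show` handler and the `events` map that this change removes in favour of hard-coded hrefs in the list template, so it is now stale and should go with them. Also worth confirming: `CoursesSearch` is now constructed as `new MerlinsBoard.Views.CoursesSearch()` with no `collection`, where before it received `this.collection`; if that view still reads `this.collection` it will be `undefined`. The `return this` that appears directly after `"click a": "show"` in the rendered hunk looks like an interleaving of the removed `events` block with the end of `render`; please double-check that `render` still ends with `return this;` (with a semicolon, matching the rest of the file) after the removal.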
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -10,5 +10,4 @@ all this will be is organized links--> | |
| </form> | ||
|
|
||
| <section class="course-results"> | ||
|
|
||
| </section> | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,3 @@ | ||
| <% courses.each( function (course) { %> | ||
| <li><a href="#" data-id="<%=course.id%>"><%= course.escape("name") %></a></li> | ||
| <% })%> | ||
| <li><a href="<%= '#course/' + course.id + '/enroll'%>"><%= course.escape("name") %></a></li> | ||
| <% })%> |
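Review bot: the new `href="<%= '#course/' + course.id + '/enroll'%>"` interpolates `course.id` unescaped while the name on the same line correctly uses `course.escape("name")`. Server-assigned integer ids make this safe in practice, but for consistency use the escaping form (`<%- ... %>` in Underscore templates) or `course.escape('id')` so the template does not depend on the id's type. Since the link now bypasses the view's click handler, the `#course/:id/enroll` route must exist in the router for the link to work.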
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,12 +1,10 @@ | ||
| <h1>Grades for <%=grades.escape('fname') + " " + grades.escape('lname')%></h1> | ||
| <h1>Grades for <%= student.escape('fname') + " " + student.escape('lname')%></h1> | ||
|
|
||
| <section class="grade-errors"></section> | ||
|
|
||
| <% grades.each(function (grade) { %> | ||
| <h4> grade.escape('assignment_title') </h4> | ||
| <p> grade.escape('description')</p> | ||
| <h4> Assignment name:<%= grade.escape('title') %></h4> | ||
| <p> description: <%= grade.escape('description') %></p> | ||
| Grade: <strong class="grade-number" data-id="<%= grade.id %>"><%= grade.get('grade')%></strong> | ||
| <br> | ||
| <% }) %> | ||
|
|
||
| //I think all I'll do is just pretend like nothing happened if the entry is invalid |
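Review bot: the last line, `//I think all I'll do is just pretend like nothing happened if the entry is invalid`, is a JavaScript-style comment inside an EJS template, so it will be rendered as visible text on the page; wrap it in `<% /* ... */ %>` or remove it. The grade value is emitted with `<%= grade.get('grade')%>` while every other field uses `.escape(...)`; use `grade.escape('grade')` for consistency. Good fix on the `<h4>` line, which previously printed the literal text `grade.escape('assignment_title')` because the `<%= %>` tags were missing. The `data-id="<%= grade.id %>"` attribute is what the client will send back on an edit, and, as the commit message records, the server currently accepts any grade ID from a course admin; the update endpoint needs to verify that the grade belongs to a course the current user administers before saving.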
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,16 +1,17 @@ | ||
| json.grades @grades do |grade_obj| | ||
| json.id grade_obj.id | ||
| json.grade grade_obj.grade | ||
| json.assignment_id grade_obj.assignment_id | ||
| json.id grade_obj.assignment_id | ||
| json.user_id grade_obj.user_id | ||
| json.assignment_title grade_obj.assignment.title | ||
| json.assignment_description grade_obj.assignment.description | ||
| json.title grade_obj.assignment.title | ||
| json.description grade_obj.assignment.description | ||
| end | ||
|
|
||
| json.student_fname @student.fname | ||
| json.student_lname @student.lname | ||
| json.course_id @student.course.id | ||
| json.course_id @course_id | ||
|
|
||
| #remember then that for a single model, only top-level attrs will be assigned | ||
| # for a collection, each entry in the array should be top-level attrs (or wrapped in only a single object wrapper) | ||
| # but the array itself must be top-level | ||
| # weird: Cannot mix json.array! with other top-level attrs | ||
| # weird: Cannot mix json.array! with other top-level attrs |
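Review bot: the block now contains both `json.id grade_obj.id` and `json.id grade_obj.assignment_id`. If the second is the surviving line, the later call overwrites the first and the client's `grade.id` (used as `data-id` in the grades show template) becomes the assignment id rather than the grade id; keep `json.id` for the grade's own id and use `json.assignment_id` for the assignment. The rename to `json.title` / `json.description` matches the template's `grade.escape('title')` and `grade.escape('description')`, so that part is consistent. The comment `# weird: Cannot mix json.array! with other top-level attrs` appears twice; drop the duplicate. Separately, this view only shapes the response; the authorization gap described in the commit message has to be closed where `@grades` is loaded and where grade updates are handled, by scoping to courses the current user teaches.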