Commit ec684271 by Justin Riley

lock down proctor server API completely

Updated handle_ajax to explicitly handle each proctor server command
individually without accepting any parameters from the client. This
completely prevents users from interacting with the proctor server
API directly. Updated the JS code to do a POST when requesting access
(TODO: proctor server still needs to be updated to require POST - for
now the proctor xmodule still uses GET under the hood until this
gets changed)
parent a5ebe8c5
import sys
import json
import logging
import urllib2
import urlparse
import requests
......@@ -47,7 +48,7 @@ class ProctorPanel(object):
self.user = user
self.ses = requests.session()
def request(self, url, data=None, json=True):
def _make_request(self, url, data=None, json=True):
ret = self.ses.get(urlparse.urljoin(self.proc_url, url),
verify=False, data=data,
auth=(self.proc_user, self.proc_pass),
......@@ -63,10 +64,21 @@ class ProctorPanel(object):
data = ret.content
return data
def request(self, json=True):
url = 'cmd/request/{0}/{1}'.format(self.user.id,
urllib2.quote(self.procset_name))
data = dict(uname=self.user.username, name=self.user.profile.name)
return self._make_request(url, data=data, json=json)
def status(self, json=True):
url = 'cmd/status/{0}/{1}'.format(self.user.id,
urllib2.quote(self.procset_name))
return self._make_request(url, json=json)
def is_released(self):
url = 'cmd/status/{0}'.format(self.user.id)
log.info('ProctorPanel url={0}'.format(url))
retdat = self.request(url)
retdat = self._make_request(url)
log.info('ProctorPanel retdat={0}'.format(retdat))
enabled = retdat.get('enabled', False)
return enabled
......@@ -202,14 +214,16 @@ class ProctorModule(ProctorFields, XModule):
if dispatch == 'reset':
username = data.get("username")
return self.reset(username)
if dispatch == 'status':
return self.status()
#if dispatch == 'status':
#return self.status()
# if dispatch == 'grades':
# return self.grades()
# Proctor Panel requests (ALL USERS)
if dispatch.startswith('cmd/'):
return self.pp.request(dispatch, dict(data.items()), json=False)
if dispatch == 'request':
return self.pp.request(json=False)
if dispatch == 'status':
return self.pp.status(json=False)
if not self.is_released(): # check each time we do get_html()
html = self.not_released_html()
......
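Review bot: `_make_request` (L23–26) still issues every command with `self.ses.get(..., data=data)`, so the new `request` command at L30–34 ships `uname`/`name` as the body of a GET, which servers and proxies commonly drop or ignore; the description's TODO covers the proctor server side, but the client should grow the verb now rather than later, e.g. `def _make_request(self, url, data=None, json=True, method='GET'):` with `ret = self.ses.request(method, urlparse.urljoin(self.proc_url, url),` (rest of the call unchanged) and `return self._make_request(url, data=data, json=json, method='POST')` in `request()`. While the call is being touched, note that `verify=False` on L25 (a context line, not introduced here) turns off TLS certificate verification for the channel that carries the `auth=(self.proc_user, self.proc_pass)` credentials; if the proctor server uses a private CA, `verify='<path-to-ca-bundle>'` preserves verification. Both `request` and `status` interpolate `self.user.id` and the percent-encoded `self.procset_name` into the command path, and a one-line comment that `procset_name` is the only caller-influenced path segment and is quoted for that reason would help the next maintainer keep it that way. The enclosing `ProctorPanel` class and the `handle_ajax` method both continue outside the hunks.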
......@@ -78,22 +78,27 @@ procrel = (function(){
statel.html('<font color="green">' + status + '</font>');
}
var do_pp_get = function(cmd, gfun){
var _do_pp = function(cmd, type, gfun){
$.ajax({ url: "${ajax_url}/" + cmd,
type: 'GET',
data: { "uname": "${pp.user.username}",
"name": "${pp.user.profile.name}"
},
type: type,
success: gfun,
dataType: "json",
error: function(xhr, status, error) {
if (!skiperr){
alert('Error: cannot connect to server ' + status + " error: " + error);
console.log('Error: cannot connect to server ' + status + " error: " + error);
}
}
});
}
var do_pp_get = function(cmd, gfun){
return _do_pp(cmd, 'GET', gfun);
}
var do_pp_post = function(cmd, gfun){
return _do_pp(cmd, 'POST', gfun);
}
var check_access = function(){
do_pp_get('status', function(data){
console.log(data);
......@@ -123,10 +128,10 @@ procrel = (function(){
var make_request = function(){
check_count = 0;
do_pp_get('request', function(result, status, xhr){
setstat(result.status);
periodic_check();
});
do_pp_post('request', function(result, status, xhr){
setstat(result.status);
periodic_check();
});
}
el.click(make_request);
......@@ -135,6 +140,7 @@ procrel = (function(){
"check": check_access,
"make": make_request,
"do_pp_get": do_pp_get,
"do_pp_post": do_pp_post,
"set_skiperr": set_skiperr
};
......
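Review bot: `_do_pp` (L71–87) sends the new POST issued by `do_pp_post`/`make_request` (L91–93, L104) without a CSRF token, so if the `${ajax_url}` endpoint sits behind Django's CSRF middleware the `request` command will be rejected with a 403, and if the endpoint is exempt the switch to POST alone does not stop a cross-site page from triggering an access request for a logged-in user — which is the protection a state-changing POST is usually meant to provide. Either way the token should travel with the request, e.g. `headers: { 'X-CSRFToken': <csrf token from the csrftoken cookie or template> }` in the `$.ajax` options, using whichever CSRF helper the rest of the codebase already relies on (confirm what is available in this page). `do_pp_get`/`do_pp_post` are also exported on the module object (L113–114) with a free-form `cmd`; that is acceptable now that the server only answers `request` and `status`, but a short comment such as `// accepted commands are fixed server-side ('request', 'status'); do not widen here` would make that dependency explicit. The `procrel` IIFE begins and ends outside the hunks.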