1266 private vods are still publicly listed #1340

Merged
merged 6 commits into from
Apr 23, 2024

@YiranDuan721 YiranDuan721 commented Mar 24, 2024

Motivation and Context

To prevent streams marked as "private" from being listed anywhere (home page, course page and playlist) for a non course admin user. #1266 should be fixed with this.
(Currently they are listed, but unauthorized visiting of the stream is then blocked by a 403 page)

Description

Changes are done to backend APIs. Private streams of one course are filtered out in the responses, if the user is not admin of that course.

Steps for Testing

I tested using the example database setup, with:

  • Users:
    • Stephanie Studi (role: student, not admin of any course)
    • Anja Admin (role: admin, automatically admin of all courses)
  • Course "Einführung Brauereiwesen", visibility public, with the following lectures:
    • VL 1: Was ist Bier? (12:00pm 11.Apr.2022)
    • VL 2: Wie mache ich Bier? (12:00pm 18.Apr.2022)
    • VL 3: Rückblick (Sometime in the future)
      (Note that VL 2 is more recent than VL 1)

Pre-steps:

  1. Log in as Anja Admin
  2. Edit course "Einführung Brauereiwesen", mark "VL 2: Wie mache ich Bier?" as private
  3. Note that VL 2 is still listed everywhere

Tests:

  1. Log in as Stephanie Studi (or impersonate them in admin panel)
  2. Select the semester of course "Einführung Brauereiwesen" ("Summer 2022" under the example database setup)
  3. Check the homepage:
    1. The "most recent lecture" of "Einführung Brauereiwesen", listed under "My Courses", is dated at 11. Apr. 2022 (VL 2 at 18. Apr. 2022 is ignored)
    2. Under "Recent VODs", VL 1 is listed (VL 2 is ignored)
  4. Check the page for course "Einführung Brauereiwesen": VL 2 is not listed under "VODs"
  5. Watch VL 1, check the playlist: VL 2 is not listed there

Additional tests:
Marking a stream without VoD (currently live, or planned in the future) as private is currently not supported, but can be done by editing the database directly. If one does so, the private live stream / future lecture is then also not listed:

  1. on the home page in the "live" list
  2. on the home page as "next lecture" of the course
  3. on the course page under "scheduled"

Screenshots

  1. Home page (as admin, as student)
  2. Course page (as admin, as student)
  3. Playlist (as admin, as student)

@YiranDuan721 YiranDuan721 linked an issue Mar 24, 2024 that may be closed by this pull request
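
An added example (not code from this pull request or the project) of the rule described above: private streams are dropped from every listing for non course admins, and the "most recent lecture" is derived from the filtered list rather than the raw one. The `Stream` and `User` types, the function names and the 2099 date standing in for "sometime in the future" are assumptions; the sample data is constructed from the test setup in the description.

```go
package main

import "fmt"
import "time"

// Hypothetical types (assumptions, not the project's models).
type Stream struct {
	Name            string
	Start           time.Time
	Private, HasVoD bool
}
type User struct{ CourseAdmin bool } // admin of the course being listed

// VisibleStreams drops private streams unless the user is a course admin.
// A nil user (not logged in) is treated as a non-admin.
func VisibleStreams(u *User, streams []Stream) []Stream {
	out := make([]Stream, 0, len(streams))
	for _, s := range streams {
		if !s.Private || (u != nil && u.CourseAdmin) {
			out = append(out, s)
		}
	}
	return out
}

// LastRecording picks the newest VoD from the filtered list only, so a
// private VoD cannot leak through the "most recent lecture" summary field.
func LastRecording(u *User, streams []Stream) (last Stream, found bool) {
	for _, s := range VisibleStreams(u, streams) {
		if s.HasVoD && (!found || s.Start.After(last.Start)) {
			last, found = s, true
		}
	}
	return
}

// SampleCourse is constructed data mirroring the test setup (VL 2 private).
func SampleCourse() []Stream {
	at := func(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 12, 0, 0, 0, time.UTC) }
	return []Stream{
		{"VL 1: Was ist Bier?", at(2022, time.April, 11), false, true},
		{"VL 2: Wie mache ich Bier?", at(2022, time.April, 18), true, true},
		{"VL 3: Rückblick", at(2099, time.January, 1), false, false},
	}
}

func main() {
	last, _ := LastRecording(&User{}, SampleCourse())
	fmt.Println(len(VisibleStreams(&User{}, SampleCourse())), last.Name)
}
```

Routing every listing (home page, course page, playlist) through one filter keeps the views consistent, which is the property the manual test steps check one page at a time.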

Your Testserver will be ready at https://1340.test.live.mm.rbg.tum.de in a few minutes.

Logins
Kurs1 Kurs2 Kurs3 Kurs4
public public loggedin enrolled
prof1 prof1 prof2 prof1
prof2
student1
student2
student3
student1
student2
student2
student3
student1
student2

@SebiWrn SebiWrn merged commit f2c02cd into dev Apr 23, 2024
8 checks passed
@SebiWrn SebiWrn deleted the 1266-private-vods-are-still-publicly-listed branch April 23, 2024 15:46
SebiWrn pushed a commit that referenced this pull request May 7, 2024
* Don't show private live stream to non course-admins; show live stream of hidden courses to course admins

* Don't show private VoDs in the playlist to non course admins

* Don't show private VoDs on the course page to non course admins

* On the home page, don't show private VoDs as "LastRecording" / "most recent VoDs" to non course admins

* Change usage of Course.ToDTO, with a mocked admin as the parameter

* No authorization in liveStreams(), as is expected in the tests. This does not affect the result, private live streams are not listed for students.
Successfully merging this pull request may close these issues.

Private VoDs are still publicly listed