
classroom's Issues

CSRF in AssignmentInvitationsController#accept_invitation

AssignmentInvitationsController#accept_invitation uses a GET request. This should be a POST. Otherwise, an attacker could post an image like

<img src="https://myclassroomapp.com/assignment_invitations/f772b522f9622307106fb91b7afe745d/accept_invitation">

on another site, forcing every Classroom user visiting the page to accept the invitation.

Project Timeline

This is the original timeline from my GSoC proposal. Just throwing it in here for feedback and my own edits.

Timeline

April 27th through May 25th
Getting to know my mentors and fleshing out the project's requirements, security concerns, and goals. I will also take this time to work on the application's design so that I have preliminary mockups to work from when I start building on week 0.

What I'll be working on, by week:

Weeks 0-1
  • Configure the application for development and deployment (CI, database, etc)
  • Set up any other needed systems (AWS etc)
  • Create basic styles and templating globally for the application
  • Set up GitHub Authentication for the app and permissions for security
  • Adapt teachers_pet to work on the web application
Weeks 2-3
  • Give users the ability to:
    • Upload CSV files
    • Add students to organization and create teams
  • I will also work on validation for the CSV file and present errors if need be
  • Style sections as needed
Weeks 4-5
  • Give users the ability to:
    • Select project repos to push to students
    • Create assignment repos for students/teams
  • Style sections as needed
Weeks 6-7
  • Give users the ability to:
    • Push template files from previously chosen repository
    • Create an easy to copy git clone command to pull down students' projects
  • Style sections as needed
Weeks 8-9
  • Give users the ability to:
    • Open an issue across all projects
    • Give feedback to teams
    • See who has forks of a particular project
    • Merge multiple pull requests for one project
  • Style sections as needed
Weeks 10-11
  • Testing, bug fixes, and changes as necessary
  • Finalize documentation and README
  • Verify deployment works and users can contribute easily

Assignment invitation success page

When a student successfully accepts an assignment, we should provide some useful information and a link for them to go to their repository.

Right now, they just get a message that says "Success."

Would be better to say something like: "Your repository for #{assignment.name} has been created at https://github.com/#{org}/#{repo}."

Design Halp

โค๏ธ ๐Ÿ’š ๐Ÿ’œ

  • Logo/Branding #42
  • Landing Page #77
  • Dashboard Layout #61
  • Organizations #78
    • Invite Admins #79
    • Settings #85
  • New Assignment #80
  • Assignments
    • Creation #86
    • Main Page #81
    • Invitation Page #82
    • Settings #84
  • Group Assignments
    • Creation #87
    • Main Page #81
    • Invitations Page #83
    • Settings #84

Creating a new Individual Assignment

When a user creates a new Individual Assignment they can give it a name, choose whether the assignment repos will be public or private and choose a repository for starter code if they want to.

screen shot 2015-08-05 at 14 06 02

Individual Assignment or Group Assignments Page

Currently on an assignment page, the user can only see the invitation url for their assignment.

I still need to include the settings page, see #84.

There isn't a whole bunch here, but there is some information we have access to that may be useful to the teacher, such as how many students/teams have created their assignment and when they created their assignments.

We also have the ability to delete individual assignments on a per team/per student basis. I'm not sure if that should be another page off the assignments page or it should be on this page.

screen shot 2015-08-05 at 13 04 33

App layout

I'd love some help and feedback on the general layout of these pages. Here are some of the app flows and the pages that go along with them.

Current User Dashboard
screen shot 2015-06-23 at 07 57 47

For Classroom, teachers can add their organization so that they can manage their assignments and invite students. Currently the dashboard allows them to add an organization and then choose from the list of orgs after they have been created.

Adding an organization flow

Choose your organization
screen shot 2015-06-23 at 08 01 22

It takes you to the organization page (you then have to click the Classroom link or the dashboard link to get back to the dashboard)
screen shot 2015-06-23 at 08 01 29

You could also click the edit link and it will take you to the edit page
screen shot 2015-06-23 at 08 04 21
screen shot 2015-06-23 at 08 04 24

Show organization login on organization page

In this case my organization title is "August 2015" but there's no indication of the organization login on the page. I think it might be confusing to users to have a separate title from the actual organization login. Perhaps we should show @classroom next to the title?

screen shot 2015-08-13 at 12 32 46 pm

Group Assignment Invitation Page

When the student goes to a Group Assignment Invitation Page, they currently see this.

screen shot 2015-08-05 at 13 18 15

Or if there are already existing teams, then they see this

screen shot 2015-08-05 at 13 21 52

This allows them to create a new team or join an already existing team. After they create their team and it all goes well, they see this.

screen shot 2015-08-05 at 13 20 02

Blankslate text confusing

I just connected my GitHub account to Classroom and landed on the blankslate page with this:

This classroom has no organizations. Add one now.

The statement makes me think that I'm in my classroom and I might have multiple organizations for my classroom. I think it would be better stated as something along the lines of:

You're not managing any GitHub organizations with Classroom. Add an organization to get started.

Organization page blankslate

After connecting my organization to Classroom, I end up on a page with a "create assignment" button. We should probably add a blankslate explaining that no assignments have been created.

License?

Wasn't entirely sure what license should be used for this project. I would assume MIT copyright to GitHub but I didn't want to make assumptions.

User has too many organizations

As discussed in chat, there may be a case where the user has more than one page of organizations. The new page for Organizations should be able to take care of that.

Individual Assignment invitation page

When a student goes to the individual assignment invitation url, they are greeted with this

assignment_invitations

This creates their assignment and sets up their team. Currently it will give them an error message or return their GitHub Repo URL for them to go to.

Can add any user to an organization

OrganizationsController#invite_users doesn't check that the id of the user being invited is actually part of the organization. This can be used to add arbitrary users to your organization. This could be an abuse vector since the new organization will show up on the user's dashboard and they will have no way to leave the organization. For example, when they go to their dashboard they might see:

screen shot 2015-08-19 at 5 41 34 pm

The controller should check that the user being invited is actually a member of the GitHub organization.

eval() is a code smell

While it isn't a vulnerability in this case, eval() gives security people heart palpitations. Instead of

invitation_path = eval("#{invitation.class.name.underscore}_path('#{invitation.key}')")

you could do

invitation_path = send("#{invitation.class.name.underscore}_path", invitation.key)

or better yet

invitation_path = case invitation
  when Assignment
    assignment_path invitation.key
  when GroupAssignment
    group_assignment_path invitation.key
end

Selecting between an Individual Assignment or a Group Assignment

When you choose to create a new assignment from the Organization Page, you can choose to create one of the following

  • Individual Assignment (each student gets their own repository)
  • Group Assignment (students are in teams and those teams each get a repo)

Currently the selection looks like this:

screen shot 2015-08-05 at 12 59 58

Dashboard Layout

This is the first page of the application, currently the user only has the ability to click on their already added Organizations, or add one to Classroom.

It currently looks like this when there aren't any organizations added.
screen shot 2015-07-06 at 15 15 16

This is what it looks like with one or more organizations.
screen shot 2015-07-06 at 15 16 52

Caching API Requests

Currently we aren't caching any of the requests; when I deployed the application to Heroku I didn't notice any performance lags.

However this is something that should be looked into more, as the application grows and we use more end points.

Logo / Branding

Right now this is the logo for Classroom

screen shot 2015-06-23 at 07 55 31

I know other GitHub open source projects like https://notifications.githubapp.com/ have a logo with the GitHub mark and the name of the app.

Can we do something similar? Or if not I'm totally open to suggestions.

Bit.ly discloses all assignment URLs

By taking one of the Bit.ly links generated by the application, I was able to use the Bit.ly link info API to find out whose account created the Bit.ly link. From there I was able to use the user link history API to find a listing of Bit.ly links generated by this user. This gives me the invitation URLs for all assignments.

Inviting new Org Admins to Classroom

When a user creates an Organization if there are other admins that they want to add, they have the option of doing so after they add their Organization or later on from the Organizations page.

The GitHub API doesn't allow us to see a user's email if it isn't public, so I had to give them optional text boxes.

screen shot 2015-08-05 at 12 51 23

Explain individual vs group assignments

On the new assignment page we should explain a bit more:

screen shot 2015-08-13 at 12 35 12 pm

Maybe something like this:

Individual assignment - Each student works independently
Group assignment - Students work in self-selecting groups

Landing Page

When the user hits Classroom for the first time, this is what they currently see. I'm not entirely sure what to do with this, but it could possibly be a page to show off the highlights of the app.

screen shot 2015-08-05 at 12 39 06

Most common use cases for GitHub by educators?

According to http://education.github.com there are two common ways for handling assignments.

I know personally the classes that I graded for practiced sandboxing, but that may not be the most common use case.

Is there any research or data that could give us an insight as to what method(s) would be most useful to have? My goal would be to eventually handle the most common use cases, but I'd like to at least get the one that helps the most people to fit into the current summer timeline.

Add pagination to listing pages

It looks like the listing pages don't have any pagination right now. It's probably fine at the moment, but once we see some larger classes or teachers using it semester after semester, it will become necessary.

Application Design

I'd like to get feedback as to where in the process this application should be designed. I'm a fan of at least getting some general template design work done near the beginning.

Also since this is a GitHub sponsored open source project what about using Primer as a starting point for styling?

Individual and Group Assignments Settings

So there isn't a setting page yet for either Individual Assignments or Group Assignments.

What we can currently do is the following.

  • Rename the assignment
  • Destroy the assignment
  • Regenerate the Invitation URL

If you destroy either type of assignment it WILL delete all of the github repositories that were created with it. Probably a good idea to warn them.

Logout should be a POST request

The /logout endpoint should require a POST request. Currently, someone could CSRF this endpoint by including an image like <img src="https://classroomdomain.com/logout"> on another domain to log users out. This is quite low risk, but is an easy fix.
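Both CSRF findings on this page (the GET accept_invitation endpoint and the GET /logout endpoint) have the same fix: register state-changing actions under POST only and require the session's authenticity token on every non-GET request. The following is an added example in plain Ruby, not code from the Classroom project; the route table, the Request struct and the token handling are constructed stand-ins for what Rails does with `protect_from_forgery` and verb-specific routes.

```ruby
require "securerandom"

# Constructed route table: a (verb, path pattern) pair maps to an action.
# accept_invitation and logout are POST-only, so an <img src="..."> (always a GET)
# can no longer trigger them.
ROUTES = {
  ["GET",  %r{\A/assignment_invitations/(?<key>[0-9a-f]{32})\z}]                   => :show_invitation,
  ["POST", %r{\A/assignment_invitations/(?<key>[0-9a-f]{32})/accept_invitation\z}] => :accept_invitation,
  ["POST", %r{\A/logout\z}]                                                          => :logout
}.freeze

# Minimal stand-in for a Rack/Rails request: params are form fields, session is server-side state.
Request = Struct.new(:method, :path, :params, :session, keyword_init: true)

# Issue (or reuse) the per-session token that forms must echo back in authenticity_token.
def csrf_token_for(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so the token check does not leak timing information.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns [200, action, key] for an accepted request, or [status, message] when it is refused.
def dispatch(req)
  matching = ROUTES.select { |(_, pattern), _| pattern.match?(req.path) }
  return [404, "not found"] if matching.empty?

  # The path exists but not under this verb: a cross-site GET lands here.
  (_, pattern), action = matching.find { |(method, _), _| method == req.method }
  return [405, "method not allowed"] unless action

  # Every state-changing request must prove it came from our own form.
  if req.method != "GET"
    token = req.params["authenticity_token"]
    return [403, "invalid authenticity token"] unless secure_compare(req.session[:csrf_token], token)
  end

  m = pattern.match(req.path)
  [200, action, m.names.include?("key") ? m[:key] : nil]
end

# Constructed requests: the image-tag GET from the issue, a cross-site POST with no token,
# and a legitimate form submission carrying the session token.
if __FILE__ == $PROGRAM_NAME
  session = {}
  token = csrf_token_for(session)
  key = "f772b522f9622307106fb91b7afe745d"
  p dispatch(Request.new(method: "GET", path: "/assignment_invitations/#{key}/accept_invitation",
                         params: {}, session: session))                          # [405, "method not allowed"]
  p dispatch(Request.new(method: "POST", path: "/logout", params: {}, session: session)) # [403, ...]
  p dispatch(Request.new(method: "POST", path: "/logout",
                         params: { "authenticity_token" => token }, session: session)) # [200, :logout, nil]
end
```

The order of the checks matters: the verb is rejected before the token is examined, so a forged GET never reaches the token logic, and the token comparison is constant-time so a rejected POST reveals nothing about the expected value.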

Assignment Relationships

@johndbritton This is just an overview of the relationships as I view them for individual and group assignments.

Let me know what you think. (interaction diagram coming soon)

                               +----------------------------------+
+-------------------------+    | Organization                     |
| User                    |    |                                  |
|                         |    | has_many: individual_assignments |
| has_many :repo_accesses |    | has_many: group_assignments      |
| github_user_id          |    | has_many: repo_accesses          |
+-------------------------+    +----------------------------------+

                    +--------------------------+                   
                    | RepoAccess               |                   
                    |                          |                   
                    | belongs_to :organization |                   
                    | belongs_to :user         |                   
                    | github_team_id           |                   
                    +--------------------------+                   

+----------------------+                +-------------------------+
| AssignmentRepo       |                | GroupAssignmentRepo     |
|                      |                |                         |
| has_one :repo_access |                | has_many :repo_accesses |
| github_repo_id       |                | github_repo_id          |
+----------------------+                +-------------------------+

                               +----------------------------------+
+----------------------------+ | Grouping                         |
| IndividualAssignment       | |                                  |
|                            | | has_many :group_assignment_repos |
| has_many :assignment_repos | | title                            |
+----------------------------+ +----------------------------------+

                                              +-------------------+
                                              | GroupAssignment   |
                                              |                   |
                                              | has_one :grouping |
                                              +-------------------+

Can create an Organization for any GitHub organization

The OrganizationsController#create endpoint doesn't check that the current user has access to the GitHub organization they are creating an Organization for. An attacker can create an Organization for any GitHub organization by modifying the organization[github_id] POST parameter.

This request creates an Organization for the @classroom GitHub organization:

POST /orgs HTTP/1.1

utf8=%E2%9C%93&authenticity_token=[redacted]&organization%5Btitle%5D=some+title&organization%5Bgithub_id%5D=13029875&commit=Add+Organization

The application should check that the current user is an admin of the GitHub organization.

Organizations Settings Page

The Organizations Settings page currently looks like this

screen shot 2015-08-05 at 13 33 10

The user can rename their Organization on Classroom, or they can remove it from Classroom. This WILL delete both types of assignments, delete all of the repos, and delete all of the teams created by Classroom for that org.

Definitely a dangerzone scenario.

Creating a Group Assignment

This has all of the same options as the Individual Assignment (#86) but the user has to either create a new group of teams, currently known as a grouping, or choose an existing one.

The grouping aspect isn't really super clear at this point, and I'm not really sure what's the best way to show that to the user.

screen shot 2015-08-05 at 14 06 14

Org invitations are a spam vector

Organization invitations can be sent to any email address. The content of the invitation can be hijacked by modifying the Organization title, which can be quite long and even contain newlines:

Creating an org with newlines in the title:

POST /orgs/free-viagra HTTP/1.1

utf8=%E2%9C%93&_method=patch&authenticity_token=[redacted]&organization%5Btitle%5D=Free+Viagra%21%21%21%21+https%3A%2F%2Fsketchy.site%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d&commit=Update+Organization

Sending spam to any email address:

POST /orgs/free-viagra/invite-users HTTP/1.1

utf8=%E2%9C%93&_method=patch&authenticity_token=[redacted]&github_owners%5Bmastahyeti%5D=1144197&github_owner_emails%5Bmastahyeti%5D=[redacted]@gmail.com&commit=Invite

Spam!!!

screen shot 2015-08-19 at 5 58 09 pm

This one is kind of hard to solve. Some options are:

  1. Only send emails to addresses listed on the invited user's GitHub profile.
  2. Implement some kind of rate limiting and spam detection.
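Both mitigations listed above can be sketched in a few dozen lines, along with the validation that closes the hijack itself (the title is what ends up in the email body, so it should be a single bounded line). This is an added example in plain Ruby, not code from the Classroom project; the 60-character limit, the profile-email data and the rate-limit numbers are assumptions made for the example.

```ruby
# Assumed limit for this example; the project's real limit (if any) is not on the page.
TITLE_MAX_LENGTH = 60

# Returns the validation errors for an organization title (empty when valid).
# Line breaks are rejected outright, so the title cannot add lines to the email.
def organization_title_errors(title)
  t = title.to_s
  errors = []
  errors << "can't be blank" if t.strip.empty?
  errors << "must be a single line" if t.match?(/[\r\n]/)
  errors << "is too long (maximum is #{TITLE_MAX_LENGTH} characters)" if t.length > TITLE_MAX_LENGTH
  errors
end

# Option 1: keep only (login => email) pairs where the email is listed on the
# invitee's GitHub profile; any other address is dropped before mail is sent.
# profile_emails is a constructed stand-in for what the GitHub user API returns.
def deliverable_invitations(requested, profile_emails)
  requested.each_with_object({}) do |(login, email), kept|
    listed = profile_emails.fetch(login, []).map(&:downcase)
    kept[login] = email if listed.include?(email.to_s.downcase)
  end
end

# Option 2: a sliding window of send timestamps per inviter.
class InviteRateLimiter
  def initialize(limit:, window_seconds:)
    @limit = limit
    @window = window_seconds
    @sent = Hash.new { |h, k| h[k] = [] }
  end

  # Records the send and returns true, or returns false when the inviter has
  # already used up the window. `now` is injectable so the limiter is testable.
  def allow?(inviter, now = Time.now)
    times = @sent[inviter]
    times.reject! { |t| now - t >= @window }
    return false if times.size >= @limit
    times << now
    true
  end
end

# Constructed inputs: a multi-line title of the kind the issue shows, a request
# to invite two logins, and a profile listing only one of the requested addresses.
if __FILE__ == $PROGRAM_NAME
  p organization_title_errors("Some title\n\r\n\r\n")       # ["must be a single line"]
  p deliverable_invitations({ "alice" => "Alice@example.com", "bob" => "victim@example.com" },
                            { "alice" => ["alice@example.com"] })  # {"alice"=>"Alice@example.com"}
  limiter = InviteRateLimiter.new(limit: 3, window_seconds: 60)
  p 4.times.map { limiter.allow?("teacher", Time.at(0)) }    # [true, true, true, false]
end
```

The title check belongs in the model so it applies to both the create and the update path shown in the requests above; the recipient filter and the limiter sit in the invite action, where the inviter and the list of invitees are known.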

What I'm working on

This is just a running issue list of what I'm working on / what I will be working on.

Classroom

Done

  • Add GitHub organization (classroom), with proper user relationships
  • Give users the ability to add their classroom only if they are an owner
  • Allow students to join the classroom through an invitation url, which adds them to a students team which consists of all students
  • Allow teachers to create an assignment
  • Make sure a teacher cannot create an assignment without adding a designated students team first
  • Move invitations to assignments
  • When a student accesses Classroom for the first time, add them to the students team, and add them to their own personal team. Then create the assignment; naming convention TBD.

What I'm working on...

  • Group Assignments
  • Caching and error handling

Next Up

  • Everything else that goes with Assignments
  • ... TBD

Organization Page

Each user can have many Organizations that are a part of Classroom. When a user chooses their organization on Classroom, this is what it looks like right now.

screen shot 2015-08-05 at 12 42 08

screen shot 2015-08-05 at 12 42 24

From this page a user should be able to click to create a new assignment (Individual or Group), see assignments that exist, or invite other Org admins to join Classroom. See (issue about invitations)

Add ensure_logged_in before filter to ApplicationController

For an app in which most endpoints require authentication, it's a good idea to check authentication in the ApplicationController and have unauthenticated actions opt-out via skip_before_filter. This makes it harder to forget to add the authentication check when adding a new controller.

OrganizationAuthorizedConstraint doesn't work

OrganizationAuthorizedConstraint searches the URL path for the first set of numeric characters and tries to look up an org with an id matching these digits. If no organization is found the check fails open. The OrganizationsController#set_organization method uses Organization.find(params[:id]) to look up organizations. Because of FriendlyId, this can take a slug instead of a numeric id. The result is that authorization is not checked for URLs using the org slug instead of a numeric ID.

The authorization check should be moved to the controller level and the organization should be looked up in the same way as elsewhere in the controller. The check should also fail closed if the organization can't be found.
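Three findings on this page are the same class of bug: OrganizationsController#create trusts a posted github_id, #invite_users never checks that the invitee belongs to the GitHub organization, and OrganizationAuthorizedConstraint scrapes digits out of the path and passes when nothing matches. The following is an added example in plain Ruby, not code from the Classroom project. It reproduces the fail-open constraint as the issue describes it next to a corrected lookup that resolves an id or a slug the same way the controller does and fails closed, and it puts the admin and membership checks in front of create and invite. ORGANIZATIONS and MEMBERSHIPS are constructed stand-ins for the database and for the GitHub organization-membership API.

```ruby
# Constructed records. 13029875 is the github_id shown in the create request above.
ORGANIZATIONS = [
  { id: 13029875, slug: "classroom", title: "August 2015" },
  { id: 42,       slug: "cs101",     title: "CS 101" }
].freeze

# Constructed stand-in for the GitHub membership API: login => { github org id => role }.
MEMBERSHIPS = {
  "teacher" => { 13029875 => "admin", 42 => "member" },
  "ta"      => { 13029875 => "member" },
  "student" => { 42 => "member" }
}.freeze

class NotAuthorized < StandardError; end

# FriendlyId-style lookup: accepts a numeric id or a slug, exactly as set_organization does.
def find_organization(id_or_slug)
  ORGANIZATIONS.find { |o| o[:id].to_s == id_or_slug.to_s || o[:slug] == id_or_slug.to_s }
end

def org_role(login, github_id)
  MEMBERSHIPS.dig(login, github_id)
end

def org_admin?(login, github_id)
  org_role(login, github_id) == "admin"
end

# The broken constraint as described in the issue: take the first run of digits in the
# path, look up an org by that id, and pass when nothing is found. A slug URL such as
# /orgs/classroom/... contains no digits, so the check never runs.
def constraint_fail_open?(login, path)
  digits = path[/\d+/]
  org = digits && ORGANIZATIONS.find { |o| o[:id].to_s == digits }
  return true unless org
  org_admin?(login, org[:id])
end

# Corrected: resolve the org the way the controller does and fail closed.
def authorize_organization!(login, id_or_slug)
  org = find_organization(id_or_slug)
  raise NotAuthorized, "organization not found" unless org
  raise NotAuthorized, "#{login} is not an admin of #{org[:slug]}" unless org_admin?(login, org[:id])
  org
end

# #create: whatever github_id was posted, the current user must administer that GitHub org.
def create_organization(login, params)
  github_id = Integer(params.fetch("github_id"))
  raise NotAuthorized, "not an admin of GitHub org #{github_id}" unless org_admin?(login, github_id)
  { github_id: github_id, title: params.fetch("title"), created_by: login }
end

# #invite_users: the inviter must be an admin and the invitee must already be a member.
def invite_user(login, id_or_slug, invitee)
  org = authorize_organization!(login, id_or_slug)
  raise NotAuthorized, "#{invitee} is not a member of #{org[:slug]}" if org_role(invitee, org[:id]).nil?
  { organization: org[:slug], invited: invitee }
end

if __FILE__ == $PROGRAM_NAME
  p constraint_fail_open?("student", "/orgs/classroom/assignments")   # true  (the bug)
  p((authorize_organization!("student", "classroom") rescue :denied)) # :denied
  p create_organization("teacher", "github_id" => "13029875", "title" => "some title")
end
```

The point of authorize_organization! taking the same id_or_slug the controller receives is that there is only one resolution path: the constraint can no longer disagree with set_organization about which organization a request concerns.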
