replaced session parameters with server params for security reasons

cleaned up comments
This commit is contained in:
Tom Staubitz
2017-01-12 15:10:34 +01:00
parent 41a61a8507
commit dd4c789fed
8 changed files with 20 additions and 28 deletions


@ -19,14 +19,13 @@ module Lti
# exercise_id.exists? ==> the user has submitted the results of an exercise to the consumer.
# Only the lti_parameters are deleted.
def clear_lti_session_data(exercise_id = nil)
#Todo replace session with lti_parameter /done
if (exercise_id.nil?)
LtiParameter.destroy_all(consumers_id: session[:consumer_id], external_user_id: session[:external_user_external_id])
LtiParameter.destroy_all(consumers_id: session[:consumer_id], external_user_id: @current_user.external_id)
session.delete(:consumer_id)
session.delete(:external_user_id)
else
LtiParameter.destroy_all(consumers_id: session[:consumer_id],
external_user_id: session[:external_user_external_id],
external_user_id: @current_user.external_id,
exercises_id: exercise_id)
end
end
@ -103,15 +102,14 @@ module Lti
def send_score(exercise_id, score)
::NewRelic::Agent.add_custom_parameters({ score: score, session: session })
fail(Error, "Score #{score} must be between 0 and #{MAXIMUM_SCORE}!") unless (0..MAXIMUM_SCORE).include?(score)
#Todo replace session with lti_parameter /done
lti_parameter = LtiParameter.where(consumers_id: session[:consumer_id],
external_user_id: session[:external_user_external_id],
external_user_id: @current_user.external_id,
exercises_id: exercise_id).first
# lti_parameters = JSON.parse(lti_parameter.lti_parameters)
consumer = Consumer.find_by(id: session[:consumer_id])
provider = build_tool_provider(consumer: consumer, parameters: lti_parameter.lti_parameters)
# provider = build_tool_provider(consumer: Consumer.find_by(id: session[:consumer_id]), parameters: session[:lti_parameters])
if provider.nil?
{status: 'error'}
elsif provider.outcome_service?
@ -141,7 +139,6 @@ module Lti
lti_parameters.save!
session[:consumer_id] = options[:consumer].id
session[:external_user_external_id] = @current_user.external_id
session[:external_user_id] = @current_user.id
end
private :store_lti_session_data
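Review bot: In send_score the new lookup `LtiParameter.where(...).first` can return nil, and the next statement calls `lti_parameter.lti_parameters`, so a missing row raises NoMethodError before the existing `provider.nil?` branch can return `{status: 'error'}`; the same pattern is introduced in redirect_to_lti_return_path in ExercisesController, which needs its own handling. Adding `return {status: 'error'} if lti_parameter.nil?` before the `consumer = Consumer.find_by(...)` line keeps the method's existing error contract. The leftover commented-out lines `# lti_parameters = JSON.parse(lti_parameter.lti_parameters)` and `# provider = build_tool_provider(... session[:lti_parameters])` are remnants of the session-based flow this commit removes and could be dropped as part of the comment cleanup. send_score's body continues past the end of the hunk.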


@ -157,16 +157,14 @@ class ExercisesController < ApplicationController
end
def redirect_to_lti_return_path
#Todo replace session with lti_parameter /done
lti_parameter = LtiParameter.where(consumers_id: session[:consumer_id],
external_user_id: session[:external_user_external_id],
external_user_id: @current_user.external_id,
exercises_id: @submission.exercise_id).first
path = lti_return_path(consumer_id: session[:consumer_id],
submission_id: @submission.id,
url: consumer_return_url(build_tool_provider(consumer: Consumer.find_by(id: session[:consumer_id]),
parameters: lti_parameter.lti_parameters)))
# parameters: session[:lti_parameters])))
respond_to do |format|
format.html { redirect_to(path) }
format.json { render(json: {redirect: path}) }
@ -230,7 +228,7 @@ class ExercisesController < ApplicationController
def submit
@submission = Submission.create(submission_params)
score_submission(@submission)
if lti_outcome_service?(@submission.exercise_id)
if lti_outcome_service?(@submission.exercise_id, @current_user.external_id, @current_user.consumer_id)
transmit_lti_score
else
redirect_after_submit
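Review bot: In submit the new call passes `@current_user.consumer_id` as the consumer argument, while the parallel call in SessionsController passes `@consumer.id`; if those two values can differ for a user, `lti_outcome_service?` is being answered against different consumers in the two call sites, and whether every kind of `@current_user` reached here responds to `consumer_id` is not visible in this diff and is worth confirming against the user model. The stale comment line `# parameters: session[:lti_parameters])))` in redirect_to_lti_return_path is a remnant of the replaced session-based call and can be removed under this commit's comment cleanup. submit's body continues past the end of the hunk.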


@ -22,7 +22,7 @@ class SessionsController < ApplicationController
store_lti_session_data(consumer: @consumer, parameters: params)
store_nonce(params[:oauth_nonce])
redirect_to(implement_exercise_path(@exercise),
notice: t("sessions.create_through_lti.session_#{lti_outcome_service?(@exercise.id) ? 'with' : 'without'}_outcome",
notice: t("sessions.create_through_lti.session_#{lti_outcome_service?(@exercise.id, @current_user.external_id , @consumer.id) ? 'with' : 'without'}_outcome",
consumer: @consumer))
end
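Review bot: The rewritten `notice:` line has a stray space before the comma in `@current_user.external_id , @consumer.id` and now embeds a three-argument call inside a string interpolation, which makes the redirect hard to read. Hoisting the condition into a local before the redirect, e.g. `outcome = lti_outcome_service?(@exercise.id, @current_user.external_id, @consumer.id) ? 'with' : 'without'` followed by `notice: t("sessions.create_through_lti.session_#{outcome}_outcome", consumer: @consumer)`, preserves behaviour and shortens the line. The enclosing method (apparently create_through_lti, judging by the translation key) starts before the hunk.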