admiral-edu-server's Issues
&sort; appearing in browse header
In reviewing existing submissions, &next; appears in the header. Bad.
the browse page for viewing your submission appears broken
Here's the URL:
https://www.captain-teach.org/calpoly-cpe123/su/[email protected]/next/a1-ct/
... only the problem is in the iframe.
Also it has a &step in the header.
basic design documentation
add a version number to the web pages
A github repo would probably be ideal... automating it could be nasty, though.
red dots don't appear consistently
Sigh... codemirror is totally messed up here. Could it be the new version (hope hope)?
test all URLs with /su/<username>/
be explicit about legal paths
State somewhere what the legal URL patterns are, and check them up front rather than allowing 'last' to fail somewhere deep within a sub-function.
FIXMEs everywhere
get rid of success and failure everywhere
endpoint to allow viewing of error log
It would be nice, and seems like not too much of a security risk, to allow the head instructor to take a look at the current log.
make sure there are no 'cond's without elses.
codemirror only uses half of box?
When browsing a file, it appears that only half of the given box is used by the codemirror editor.
This problem is somewhat visible on any page load because the left-hand gutter (IIUC) is only half present. Load a file with many lines to see the problem more clearly. I'm nearly certain this is a regression.
looks like some 404s may not be caught
... and wind up as 500s instead, viz. /foo
logging should escape the container
logs should go somewhere visible outside the container
explicitly compare html of old and new versions
Use the scraped html from the regression tests to actually compare old and new.
split out logs
The access log should not be mushed in with the error log, I think. The code for this is mostly already in place using loggers, I just need to not dump all of the loggers' output into stdout.
use type for paths
paths could be protected using TR
check for existence of table has hard-coded database name
The "is there already a database" check uses a hard-coded "captain_teach" name, meaning that if your database is named something else, CT will blow it away on startup. Bad.
when performing review, "close form" button does nothing?
It appears that the "close form" button next to an annotation line does nothing when reviewing a text. This is probably a regression.
description of states users can be in
trailing slash required on base url
The 404 error has a URL without a trailing slash, which won't be properly redirected by the outer apache server.
signal an error on config / db mismatch
Currently, if captain teach is started and there's already an existing database, but the name of the head instructor in the database is different from the one specified in the config file, I believe the config file is ignored. In fact, it might be even more broken than that.
The easy fix would be to check for this, and refuse to start up.
More generally, there should be a way to completely re-initialize the database. Since port 8080 is the only way in, though, this would have to be an externally-visible endpoint, which seems like a really bad idea. Alternatively, you could just create a shell script that does this...
eliminate uses of non-raw-bindings
These are probably all linked to scripting vulnerabilities...
three-condition testing not appearing in raco test?
chance for free test coverage bump here...
use templates for all responses
XSS possible in review feedback
itemize other bugs discovered by zap
Yep, downloading is broken too.
To repeat: student submits a text file, then tries to view it.
https://www.captain-teach.org/calpoly-cpe123/su/[email protected]/next/a1-ct/
YAML parsing produces terrible error messages and contract failures
captain teach should not run as root even inside a docker container
It's absurd that captain teach runs as root inside of the docker container.
unarchiving should check for legal filenames
Students could submit archive files containing illegal names, most alarmingly ".." and ".".
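As an added defender-side example (not the project's code, and in Python rather than the project's Racket), a check of the kind this issue asks for: every archive entry name is validated before extraction, rejecting ".", "..", empty and absolute segments, and the resolved target path is confirmed to stay under the submission directory. The archive contents are constructed inline for the demonstration.

```python
import io
import os
import zipfile
from typing import List, Optional, Tuple


def build_sample_archive() -> bytes:
    """Constructed sample: one legitimate entry plus the name patterns the issue warns about."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a1/main.rkt", "#lang racket\n")              # legal
        zf.writestr("../escape.txt", "would land outside\n")      # '..' segment
        zf.writestr("./a1/dot.txt", "'.' segment\n")              # '.' segment
        zf.writestr("/etc/passwd", "absolute path\n")             # absolute
    return buf.getvalue()


def is_legal_entry_name(name: str) -> bool:
    """Accept only relative, forward-slash names whose segments are plain file names."""
    if not name or name.startswith(("/", "\\")) or "\\" in name or ":" in name:
        return False
    parts = name.rstrip("/").split("/")           # directory entries end with '/'
    return all(part not in ("", ".", "..") for part in parts)


def safe_target(dest_dir: str, name: str) -> Optional[str]:
    """Second line of defence: the resolved target must remain inside dest_dir."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, *name.split("/")))
    if os.path.commonpath([dest, target]) != dest:
        return None
    return target


def audit_archive(data: bytes) -> Tuple[List[str], List[str]]:
    """Return (accepted, rejected) entry names without extracting anything."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            bucket = accepted if is_legal_entry_name(info.filename) else rejected
            bucket.append(info.filename)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = audit_archive(build_sample_archive())
    print("accepted:", ok)
    print("rejected:", bad)
```

A submission handler would refuse the whole upload if `rejected` is non-empty, and would only ever write to paths returned by `safe_target`.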
did we lose the logging
Where's the logging in the new version? Did I accidentally disable it, or is it just off for testing?
eliminate all uses of strings flowing directly into responses
These are obvious places for XSS attacks, and are completely unnecessary.
paths must be url-encoded
Related to #13 : paths must be url-encoded, because the receiving end is going to perform decoding.
sql injection bugs identified by zap
eliminate 'temporary-hacks.rkt'
doesn't have a nice sound to it, does it?
no auth is required to access /submit or /feedback paths
I can see how this arose as a refactoring bug. Yikes.
check for < in output
Occurrences of < in output are probably evidence of xexpr-mangling, and should probably be considered bugs in regression-testing and zap-script-testing.
result of adding users page has &result;
To repeat: upload a file containing a few users.
test case coverage!
Test case coverage is awful. We need some regression tests, at least. I'm terrified that I'm breaking things.
error signaled after adding assignment, but assignment still added
In the 'author' page creating a new assignment, I created a new one with the following description:
name: Flags
id: flags
description: Supplemental homework 1.
steps:
  - id: final-submission
    instructions: Submit your final code here.
After clicking "Validate and Submit", I was given an alert box indicating there was an error. However, when clicking the button again, I was given a different alert box saying the assignment already exists.
After navigating to the main page, the assignment did indeed exist and was correct.