Unrevealed module model solutions do not give a clear reason for error

[lainets]

When accessing an unrevealed chapter (a model solution chapter whose module hasn't been passed) two things may happen:

1. If the user isn't logged in on a course that is visible to everyone, the user is given a login screen without any explanation. The user can however access other chapter without issue as the course is visible to everyone.
2. If the user is logged in, they are given a 403 access restricted page without an explanation that they need to first pass the required module.

The user should be given an explanation in both cases. A login screen should still be shown in the first as the user might have an account but just hasn't logged in.

[jsorva]

I think this is related to — or a specific instance of — a broader (unreported?) issue: pages that you have no right to access just dump you onto the login screen, and this can happen in a pretty annoying way.

For example, let’s say that I’m a random visitor browsing O1’s pages (without being logged in or perhaps even having an account). I’m currently in Chapter 1.6 and using the page-top navigation to move across chapters.

I click on Chapter 1.7 to move there → OK.
I click on Chapter 1.8 → OK.
Then it’s the Week 2 ToC → OK.
Then to Chapter 2.0 (the weekly bulletin page that is only for enrollees) → BLAM! I’m on the login page with no explanation and the navigation is gone.

[markkuriekkinen]

Permissions that are constructed with AND or OR operations from Django REST framework permissions seem to have had this issue for a long time now. The combined OR permission does not have the message attribute from the original permissions, thus A+ loses the intended error message for the permission and the user is not shown any explanatory error messages.

a-plus/exercise/permissions.py

Line 77 in 46dba40

ExerciseVisiblePermission = ExerciseVisiblePermissionBase | JWTExerciseReadPermission

a-plus/authorization/views.py

Line 120 in 46dba40

message = getattr(permission, 'message', None)

a-plus/exercise/permissions.py

Lines 20 to 77 in 46dba40

	class ExerciseVisiblePermissionBase(ObjectVisibleBasePermission):
	message = _('EXERCISE_VISIBILITY_PERMISSION_DENIED_MSG')
	model = LearningObject
	obj_var = 'exercise'
	def is_object_visible(self, request, view, exercise): # pylint: disable=arguments-renamed
	"""
	Find out if Exercise (LearningObject) is visible to user
	"""
	if view.is_course_staff:
	return True
	user = request.user
	if isinstance(user, GraderUser):
	return False
	if exercise.status == LearningObject.STATUS.HIDDEN:
	self.error_msg(_('EXERCISE_VISIBILITY_ERROR_NOT_VISIBLE'))
	return False
	if (
	exercise.is_submittable
	and not exercise.course_module.have_exercises_been_opened()
	and exercise.status not in (
	LearningObject.STATUS.ENROLLMENT,
	LearningObject.STATUS.ENROLLMENT_EXTERNAL,
	)):
	self.error_msg(
	format_lazy(
	_('EXERCISE_VISIBILITY_ERROR_NOT_OPEN_YET -- {}'),
	exercise.course_module.opening_time
	)
	)
	return False
	if exercise.audience == LearningObject.AUDIENCE.REGISTERED_USERS:
	if not exercise.course_instance.is_student(user):
	self.error_msg(_('EXERCISE_VISIBLITY_ERROR_ONLY_RESISTERED_USERS'))
	return False
	elif exercise.audience == LearningObject.AUDIENCE.INTERNAL_USERS:
	if (not exercise.course_instance.is_student(user)
	or user.userprofile.is_external):
	self.error_msg(_('EXERCISE_VISIBLITY_ERROR_ONLY_INTERNAL_USERS'))
	return False
	elif exercise.audience == LearningObject.AUDIENCE.EXTERNAL_USERS:
	if (not exercise.course_instance.is_student(user)
	or not user.userprofile.is_external):
	self.error_msg(_('EXERCISE_VISIBLITY_ERROR_ONLY_EXTERNAL_USERS'))
	return False
	if not exercise.can_be_shown_as_module_model_solution(user):
	self.error_msg(_('MODULE_MODEL_ANSWER_VISIBILITY_PERMISSION_DENIED_MSG'))
	return False
	return True
	ExerciseVisiblePermission = ExerciseVisiblePermissionBase | JWTExerciseReadPermission

[jsorva]

I think this is related to — or a specific instance of — a broader (unreported?) issue: pages that you have no right to access just dump you onto the login screen, and this can happen in a pretty annoying way.

For example, let’s say that I’m a random visitor browsing O1’s pages (without being logged in or perhaps even having an account). I’m currently in Chapter 1.6 and using the page-top navigation to move across chapters.

I click on Chapter 1.7 to move there → OK. I click on Chapter 1.8 → OK. Then it’s the Week 2 ToC → OK. Then to Chapter 2.0 (the weekly bulletin page that is only for enrollees) → BLAM! I’m on the login page with no explanation and the navigation is gone.

Addendum:
The above scenario describes a visitor who is not logged in. A similar thing happens now with logged-in students who have a deadline extension and are forbidden from viewing a chapter that contains solutions (until after their personal deadline has passed). They are now prevented from seeing the page, which is great, but the info on that page could be better, and, more importantly, it would be very nice to still have the navigation controls there in this case.

[markkuriekkinen]

This was fixed in the v1.20_stable branch in the three commits listed below. The fix needs to be still ported to the master branch.

• b7a172b
• 464abc0
• bb5d5e1