🐛(back) ignore XAPI statements from public view without consumer_site

lunika · lunika · commit a751e0ad514b · 2024-11-06T15:09:21.000+01:00
When a video or document is used in a public view and has been created
on the website, we have no information at all about the consumer site to
use. In that specifice case we want to ignore the XAPI statement.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,10 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+### Fixed
+
+- Ignore XAPI statements from public view without consumer_site
+
 ## [5.3.0] - 2024-11-04
 
 ### Added
diff --git a/src/backend/marsha/core/api/xapi.py b/src/backend/marsha/core/api/xapi.py
@@ -24,6 +24,10 @@
 logger = logging.getLogger(__name__)
 
 
+class NoConsumerSiteError(Exception):
+    """Error raised when no consumer site is found."""
+
+
 class XAPIStatementView(APIViewMixin, APIView):
     """Viewset managing xAPI requests."""
 
@@ -39,6 +43,13 @@ def _statement_from_lti(
             # The resource is used in a LTI context but have been created in the website context
             # so the consumer site does not exists on the playlist.
             # We have to find it directly from the LTI information we have in the JWT token.
+            if not request.resource.token.payload.get("consumer_site"):
+                # If the consumer site is not present in the JWT token, we have no information
+                # from what context the statement is sent. So we stop here the process.
+                raise NoConsumerSiteError(
+                    "Consumer site is mandatory in the LTI token."
+                )
+
             consumer_site = ConsumerSite.objects.get(
                 pk=request.resource.token.payload.get("consumer_site")
             )
@@ -121,16 +132,20 @@ def post(self, request, resource_kind, resource_id):
             return Response(partial_xapi_statement.errors, status=400)
 
         if request.resource:
+            # consumer site in a LTI token is mandatory.
             if request.resource.playlist_id != str(object_instance.playlist.id):
                 return HttpResponseNotFound()
-            (
-                statement,
-                lrs_url,
-                lrs_auth_token,
-                lrs_xapi_version,
-            ) = self._statement_from_lti(
-                request, partial_xapi_statement, statement_class, object_instance
-            )
+            try:
+                (
+                    statement,
+                    lrs_url,
+                    lrs_auth_token,
+                    lrs_xapi_version,
+                ) = self._statement_from_lti(
+                    request, partial_xapi_statement, statement_class, object_instance
+                )
+            except NoConsumerSiteError:
+                return Response(status=400)
         else:
             statement = self._statement_from_website(
                 request, partial_xapi_statement, statement_class, object_instance
diff --git a/src/backend/marsha/core/tests/api/xapi/video/test_from_lti.py b/src/backend/marsha/core/tests/api/xapi/video/test_from_lti.py
@@ -15,7 +15,10 @@
     PlaylistFactory,
     VideoFactory,
 )
-from marsha.core.simple_jwt.factories import StudentLtiTokenFactory
+from marsha.core.simple_jwt.factories import (
+    PlaylistAccessTokenFactory,
+    StudentLtiTokenFactory,
+)
 
 
 class XAPIVideoFromLTITest(TestCase):
@@ -188,3 +191,44 @@ def test_send_xapi_statement_from_lti_request_video_no_consumer_site(self):
                 "objectType": "Activity",
             },
         )
+
+    def test_send_xapi_statement_from_public_video_view_created_from_website(self):
+        """
+        The XAPI statement should be ignored when the video has been created from the website
+        and used in a public view.
+        """
+        organization = OrganizationFactory()
+        playlist = PlaylistFactory(
+            organization=organization, consumer_site=None, lti_id=None
+        )
+        video = VideoFactory(
+            id="7b18195e-e183-4bbf-b8ef-5145ef64ae19",
+            title="Video 000",
+            playlist=playlist,
+        )
+        # JWT Token used in a public view
+        jwt_token = PlaylistAccessTokenFactory(
+            playlist=video.playlist,
+        )
+        self.assertIsNotNone(video.playlist.organization)
+        self.assertIsNone(video.playlist.consumer_site)
+
+        data = {
+            "verb": {
+                "id": "http://adlnet.gov/expapi/verbs/initialized",
+                "display": {"en-US": "initialized"},
+            },
+            "context": {
+                "extensions": {"https://w3id.org/xapi/video/extensions/volume": 1}
+            },
+        }
+
+        response = self.client.post(
+            f"/xapi/video/{video.id}/",
+            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+            data=json.dumps(data),
+            content_type="application/json",
+        )
+
+        self.assertEqual(response.status_code, 400)
+        self.assertEqual(self.log_stream.getvalue(), "")
