URL patterns should be anchored. SEC-367

Some notes:

* The completion API was pulled out into a new repo, but left behind a
  url() entry.  That entry used a different namespace than the
  pulled-out repo, so I had to fix the one place we used the namespace.

* Two urls couldn't be anchored because they broke tests:

    url(r'users/(?P<user_id>\w+)/followed$', views.followed_threads, name='followed_threads'),
    url(r'users/(?P<user_id>\w+)$', views.user_profile, name='user_profile'),

lms/djangoapps/certificates/urls.py

@@ -25,7 +25,7 @@ urlpatterns = [
     # End-points used by student support
     # The views in the lms/djangoapps/support use these end-points
     # to retrieve certificate information and regenerate certificates.
-    url(r'search', views.search_certificates, name="search"),
-    url(r'regenerate', views.regenerate_certificate_for_user, name="regenerate_certificate_for_user"),
-    url(r'generate', views.generate_certificate_for_user, name="generate_certificate_for_user"),
+    url(r'^search', views.search_certificates, name="search"),
+    url(r'^regenerate', views.regenerate_certificate_for_user, name="regenerate_certificate_for_user"),
+    url(r'^generate', views.generate_certificate_for_user, name="generate_certificate_for_user"),
 ]

lms/djangoapps/django_comment_client/base/urls.py

@@ -6,34 +6,34 @@ from django.conf.urls import url
 from django_comment_client.base import views
 
 urlpatterns = [
-    url(r'upload$', views.upload, name='upload'),
-    url(r'threads/(?P<thread_id>[\w\-]+)/update$', views.update_thread, name='update_thread'),
-    url(r'threads/(?P<thread_id>[\w\-]+)/reply$', views.create_comment, name='create_comment'),
-    url(r'threads/(?P<thread_id>[\w\-]+)/delete', views.delete_thread, name='delete_thread'),
-    url(r'threads/(?P<thread_id>[\w\-]+)/upvote$', views.vote_for_thread, {'value': 'up'}, name='upvote_thread'),
-    url(r'threads/(?P<thread_id>[\w\-]+)/downvote$', views.vote_for_thread, {'value': 'down'}, name='downvote_thread'),
-    url(r'threads/(?P<thread_id>[\w\-]+)/flagAbuse$', views.flag_abuse_for_thread, name='flag_abuse_for_thread'),
-    url(r'threads/(?P<thread_id>[\w\-]+)/unFlagAbuse$', views.un_flag_abuse_for_thread,
+    url(r'^upload$', views.upload, name='upload'),
+    url(r'^threads/(?P<thread_id>[\w\-]+)/update$', views.update_thread, name='update_thread'),
+    url(r'^threads/(?P<thread_id>[\w\-]+)/reply$', views.create_comment, name='create_comment'),
+    url(r'^threads/(?P<thread_id>[\w\-]+)/delete', views.delete_thread, name='delete_thread'),
+    url(r'^threads/(?P<thread_id>[\w\-]+)/upvote$', views.vote_for_thread, {'value': 'up'}, name='upvote_thread'),
+    url(r'^threads/(?P<thread_id>[\w\-]+)/downvote$', views.vote_for_thread, {'value': 'down'}, name='downvote_thread'),
+    url(r'^threads/(?P<thread_id>[\w\-]+)/flagAbuse$', views.flag_abuse_for_thread, name='flag_abuse_for_thread'),
+    url(r'^threads/(?P<thread_id>[\w\-]+)/unFlagAbuse$', views.un_flag_abuse_for_thread,
         name='un_flag_abuse_for_thread'),
-    url(r'threads/(?P<thread_id>[\w\-]+)/unvote$', views.undo_vote_for_thread, name='undo_vote_for_thread'),
-    url(r'threads/(?P<thread_id>[\w\-]+)/pin$', views.pin_thread, name='pin_thread'),
-    url(r'threads/(?P<thread_id>[\w\-]+)/unpin$', views.un_pin_thread, name='un_pin_thread'),
-    url(r'threads/(?P<thread_id>[\w\-]+)/follow$', views.follow_thread, name='follow_thread'),
-    url(r'threads/(?P<thread_id>[\w\-]+)/unfollow$', views.unfollow_thread, name='unfollow_thread'),
-    url(r'threads/(?P<thread_id>[\w\-]+)/close$', views.openclose_thread, name='openclose_thread'),
-    url(r'comments/(?P<comment_id>[\w\-]+)/update$', views.update_comment, name='update_comment'),
-    url(r'comments/(?P<comment_id>[\w\-]+)/endorse$', views.endorse_comment, name='endorse_comment'),
-    url(r'comments/(?P<comment_id>[\w\-]+)/reply$', views.create_sub_comment, name='create_sub_comment'),
-    url(r'comments/(?P<comment_id>[\w\-]+)/delete$', views.delete_comment, name='delete_comment'),
-    url(r'comments/(?P<comment_id>[\w\-]+)/upvote$', views.vote_for_comment, {'value': 'up'}, name='upvote_comment'),
-    url(r'comments/(?P<comment_id>[\w\-]+)/downvote$', views.vote_for_comment, {'value': 'down'},
+    url(r'^threads/(?P<thread_id>[\w\-]+)/unvote$', views.undo_vote_for_thread, name='undo_vote_for_thread'),
+    url(r'^threads/(?P<thread_id>[\w\-]+)/pin$', views.pin_thread, name='pin_thread'),
+    url(r'^threads/(?P<thread_id>[\w\-]+)/unpin$', views.un_pin_thread, name='un_pin_thread'),
+    url(r'^threads/(?P<thread_id>[\w\-]+)/follow$', views.follow_thread, name='follow_thread'),
+    url(r'^threads/(?P<thread_id>[\w\-]+)/unfollow$', views.unfollow_thread, name='unfollow_thread'),
+    url(r'^threads/(?P<thread_id>[\w\-]+)/close$', views.openclose_thread, name='openclose_thread'),
+    url(r'^comments/(?P<comment_id>[\w\-]+)/update$', views.update_comment, name='update_comment'),
+    url(r'^comments/(?P<comment_id>[\w\-]+)/endorse$', views.endorse_comment, name='endorse_comment'),
+    url(r'^comments/(?P<comment_id>[\w\-]+)/reply$', views.create_sub_comment, name='create_sub_comment'),
+    url(r'^comments/(?P<comment_id>[\w\-]+)/delete$', views.delete_comment, name='delete_comment'),
+    url(r'^comments/(?P<comment_id>[\w\-]+)/upvote$', views.vote_for_comment, {'value': 'up'}, name='upvote_comment'),
+    url(r'^comments/(?P<comment_id>[\w\-]+)/downvote$', views.vote_for_comment, {'value': 'down'},
         name='downvote_comment'),
-    url(r'comments/(?P<comment_id>[\w\-]+)/unvote$', views.undo_vote_for_comment, name='undo_vote_for_comment'),
-    url(r'comments/(?P<comment_id>[\w\-]+)/flagAbuse$', views.flag_abuse_for_comment, name='flag_abuse_for_comment'),
-    url(r'comments/(?P<comment_id>[\w\-]+)/unFlagAbuse$', views.un_flag_abuse_for_comment,
+    url(r'^comments/(?P<comment_id>[\w\-]+)/unvote$', views.undo_vote_for_comment, name='undo_vote_for_comment'),
+    url(r'^comments/(?P<comment_id>[\w\-]+)/flagAbuse$', views.flag_abuse_for_comment, name='flag_abuse_for_comment'),
+    url(r'^comments/(?P<comment_id>[\w\-]+)/unFlagAbuse$', views.un_flag_abuse_for_comment,
         name='un_flag_abuse_for_comment'),
     url(r'^(?P<commentable_id>[\w\-.]+)/threads/create$', views.create_thread, name='create_thread'),
     url(r'^(?P<commentable_id>[\w\-.]+)/follow$', views.follow_commentable, name='follow_commentable'),
     url(r'^(?P<commentable_id>[\w\-.]+)/unfollow$', views.unfollow_commentable, name='unfollow_commentable'),
-    url(r'users$', views.users, name='users'),
+    url(r'^users$', views.users, name='users'),
 ]

lms/djangoapps/grades/apps.py

@@ -20,7 +20,7 @@ class GradesConfig(AppConfig):
         PluginURLs.CONFIG: {
             ProjectType.LMS: {
                 PluginURLs.NAMESPACE: u'grades_api',
-                PluginURLs.REGEX: u'api/grades/',
+                PluginURLs.REGEX: u'^api/grades/',
                 PluginURLs.RELATIVE_PATH: u'api.urls',
             }
         },

lms/djangoapps/instructor/apps.py

@@ -19,7 +19,7 @@ class InstructorConfig(AppConfig):
         PluginURLs.CONFIG: {
             ProjectType.LMS: {
                 PluginURLs.NAMESPACE: u'',
-                PluginURLs.REGEX: u'courses/{}/instructor/api/'.format(COURSE_ID_PATTERN),
+                PluginURLs.REGEX: u'^courses/{}/instructor/api/'.format(COURSE_ID_PATTERN),
                 PluginURLs.RELATIVE_PATH: u'views.api_urls',
             }
         },

lms/djangoapps/instructor/views/api_urls.py

@@ -50,27 +50,27 @@ urlpatterns = [
 
     # Grade downloads...
     url(r'^list_report_downloads$', api.list_report_downloads, name='list_report_downloads'),
-    url(r'calculate_grades_csv$', api.calculate_grades_csv, name='calculate_grades_csv'),
-    url(r'problem_grade_report$', api.problem_grade_report, name='problem_grade_report'),
+    url(r'^calculate_grades_csv$', api.calculate_grades_csv, name='calculate_grades_csv'),
+    url(r'^problem_grade_report$', api.problem_grade_report, name='problem_grade_report'),
 
     # Financial Report downloads..
     url(r'^list_financial_report_downloads$', api.list_financial_report_downloads,
         name='list_financial_report_downloads'),
 
     # Registration Codes..
-    url(r'get_registration_codes$', api.get_registration_codes, name='get_registration_codes'),
-    url(r'generate_registration_codes$', api.generate_registration_codes, name='generate_registration_codes'),
-    url(r'active_registration_codes$', api.active_registration_codes, name='active_registration_codes'),
-    url(r'spent_registration_codes$', api.spent_registration_codes, name='spent_registration_codes'),
+    url(r'^get_registration_codes$', api.get_registration_codes, name='get_registration_codes'),
+    url(r'^generate_registration_codes$', api.generate_registration_codes, name='generate_registration_codes'),
+    url(r'^active_registration_codes$', api.active_registration_codes, name='active_registration_codes'),
+    url(r'^spent_registration_codes$', api.spent_registration_codes, name='spent_registration_codes'),
 
     # Reports..
-    url(r'get_enrollment_report$', api.get_enrollment_report, name='get_enrollment_report'),
-    url(r'get_exec_summary_report$', api.get_exec_summary_report, name='get_exec_summary_report'),
-    url(r'get_course_survey_results$', api.get_course_survey_results, name='get_course_survey_results'),
-    url(r'export_ora2_data', api.export_ora2_data, name='export_ora2_data'),
+    url(r'^get_enrollment_report$', api.get_enrollment_report, name='get_enrollment_report'),
+    url(r'^get_exec_summary_report$', api.get_exec_summary_report, name='get_exec_summary_report'),
+    url(r'^get_course_survey_results$', api.get_course_survey_results, name='get_course_survey_results'),
+    url(r'^export_ora2_data', api.export_ora2_data, name='export_ora2_data'),
 
     # Coupon Codes..
-    url(r'get_coupon_codes', api.get_coupon_codes, name='get_coupon_codes'),
+    url(r'^get_coupon_codes', api.get_coupon_codes, name='get_coupon_codes'),
 
     # spoc gradebook
     url(r'^gradebook$', gradebook_api.spoc_gradebook, name='spoc_gradebook'),
@@ -78,7 +78,7 @@ urlpatterns = [
     url(r'^gradebook/(?P<offset>[0-9]+)$', gradebook_api.spoc_gradebook, name='spoc_gradebook'),
 
     # Cohort management
-    url(r'add_users_to_cohorts$', api.add_users_to_cohorts, name='add_users_to_cohorts'),
+    url(r'^add_users_to_cohorts$', api.add_users_to_cohorts, name='add_users_to_cohorts'),
 
     # Certificates
     url(r'^generate_example_certificates$', api.generate_example_certificates, name='generate_example_certificates'),

lms/urls.py

@@ -103,9 +103,6 @@ urlpatterns = [
     # Course API
     url(r'^api/courses/', include('course_api.urls')),
 
-    # Completion API
-    url(r'^api/completion/', include('completion.api.urls', namespace='completion_api')),
-
     # User API endpoints
     url(r'^api/user/', include('openedx.core.djangoapps.user_api.urls')),
 
@@ -875,7 +872,7 @@ urlpatterns += [
 if settings.FEATURES.get('ENABLE_THIRD_PARTY_AUTH'):
     urlpatterns += [
         url(r'', include('third_party_auth.urls')),
-        url(r'api/third_party_auth/', include('third_party_auth.api.urls')),
+        url(r'^api/third_party_auth/', include('third_party_auth.api.urls')),
     ]
 
 # Enterprise
@@ -930,10 +927,10 @@ if settings.FEATURES.get('ENABLE_LTI_PROVIDER'):
     ]
 
 urlpatterns += [
-    url(r'config/self_paced', ConfigurationModelCurrentAPIView.as_view(model=SelfPacedConfiguration)),
-    url(r'config/programs', ConfigurationModelCurrentAPIView.as_view(model=ProgramsApiConfig)),
-    url(r'config/catalog', ConfigurationModelCurrentAPIView.as_view(model=CatalogIntegration)),
-    url(r'config/forums', ConfigurationModelCurrentAPIView.as_view(model=ForumsConfig)),
+    url(r'^config/self_paced', ConfigurationModelCurrentAPIView.as_view(model=SelfPacedConfiguration)),
+    url(r'^config/programs', ConfigurationModelCurrentAPIView.as_view(model=ProgramsApiConfig)),
+    url(r'^config/catalog', ConfigurationModelCurrentAPIView.as_view(model=CatalogIntegration)),
+    url(r'^config/forums', ConfigurationModelCurrentAPIView.as_view(model=ForumsConfig)),
 ]
 
 if settings.DEBUG:

openedx/core/djangoapps/bookmarks/apps.py

@@ -17,7 +17,7 @@ class BookmarksConfig(AppConfig):
         PluginURLs.CONFIG: {
             ProjectType.LMS: {
                 PluginURLs.NAMESPACE: u'',
-                PluginURLs.REGEX: u'api/bookmarks/',
+                PluginURLs.REGEX: u'^api/bookmarks/',
                 PluginURLs.RELATIVE_PATH: u'urls',
             }
         },

openedx/core/djangoapps/theming/apps.py

@@ -3,7 +3,7 @@ from django.apps import AppConfig
 from openedx.core.djangoapps.plugins.constants import ProjectType, PluginURLs
 
 
-plugin_urls_config = {PluginURLs.NAMESPACE: u'theming', PluginURLs.REGEX: u'theming/'}
+plugin_urls_config = {PluginURLs.NAMESPACE: u'theming', PluginURLs.REGEX: r'^theming/'}
 
 
 class ThemingConfig(AppConfig):

openedx/features/announcements/apps.py

@@ -15,7 +15,7 @@ class AnnouncementsConfig(AppConfig):
         PluginURLs.CONFIG: {
             ProjectType.LMS: {
                 PluginURLs.NAMESPACE: u'announcements',
-                PluginURLs.REGEX: u'announcements/',
+                PluginURLs.REGEX: u'^announcements/',
                 PluginURLs.RELATIVE_PATH: u'urls',
             }
         },

openedx/tests/completion_integration/test_views.py

@@ -31,7 +31,7 @@ class CompletionBatchTestCase(CompletionWaffleTestMixin, ModuleStoreTestCase):
         Create the test data.
         """
         super(CompletionBatchTestCase, self).setUp()
-        self.url = reverse('completion_api:v1:completion-batch')
+        self.url = reverse('completion:v1:completion-batch')
 
         # Enable the waffle flag for all tests
         self.override_waffle_switch(True)