From 9276aac8d20a28d89dfde37b5e543697959e3362 Mon Sep 17 00:00:00 2001
From: uzairr
Date: Mon, 15 Jul 2019 20:35:10 +0500
Subject: [PATCH] Restrict grading endpoints in LMS
Cuurently, grading endpoints in capa module are vulnerable as they are not restricted.To avoid it, changes have been made so that they are available only for logged-in users. LEARNER-3761
---
 lms/djangoapps/courseware/module_render.py | 21 ++++++++++---------
 .../courseware/tests/test_module_render.py | 20 ++++++++++++++++++
 2 files changed, 31 insertions(+), 10 deletions(-)
diff --git a/lms/djangoapps/courseware/module_render.py b/lms/djangoapps/courseware/module_render.py
index 4e1e114d8e..7100e52a8e 100644
--- a/lms/djangoapps/courseware/module_render.py
+++ b/lms/djangoapps/courseware/module_render.py
@@ -577,16 +577,17 @@ def get_module_system_for_user(
         """
         Submit a grade for the block.
         """
-        grades_signals.SCORE_PUBLISHED.send(
-            sender=None,
-            block=block,
-            user=user,
-            raw_earned=event['value'],
-            raw_possible=event['max_value'],
-            only_if_higher=event.get('only_if_higher'),
-            score_deleted=event.get('score_deleted'),
-            grader_response=event.get('grader_response')
-        )
+        if not user.is_anonymous():
+            grades_signals.SCORE_PUBLISHED.send(
+                sender=None,
+                block=block,
+                user=user,
+                raw_earned=event['value'],
+                raw_possible=event['max_value'],
+                only_if_higher=event.get('only_if_higher'),
+                score_deleted=event.get('score_deleted'),
+                grader_response=event.get('grader_response')
+            )
 
     def handle_deprecated_progress_event(block, event):
         """
diff --git a/lms/djangoapps/courseware/tests/test_module_render.py b/lms/djangoapps/courseware/tests/test_module_render.py
index 65f08d38d4..7bd8c57119 100644
--- a/lms/djangoapps/courseware/tests/test_module_render.py
+++ b/lms/djangoapps/courseware/tests/test_module_render.py
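Review bot: `user.is_anonymous()` on the new guard line is called as a method, but since Django 1.10 `is_anonymous` is a property; the call form only works through the deprecated CallableBool shim and raises TypeError on Django 2.0 and later, so write `if not user.is_anonymous:`. The guard also turns an anonymous score submission into a silent no-op: presumably the rest of the handler still runs and returns normally, nothing is logged, and neither the caller nor an operator can tell the grade was discarded. Consider making that explicit with a comment such as `# Anonymous users have no grade record; drop the score instead of publishing it`, a warning log if the module has a logger, or better a rejection of unauthenticated requests at the handler boundary so the endpoint itself is restricted as the commit message claims. The enclosing function's def line is above the hunk, outside the visible span.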
@@ -906,6 +906,26 @@ class TestHandleXBlockCallback(SharedModuleStoreTestCase, LoginEnrollmentTestCas
         with self.assertRaises(BlockCompletion.DoesNotExist):
             BlockCompletion.objects.get(block_key=block.scope_ids.usage_id)
 
+    @XBlock.register_temp_plugin(GradedStatelessXBlock, identifier='stateless_scorer')
+    @patch('lms.djangoapps.courseware.module_render.grades_signals.SCORE_PUBLISHED.send')
+    def test_anonymous_user_not_be_graded(self, mock_score_signal):
+        course = CourseFactory.create()
+        descriptor_kwargs = {
+            'category': 'problem',
+        }
+        request = self.request_factory.get('/')
+        request.user = AnonymousUser()
+        descriptor = ItemFactory.create(**descriptor_kwargs)
+
+        render.handle_xblock_callback(
+            request,
+            text_type(course.id),
+            quote_slashes(text_type(descriptor.location)),
+            'xmodule_handler',
+            'problem_check',
+        )
+        self.assertFalse(mock_score_signal.called)
+
 
 @ddt.ddt
 @patch.dict('django.conf.settings.FEATURES', {'ENABLE_XBLOCK_VIEW_ENDPOINT': True})
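Review bot: `self.assertFalse(mock_score_signal.called)` is the only assertion, and a negative assertion passes for any early exit — the `problem` item is created without a parent in the course, so if `handle_xblock_callback` fails before reaching the grading path (a 404 or a redirect for the anonymous request) the signal is equally never sent and the test does not demonstrate the new guard. Capture the return value, `response = render.handle_xblock_callback(...)`, assert the status code the endpoint is expected to give an anonymous caller, and attach the item to the course (e.g. `parent_location=course.location`) so the request actually reaches the grading code. The `@XBlock.register_temp_plugin(GradedStatelessXBlock, identifier='stateless_scorer')` decorator appears unused, since the created item has category `'problem'`; either drop it or create the item with that category. The method would read better as `test_anonymous_user_not_graded`, and the one-key `descriptor_kwargs` dict can be inlined.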