From 86913938268073a5ae9eeed63461c66c9924fd41 Mon Sep 17 00:00:00 2001
From: Robert Raposa <rraposa@edx.org>
Date: Tue, 15 Mar 2016 12:44:57 -0400
Subject: [PATCH 1/4] Escape full name

TNL-3849/SEC-69
---
 lms/templates/verify_student/pay_and_verify.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lms/templates/verify_student/pay_and_verify.html b/lms/templates/verify_student/pay_and_verify.html
index 6c1882ff1d..7ea4f6ac27 100644
--- a/lms/templates/verify_student/pay_and_verify.html
+++ b/lms/templates/verify_student/pay_and_verify.html
@@ -59,7 +59,7 @@ from lms.djangoapps.verify_student.views import PayAndVerifyView
     <div
       id="pay-and-verify-container"
       class="pay-and-verify"
-      data-full-name='${user_full_name}'
+      data-full-name='${user_full_name | h}'
       data-platform-name='${platform_name}'
       data-course-key='${course_key}'
       data-course-name='${course.display_name|h}'

From 1961189819282cc9341889fc928f06a340b71ae5 Mon Sep 17 00:00:00 2001
From: Robert Raposa <rraposa@edx.org>
Date: Tue, 15 Mar 2016 09:32:10 -0400
Subject: [PATCH 2/4] Properly escape the name

---
 lms/templates/instructor/instructor_dashboard_2/metrics.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lms/templates/instructor/instructor_dashboard_2/metrics.html b/lms/templates/instructor/instructor_dashboard_2/metrics.html
index 7aae9338ae..5eee8e05e1 100644
--- a/lms/templates/instructor/instructor_dashboard_2/metrics.html
+++ b/lms/templates/instructor/instructor_dashboard_2/metrics.html
@@ -91,7 +91,7 @@ from django.template.defaultfilters import escapejs
             $('.metrics-overlay-content thead', metrics_overlay).append(overlay_content);
 
             $.each(response.results, function(index, value ){
-              overlay_content = '<tr><td>' + value['name'] + "</td><td>" + value['username'] + '</td></tr>';
+              overlay_content = '<tr><td>' + _.escape(value['name']) + "</td><td>" + _.escape(value['username']) + '</td></tr>';
               $('.metrics-overlay-content tbody', metrics_overlay).append(overlay_content);
             });
             // If student list too long, append message to screen.
@@ -131,7 +131,7 @@ from django.template.defaultfilters import escapejs
             $('.metrics-overlay-content thead', metrics_overlay).append(overlay_content);
 
             $.each(response.results, function(index, value ){
-              overlay_content = '<tr><td>' + value['name'] + "</td><td>" + value['username'] + "</td><td>" + value['grade'] + "</td><td>" + value['percent'] + '</td></tr>';
+              overlay_content = '<tr><td>' + _.escape(value['name']) + "</td><td>" + _.escape(value['username']) + "</td><td>" + _.escape(value['grade']) + "</td><td>" + _.escape(value['percent']) + '</td></tr>';
               $('.metrics-overlay-content tbody', metrics_overlay).append(overlay_content);
             });
             // If student list too long, append message to screen.

From f0e7dcd346f1b17505897bbe7b20365c88f51757 Mon Sep 17 00:00:00 2001
From: Ayub-khan <Ayub.khan@arbisoft.com>
Date: Wed, 16 Mar 2016 18:57:45 +0500
Subject: [PATCH 3/4] Properly escaping fullname

To prevent XSS attacks, we now properly escape any string containing
the user's fullname. Enumerated by searching webview.py for "fullname",
and "git grep"-ing any occurrences. This also exposed some unused strings,
which I deleted for clarity.
---
 lms/templates/certificates/_accomplishment-banner.html    | 2 +-
 lms/templates/certificates/_accomplishment-rendering.html | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lms/templates/certificates/_accomplishment-banner.html b/lms/templates/certificates/_accomplishment-banner.html
index 2ca86733c3..eba7ee8d9c 100644
--- a/lms/templates/certificates/_accomplishment-banner.html
+++ b/lms/templates/certificates/_accomplishment-banner.html
@@ -40,7 +40,7 @@ from django.template.defaultfilters import escapejs
 <div class="wrapper-banner wrapper-banner-user">
     <section class="banner banner-user">
         <div class="message message-block message-notice">
-            <h2 class="message-title hd-5 emphasized">${accomplishment_banner_opening}</h2>
+            <h2 class="message-title hd-5 emphasized">${accomplishment_banner_opening | h}</h2>
             <div class="wrapper-copy-and-actions">
                 <p class="message-copy copy copy-base emphasized">${accomplishment_banner_congrats}</p>
                 <div class="message-actions">
diff --git a/lms/templates/certificates/_accomplishment-rendering.html b/lms/templates/certificates/_accomplishment-rendering.html
index 2182b2ae90..05c67ea26a 100644
--- a/lms/templates/certificates/_accomplishment-rendering.html
+++ b/lms/templates/certificates/_accomplishment-rendering.html
@@ -24,7 +24,7 @@ course_mode_class = course_mode if course_mode else ''
             <div class="wrapper-statement-and-signatories">
                 <div class="accomplishment-statement">
                     <p class="accomplishment-statement-lead">
-                        <strong class="accomplishment-recipient hd-1 emphasized">${accomplishment_copy_name}</strong>
+                        <strong class="accomplishment-recipient hd-1 emphasized">${accomplishment_copy_name | h}</strong>
                         <span class="accomplishment-summary copy copy-lead">${accomplishment_copy_description_full}</span>
 
                         <span class="accomplishment-course hd-1 emphasized">
@@ -86,7 +86,7 @@ course_mode_class = course_mode if course_mode else ''
 
     <div class="wrapper-accomplishment-metadata">
         <div class="accomplishment-metadata">
-            <h2 class="accomplishment-metadata-title hd-6">${accomplishment_copy_more_about}</h2>
+            <h2 class="accomplishment-metadata-title hd-6">${accomplishment_copy_more_about | h}</h2>
 
             <div class="wrapper-metadata">
                 <dl class="metadata accomplishment-recipient">
@@ -96,7 +96,7 @@ course_mode_class = course_mode if course_mode else ''
                             <img class="src" src="/static/certificates/images/demo-user-profile.png" alt="">
                         </span>
                         <div class="recipient-details">
-                            <h3 class="recipient-name">${accomplishment_copy_name}</h3>
+                            <h3 class="recipient-name">${accomplishment_copy_name | h}</h3>
                             <p class="recipient-username">${accomplishment_copy_username} @ ${platform_name}</p>
                         </div>
                     </dd>

From bb952e148f0221442f3e929afd3e8414d34845fd Mon Sep 17 00:00:00 2001
From: muzaffaryousaf <muzaffar.yousaf@arbisoft.com>
Date: Thu, 17 Mar 2016 18:57:14 +0500
Subject: [PATCH 4/4] Restrice non-staff users to access preview content.

TNL-4194
---
 lms/djangoapps/courseware/access.py           |  55 ++++++-
 .../courseware/tests/test_access.py           | 138 +++++++++++++++---
 2 files changed, 169 insertions(+), 24 deletions(-)

diff --git a/lms/djangoapps/courseware/access.py b/lms/djangoapps/courseware/access.py
index 178568dd8e..98306e7a60 100644
--- a/lms/djangoapps/courseware/access.py
+++ b/lms/djangoapps/courseware/access.py
@@ -61,7 +61,10 @@ from courseware.access_response import (
     MobileAvailabilityError,
     VisibilityError,
 )
-from courseware.access_utils import adjust_start_date, check_start_date, debug, ACCESS_GRANTED, ACCESS_DENIED
+from courseware.access_utils import (
+    adjust_start_date, check_start_date, debug, ACCESS_GRANTED, ACCESS_DENIED,
+    in_preview_mode
+)
 
 from lms.djangoapps.ccx.custom_exception import CCXLocatorValidationException
 from lms.djangoapps.ccx.models import CustomCourseForEdX
@@ -135,6 +138,10 @@ def has_access(user, action, obj, course_key=None):
     if isinstance(course_key, CCXLocator):
         course_key = course_key.to_course_locator()
 
+    if in_preview_mode():
+        if not bool(has_staff_access_to_preview_mode(user=user, obj=obj, course_key=course_key)):
+            return ACCESS_DENIED
+
     # delegate the work to type-specific functions.
     # (start with more specific types, then get more general)
     if isinstance(obj, CourseDescriptor):
@@ -172,6 +179,52 @@ def has_access(user, action, obj, course_key=None):
 
 
 # ================ Implementation helpers ================================
+
+def has_staff_access_to_preview_mode(user, obj, course_key=None):
+    """
+    Returns whether user has staff access to specified modules or not.
+
+    Arguments:
+
+        user: a Django user object.
+
+        obj: The object to check access for.
+
+        course_key: A course_key specifying which course this access is for.
+
+    Returns an AccessResponse object.
+    """
+    if course_key is None:
+        if isinstance(obj, CourseDescriptor) or isinstance(obj, CourseOverview):
+            course_key = obj.id
+
+        elif isinstance(obj, ErrorDescriptor):
+            course_key = obj.location.course_key
+
+        elif isinstance(obj, XModule):
+            course_key = obj.descriptor.course_key
+
+        elif isinstance(obj, XBlock):
+            course_key = obj.location.course_key
+
+        elif isinstance(obj, CCXLocator):
+            course_key = obj.to_course_locator()
+
+        elif isinstance(obj, CourseKey):
+            course_key = obj
+
+        elif isinstance(obj, UsageKey):
+            course_key = obj.course_key
+
+    if course_key is None:
+        if GlobalStaff().has_user(user):
+            return ACCESS_GRANTED
+        else:
+            return ACCESS_DENIED
+
+    return _has_access_to_course(user, 'staff', course_key=course_key)
+
+
 def _can_access_descriptor_with_start_date(user, descriptor, course_key):  # pylint: disable=invalid-name
     """
     Checks if a user has access to a descriptor based on its start date.
diff --git a/lms/djangoapps/courseware/tests/test_access.py b/lms/djangoapps/courseware/tests/test_access.py
index add8c738ee..f261b56282 100644
--- a/lms/djangoapps/courseware/tests/test_access.py
+++ b/lms/djangoapps/courseware/tests/test_access.py
@@ -17,6 +17,7 @@ from mock import Mock, patch
 from nose.plugins.attrib import attr
 from opaque_keys.edx.locations import SlashSeparatedCourseKey
 
+from ccx.tests.factories import CcxFactory
 import courseware.access as access
 import courseware.access_response as access_response
 from courseware.masquerade import CourseMasquerade
@@ -39,17 +40,21 @@ from student.tests.factories import (
     CourseEnrollmentAllowedFactory,
     CourseEnrollmentFactory,
 )
+
 from xmodule.course_module import (
     CATALOG_VISIBILITY_CATALOG_AND_ABOUT,
     CATALOG_VISIBILITY_ABOUT,
     CATALOG_VISIBILITY_NONE,
 )
-from xmodule.modulestore.tests.factories import CourseFactory
+from xmodule.error_module import ErrorDescriptor
+from xmodule.modulestore.tests.factories import CourseFactory, ItemFactory
 from xmodule.modulestore.tests.django_utils import (
     ModuleStoreTestCase,
     SharedModuleStoreTestCase,
     TEST_DATA_SPLIT_MODULESTORE
 )
+from xmodule.modulestore.xml import CourseLocationManager
+from xmodule.tests import get_test_system
 
 from util.milestones_helpers import (
     set_prerequisite_courses,
@@ -157,23 +162,23 @@ class AccessTestCase(LoginEnrollmentTestCase, ModuleStoreTestCase, MilestonesTes
     """
     TOMORROW = datetime.datetime.now(pytz.utc) + datetime.timedelta(days=1)
     YESTERDAY = datetime.datetime.now(pytz.utc) - datetime.timedelta(days=1)
+    MODULESTORE = TEST_DATA_SPLIT_MODULESTORE
 
     def setUp(self):
         super(AccessTestCase, self).setUp()
-        course_key = SlashSeparatedCourseKey('edX', 'toy', '2012_Fall')
-        self.course = course_key.make_usage_key('course', course_key.run)
+        self.course = CourseFactory.create(org='edX', course='toy', run='test_run')
         self.anonymous_user = AnonymousUserFactory()
-        self.beta_user = BetaTesterFactory(course_key=self.course.course_key)
+        self.beta_user = BetaTesterFactory(course_key=self.course.id)
         self.student = UserFactory()
         self.global_staff = UserFactory(is_staff=True)
-        self.course_staff = StaffFactory(course_key=self.course.course_key)
-        self.course_instructor = InstructorFactory(course_key=self.course.course_key)
+        self.course_staff = StaffFactory(course_key=self.course.id)
+        self.course_instructor = InstructorFactory(course_key=self.course.id)
         self.staff = GlobalStaffFactory()
 
     def verify_access(self, mock_unit, student_should_have_access, expected_error_type=None):
         """ Verify the expected result from _has_access_descriptor """
         response = access._has_access_descriptor(self.anonymous_user, 'load',
-                                                 mock_unit, course_key=self.course.course_key)
+                                                 mock_unit, course_key=self.course.id)
         self.assertEqual(student_should_have_access, bool(response))
 
         if expected_error_type is not None:
@@ -181,55 +186,142 @@ class AccessTestCase(LoginEnrollmentTestCase, ModuleStoreTestCase, MilestonesTes
             self.assertIsNotNone(response.to_json()['error_code'])
 
         self.assertTrue(
-            access._has_access_descriptor(self.course_staff, 'load', mock_unit, course_key=self.course.course_key)
+            access._has_access_descriptor(self.course_staff, 'load', mock_unit, course_key=self.course.id)
         )
 
+    def test_has_staff_access_to_preview_mode(self):
+        """
+        Tests users have right access to content in preview mode.
+        """
+        course_key = self.course.id
+        usage_key = self.course.scope_ids.usage_id
+        chapter = ItemFactory.create(category="chapter", parent_location=self.course.location)
+        overview = CourseOverview.get_from_id(course_key)
+        test_system = get_test_system()
+
+        ccx = CcxFactory(course_id=course_key)
+        ccx_locator = CCXLocator.from_course_locator(course_key, ccx.id)
+
+        error_descriptor = ErrorDescriptor.from_xml(
+            u"<problem>ABC \N{SNOWMAN}</problem>",
+            test_system,
+            CourseLocationManager(course_key),
+            "error msg"
+        )
+        # Enroll student to the course
+        CourseEnrollmentFactory(user=self.student, course_id=self.course.id)
+
+        modules = [
+            self.course,
+            overview,
+            chapter,
+            ccx_locator,
+            error_descriptor,
+            course_key,
+            usage_key,
+        ]
+        # Course key is not None
+        self.assertTrue(
+            bool(access.has_staff_access_to_preview_mode(self.global_staff, obj=self.course, course_key=course_key))
+        )
+
+        for user in [self.global_staff, self.course_staff, self.course_instructor]:
+            for obj in modules:
+                self.assertTrue(bool(access.has_staff_access_to_preview_mode(user, obj=obj)))
+                self.assertFalse(bool(access.has_staff_access_to_preview_mode(self.student, obj=obj)))
+
+    def test_student_has_access(self):
+        """
+        Tests course student have right access to content w/o preview.
+        """
+        course_key = self.course.id
+        chapter = ItemFactory.create(category="chapter", parent_location=self.course.location)
+        overview = CourseOverview.get_from_id(course_key)
+
+        # Enroll student to the course
+        CourseEnrollmentFactory(user=self.student, course_id=self.course.id)
+
+        modules = [
+            self.course,
+            overview,
+            chapter,
+        ]
+        with patch('courseware.access.in_preview_mode') as mock_preview:
+            mock_preview.return_value = False
+            for obj in modules:
+                self.assertTrue(bool(access.has_access(self.student, 'load', obj, course_key=self.course.id)))
+
+        with patch('courseware.access.in_preview_mode') as mock_preview:
+            mock_preview.return_value = True
+            for obj in modules:
+                self.assertFalse(bool(access.has_access(self.student, 'load', obj, course_key=self.course.id)))
+
+    def test_string_has_staff_access_to_preview_mode(self):
+        """
+        Tests different users has right access to string content in preview mode.
+        """
+        self.assertTrue(bool(access.has_staff_access_to_preview_mode(self.global_staff, obj='global')))
+        self.assertFalse(bool(access.has_staff_access_to_preview_mode(self.course_staff, obj='global')))
+        self.assertFalse(bool(access.has_staff_access_to_preview_mode(self.course_instructor, obj='global')))
+        self.assertFalse(bool(access.has_staff_access_to_preview_mode(self.student, obj='global')))
+
+    @patch('courseware.access.in_preview_mode', Mock(return_value=True))
+    def test_has_access_with_preview_mode(self):
+        """
+        Tests particular user's can access content via has_access in preview mode.
+        """
+        self.assertTrue(bool(access.has_access(self.global_staff, 'staff', self.course, course_key=self.course.id)))
+        self.assertTrue(bool(access.has_access(self.course_staff, 'staff', self.course, course_key=self.course.id)))
+        self.assertTrue(bool(access.has_access(self.course_instructor, 'staff', self.course, course_key=self.course.id)))
+        self.assertFalse(bool(access.has_access(self.student, 'staff', self.course, course_key=self.course.id)))
+        self.assertFalse(bool(access.has_access(self.student, 'load', self.course, course_key=self.course.id)))
+
     def test_has_access_to_course(self):
         self.assertFalse(access._has_access_to_course(
-            None, 'staff', self.course.course_key
+            None, 'staff', self.course.id
         ))
 
         self.assertFalse(access._has_access_to_course(
-            self.anonymous_user, 'staff', self.course.course_key
+            self.anonymous_user, 'staff', self.course.id
         ))
         self.assertFalse(access._has_access_to_course(
-            self.anonymous_user, 'instructor', self.course.course_key
+            self.anonymous_user, 'instructor', self.course.id
         ))
 
         self.assertTrue(access._has_access_to_course(
-            self.global_staff, 'staff', self.course.course_key
+            self.global_staff, 'staff', self.course.id
         ))
         self.assertTrue(access._has_access_to_course(
-            self.global_staff, 'instructor', self.course.course_key
+            self.global_staff, 'instructor', self.course.id
         ))
 
         # A user has staff access if they are in the staff group
         self.assertTrue(access._has_access_to_course(
-            self.course_staff, 'staff', self.course.course_key
+            self.course_staff, 'staff', self.course.id
         ))
         self.assertFalse(access._has_access_to_course(
-            self.course_staff, 'instructor', self.course.course_key
+            self.course_staff, 'instructor', self.course.id
         ))
 
         # A user has staff and instructor access if they are in the instructor group
         self.assertTrue(access._has_access_to_course(
-            self.course_instructor, 'staff', self.course.course_key
+            self.course_instructor, 'staff', self.course.id
         ))
         self.assertTrue(access._has_access_to_course(
-            self.course_instructor, 'instructor', self.course.course_key
+            self.course_instructor, 'instructor', self.course.id
         ))
 
         # A user does not have staff or instructor access if they are
         # not in either the staff or the the instructor group
         self.assertFalse(access._has_access_to_course(
-            self.student, 'staff', self.course.course_key
+            self.student, 'staff', self.course.id
         ))
         self.assertFalse(access._has_access_to_course(
-            self.student, 'instructor', self.course.course_key
+            self.student, 'instructor', self.course.id
         ))
 
         self.assertFalse(access._has_access_to_course(
-            self.student, 'not_staff_or_instructor', self.course.course_key
+            self.student, 'not_staff_or_instructor', self.course.id
         ))
 
     def test__has_access_string(self):
@@ -256,12 +348,12 @@ class AccessTestCase(LoginEnrollmentTestCase, ModuleStoreTestCase, MilestonesTes
                 (self.course_instructor, expected_instructor)
         ):
             self.assertEquals(
-                bool(access._has_access_error_desc(user, action, descriptor, self.course.course_key)),
+                bool(access._has_access_error_desc(user, action, descriptor, self.course.id)),
                 expected_response
             )
 
         with self.assertRaises(ValueError):
-            access._has_access_error_desc(self.course_instructor, 'not_load_or_staff', descriptor, self.course.course_key)
+            access._has_access_error_desc(self.course_instructor, 'not_load_or_staff', descriptor, self.course.id)
 
     def test__has_access_descriptor(self):
         # TODO: override DISABLE_START_DATES and test the start date branch of the method
@@ -304,7 +396,7 @@ class AccessTestCase(LoginEnrollmentTestCase, ModuleStoreTestCase, MilestonesTes
         mock_unit.visible_to_staff_only = False
 
         self.assertTrue(bool(access._has_access_descriptor(
-            self.beta_user, 'load', mock_unit, course_key=self.course.course_key)))
+            self.beta_user, 'load', mock_unit, course_key=self.course.id)))
 
     @ddt.data(None, YESTERDAY, TOMORROW)
     @patch.dict('django.conf.settings.FEATURES', {'DISABLE_START_DATES': False})