Class Activity 16

  • Due Oct 21, 2020 by 10am
  • Points None

Note: There's nothing to submit to this class assignment, though you will submit homework related to it.

Overview

We've got user-authentication! (you can see solution in the ca13-solutions folder on Dropbox Links to an external site.).  But authentication doesn't get us very far without some authorization scheme. We want to modify VidQuiz so that:

  1. only users who are signed in can add or watch a video
  2. only users who created a particular VidQuiz can edit it (add/update/remove questions)
  3. users can watch any VidQuiz, even if they didn't create it

The ca16-starter folder on Dropbox Links to an external site. has code to get us started. Here's what's implemented and what needs implementing:

  • if a user isn't signed in, they are redirected to the sign in view
  • in the data model:
    • a new table, VidQuizProgress, tracks viewers' progress watching a video (currentTime, currentSpeed, queuedQuestionIndex)
    • a new table, Responses, holds viewers' responses to questions (TODO)
  • in the API:
    • the user must be signed in to perform any action other than sign up/sign in/sign out
      • TODO: Implement the stopUnlessSignedIn function in api.php
    • rework the API so that VidQuiz progress updates are no longer handled by the update-vidquiz action
      • TODO: implement updateVidQuizProgress in api.php
    • updating/deleting a VidQuiz or question, or adding a question to a VidQuiz, requires the user to be the creator of the associated VidQuiz
      • TODO: update these functions to call the helper function stopUnlessAssociatedUser in api.php
    • actions + handlers for CRUD on question responses is supported
      • anyone signed in user can add a question response
      • only the owner of a response can update it
      • only the owner of a response or the owner of the associated VidQuiz can retrieve or delete a response
    • when adding a VidQuiz to the DB, include the user's id
    • when adding a response to the DB, include the user's id (TODO)
    • when retrieving a VidQuiz, also grab the user's progress information from VidQuizProgress (TODO)
      • if a progress entry doesn't exist, create a new one
      • include the id of the entry
    • all unauthorized actions will result in an error about not having authorization
  • on the client:
    • update saving progress (need to specify the VidQuizProgress id, not the VidQuiz id) (TODO)
    • update saving responses (no longer updating whole Questions entry, but a Responses entry) (TODO)

Here's what the tables should look like:

vidquiz-tables.png

 

1603288800 10/21/2020 10:00am