Redirect user when loading class summary results in 403

[nucleogenesis]

Summary

When a coach is doing coach things and they are logged out due to timeout, Kolibri will keep track of the last place the user was in. If a coach is doing coach things, then they timeout, but then a Learner logs in again the Learner is redirected to where the coach previously was.

Since the Learner cannot do Coach things, they get a 403 on the classSummary API call.

So we catch that particular error and redirect the user such that they go to wherever they'd normally have gone after logging in.

References

Fixes #12442

Reviewer guidance

• Sign in as admin/coach and go to create a quiz
• Go to your devtools and delete the kolibri cookie, see that you are redirected to the sign-in page
• Sign in as a learner

Before the fix:

• The learner would see a blank screen and basically be stuck there

After the fix:

• The learner is completely virtually unaware that they were initially being redirected to Coach things (unless they're keenly watching the URL bar or their devtools as they are still directed to the Coach URL before being re-redirected)

---

Testing checklist

• Contributor has fully tested the PR manually
• If there are any front-end changes, before/after screenshots are included
• Critical user journeys are covered by Gherkin stories
• Critical and brittle code paths are covered by unit tests

PR process

• PR has the correct target branch and milestone
• PR has 'needs review' or 'work-in-progress' label
• If PR is ready for review, a reviewer has been added. (Don't use 'Assignees')
• If this is an important user-facing change, PR or related issue has a 'changelog' label
• If this includes an internal dependency change, a link to the diff is provided

Reviewer checklist

• PR is fully functional
• PR has been tested for accessibility regressions
• External dependency files were updated if necessary (yarn and pip)
• Documentation is updated
• Contributor is in AUTHORS.md

[rtibbles]

This is a fairly drastic change in existing behaviour. The issue asked for the authentication wrapper to be used in the quiz creation flow, not to globally alter behaviour on permission failure.

[rtibbles]

This is not fixing the issue as described - the mismatch in the behaviour was specifically in the quiz creation page, where it is not using the authentication wrapper component to show meaningful errors to the user in the case that they are not authenticted.

Also, as this is now applying to every page in coach, the existing authentication wrapper errors may not show because of this.

Further, if a coach's session expired, and the classSummary API update call returned early, they would now get redirected to the login page, but without a next parameter to guide them back to where they were before.

[github-actions]

Build Artifacts

Asset type	Download link
PEX file	kolibri-0.18.0a0.dev0_git.204.g58555216.pex
Windows Installer (EXE)	kolibri-0.18.0a0.dev0+git.204.g58555216-windows-setup-unsigned.exe
Debian Package	kolibri_0.18.0a0.dev0+git.204.g58555216-0ubuntu1_all.deb
Mac Installer (DMG)	kolibri-0.18.0a0.dev0+git.204.g58555216.dmg
Android Package (APK)	kolibri-0.18.0a0.dev0+git.204.g58555216-0.1.4-debug.apk
Raspberry Pi Image	kolibri-pi-image-0.18.0a0.dev0+git.204.g58555216.zip
TAR file	kolibri-0.18.0a0.dev0+git.204.g58555216.tar.gz
WHL file	kolibri-0.18.0a0.dev0+git.204.g58555216-py2.py3-none-any.whl

This looks like the right fix.

[radinamatic]

Learner is still being stuck with blank page and 403 in the console 😕
(Firefox on Ubuntu)

PR-12755.mp4

[rtibbles]

Hrm, looks like it's maybe a race condition? If the class notifications endpoint gives a 403 before the class summary endpoint, we see it stuck, but if the class summary endpoint returns then we see the authentication message properly?

[nucleogenesis]

@radinamatic I've updated this PR and tested in coach - the learner user should be navigated to the AuthMessage as expected now.

[pcenov]

Hi @nucleogenesis - I confirm that #12442 is fixed.

[rtibbles]

Just one question and a comment.

[rtibbles]

This may end up calling next twice, because we catch and then then - but I don't think this matters.

[nucleogenesis]

I think calling next() basically stops any further code execution so if one promise rejects at any point, we'll have next called and will be redirected altogether.

That said, I did look back at Promise.all's docs and see that in this case, the then would be called if next wasn't called because of the chaining order.

If the then comes first in the chain series, then it would not be called if the catch blocks ran because Promise.all handles any rejection immediately. But, if you catch errors and chain a then to the catch though, the then is run.

Might be misinterpreting a bit there but seemed to be the case when I played around a bit w/ Promises in the terminal

In any case, I think you're right that it won't have any effect as-is.

[rtibbles]

Should we only put the handleApiError call in here, so that the other two lines get executed?

[nucleogenesis]

Updated here, thanks Richard