
perms issue: students cannot see instructors in calendar event details #1169

Closed
stopfstedt opened this issue Dec 1, 2015 · 7 comments · Fixed by #1172

Comments

@stopfstedt (Member)

The user voter rejects any VIEW request for user details from users that have no elevated privileges, other than requests for their own user info.
You have to be an instructor/course director/developer to see other users' details.

See https://github.com/ilios/ilios/blob/master/src/Ilios/AuthenticationBundle/Voter/UserVoter.php#L55 for the currently implemented perms check.

@stopfstedt stopfstedt self-assigned this Dec 1, 2015
@stopfstedt stopfstedt added this to the v3.0.0-final milestone Dec 2, 2015
@stopfstedt stopfstedt changed the title perms issue/access denied when attempting to show calendar event details. perms issue: students cannot see instructors in calendar event details Dec 2, 2015
@stopfstedt (Member, Author)

Example (from ilios-stage):

logged-in user: 11233
requested event: U20151203O63526
Bombs out with 403 when attempting to load user details for user 4268 (api/v1/users/4268).

@stopfstedt (Member, Author)

Options that come to mind:

  1. Don't request user info for instructors / don't show instructor details in the calendar event details.
  2. Augment the perms check to see if the current user is being instructed by the requested user; if so, grant access.

Option 2 would warrant further discussion, e.g. defining 'instructed by'.

@saschaben @jrjohnson thoughts?

@saschaben (Member)

This is a real problem. Instructor names MUST be displayed in course event details. This is public information. Anyone should be able to see who is teaching a given event. So option #1 is not feasible, and similarly #2 is too restrictive.

@stopfstedt (Member, Author)

Thanks for the feedback. Then we'll need another API endpoint, something like 'event instructor', which takes a given user id and a given event id and returns a stripped-down user record (sans the campus id and such). The user controller is not aware of the surrounding context that the requested user information is used in.
@jrjohnson, does that make sense?

@saschaben (Member)

@stopfstedt @jrjohnson Couldn't / shouldn't we just add that attribute to the userevent/schoolevent endpoints?

@jrjohnson (Member)

That was the plan we came up with a few weeks ago: to expand the event endpoints to include faculty names as a string, along with all of the other details we're currently making a second API request to resolve.

@stopfstedt (Member, Author)

And that's the answer. Thanks for the reminder. Will weave the instructor names in then.
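The two access paths this thread contrasts, as an added example in plain PHP (not Ilios code, and not a Symfony voter; class names such as `UserVoter`, `EventSerializer`, the role strings and all ids are assumptions constructed for illustration). The first part models the rule the opening comment describes: VIEW on a user record is allowed only for the user themselves or for someone with an elevated role, which is why a student's lookup of an instructor's record is denied. The second part models the agreed fix: the event payload carries the instructor display names as plain strings, resolved server-side, so the calendar never needs a per-user request and the full user record (campus id, roles) is never exposed to students.

```php
<?php
// Added example, not Ilios code. All names and ids below are constructed for illustration.
declare(strict_types=1);

final class User
{
    public function __construct(
        public int $id,
        public string $displayName,
        public string $campusId,   // sensitive: must not reach a student's client
        public array $roles,       // e.g. ['ROLE_STUDENT'] or ['ROLE_INSTRUCTOR']
    ) {}
}

/** Models the rule from the issue: VIEW on another user's record requires an elevated role. */
final class UserVoter
{
    private const ELEVATED = ['ROLE_INSTRUCTOR', 'ROLE_COURSE_DIRECTOR', 'ROLE_DEVELOPER'];

    public function canView(User $requester, User $subject): bool
    {
        if ($requester->id === $subject->id) {
            return true;                       // everyone may see their own record
        }
        return array_intersect($requester->roles, self::ELEVATED) !== [];
    }
}

final class CalendarEvent
{
    /** @param int[] $instructorIds */
    public function __construct(
        public string $id,
        public string $name,
        public array $instructorIds,
    ) {}
}

/** Models the fix: resolve instructor names inside the event payload, expose nothing else. */
final class EventSerializer
{
    /** @param array<int, User> $userRepo keyed by user id (constructed stand-in for the DB) */
    public function __construct(private array $userRepo) {}

    public function serialize(CalendarEvent $event): array
    {
        $names = [];
        foreach ($event->instructorIds as $id) {
            if (isset($this->userRepo[$id])) {
                $names[] = $this->userRepo[$id]->displayName;
            }
        }
        // Only display names: no user ids to chase, no campus id, no roles.
        return ['id' => $event->id, 'name' => $event->name, 'instructors' => $names];
    }
}

function expect(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample data (not the ids from the report).
$student    = new User(1, 'Sam Student', 'S-0001', ['ROLE_STUDENT']);
$instructor = new User(2, 'Ida Instructor', 'I-0002', ['ROLE_INSTRUCTOR']);
$repo       = [1 => $student, 2 => $instructor];

$voter = new UserVoter();
// The failing path from the report: a student asking for an instructor's user record.
expect($voter->canView($student, $instructor) === false, 'student denied VIEW on instructor');
expect($voter->canView($student, $student) === true, 'student may VIEW self');
expect($voter->canView($instructor, $student) === true, 'instructor may VIEW student');

// The agreed fix: the event endpoint already contains the names the calendar needs.
$event   = new CalendarEvent('EVT-0001', 'Anatomy lab', [2]);
$payload = (new EventSerializer($repo))->serialize($event);
expect($payload['instructors'] === ['Ida Instructor'], 'instructor names embedded');
expect(!array_key_exists('campusId', $payload), 'no user record fields leak');

echo json_encode($payload), PHP_EOL;
```

Run it with `php example.php`; it prints the event JSON with `"instructors":["Ida Instructor"]` and throws if any check fails. The design point is the one the thread settles on: rather than loosening the voter (option 2) or hiding instructors (option 1), keep the object-level check on user records strict and put only the data the calendar actually needs into the resource the student is already allowed to read.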
