-
Notifications
You must be signed in to change notification settings - Fork 42
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
perms issue: students cannot see instructors in calendar event details #1169
Comments
example (from ilios-stage): logged-in user: 11233 |
options that come to mind:
option 2. would warrant further discussion, e.g. define 'instructed by'. @saschaben @jrjohnson thoughts? |
thanks for the feedback. then we'll need another API endpoint. something like 'event instructor', which takes a given user id and a given event id, and then returns a stripped down user record (sans the campus id and such). the user controller is not aware of the surrounding context that the requested user information is used in. |
@stopfstedt @jrjohnson couldn't / shouldn't we just add that attribute to userevent/schoolevent endpoints? |
That was the plan we came up with a few weeks ago. To expand the event endpoints to include faculty names as a string. Along with all of the other details we're currently making a second API request to resolve. |
and that's the answer. thanks for the reminder. will weave the instructor names in then. |
the user voter rejects any VIEW requests of user details from users that have no elevated privileges, other than to their own user info.
you have to be an instructor/course director/developer to see other user details.
see https://github.com/ilios/ilios/blob/master/src/Ilios/AuthenticationBundle/Voter/UserVoter.php#L55 for the currently implemented perms check.
The text was updated successfully, but these errors were encountered: