From 51d4a6fcf987e276e7b36d75fc1bbf40e5b4cd1a Mon Sep 17 00:00:00 2001 From: Jaimos Skriletz Date: Fri, 7 Nov 2025 19:55:53 -0700 Subject: [PATCH] Add permissions to render problems with WebworkWebservice. First, this adds the permission `webservice_render_problem` used to determine if a user can render a problem with the WebworkWebservice, instead of using the `proctor_quiz_login` permission for this. Second, this adds an additional permission `webservice_render_source` used to determine if a user can render problems using the problem provided with the request. The use case for this is to allow users which can render problems only using a problem filename, but not by providing the problem's source. These permissions are both set to `login_proctor` to match current behavior and are provided to allow server admins to change which users can render problems. These permissions are not added to the course configuration page as they are permissions that should not be modified by most users, only server admins via `localOverrides.conf` or `course.conf`. --- conf/defaults.config | 7 +++++++ lib/WebworkWebservice.pm | 2 +- lib/WebworkWebservice/RenderProblem.pm | 8 ++++++++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/conf/defaults.config b/conf/defaults.config index 2602833397..eb631e9790 100644 --- a/conf/defaults.config +++ b/conf/defaults.config @@ -780,6 +780,13 @@ $authen{admin_module} = ['WeBWorK::Authen::Basic_TheLastOption']; modify_tags => "admin", edit_restricted_files => "admin", + # Permission to render problems using the WebworkWebservice. + # Users with only webservice_render_problem can render problems with a provided filename. + # Users with both permissions can also render problems with providing the problem source. + # Note the Problem Editor requires having both permissions. + webservice_render_problem => "login_proctor", + webservice_render_source => "login_proctor", + ##### Behavior of the interactive problem processor ##### show_correct_answers_before_answer_date => "ta", show_solutions_before_answer_date => "ta", diff --git a/lib/WebworkWebservice.pm b/lib/WebworkWebservice.pm index d43e620ba0..589c3e40cf 100644 --- a/lib/WebworkWebservice.pm +++ b/lib/WebworkWebservice.pm @@ -257,7 +257,7 @@ sub command_permission { convertCodeToPGML => 'access_instructor_tools', # WebworkWebservice::RenderProblem - renderProblem => 'proctor_quiz_login', + renderProblem => 'webservice_render_problem', # WebworkWebservice::SetActions listGlobalSets => 'access_instructor_tools', diff --git a/lib/WebworkWebservice/RenderProblem.pm b/lib/WebworkWebservice/RenderProblem.pm index 00217577f3..0f30a8606c 100644 --- a/lib/WebworkWebservice/RenderProblem.pm +++ b/lib/WebworkWebservice/RenderProblem.pm @@ -26,6 +26,14 @@ async sub renderProblem { # is enabled. That is an expensive method to always call here. debug(pretty_print_rh($rh)) if $WeBWorK::Debug::Enabled; + # If the problem source is provided, check user is allow to render problem source. + if (!$ws->authz->hasPermissions($rh->{user}, 'webservice_render_source') + && ($rh->{problemSource} || $rh->{rawProblemSource} || $rh->{uriEncodedProblemSource})) + { + $ws->error_string(__PACKAGE__ . ": User $rh->{user} does not have permission to render problem source."); + return {}; + } + my $problemSeed = $rh->{problemSeed} // '1234'; my $beginTime = Benchmark->new;