Skip to content

Educators import: Mark missing_from_last_export and show project leads in permissions tools #2546

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Aug 23, 2019

Conversation

kevinrobinson
Copy link
Contributor

@kevinrobinson kevinrobinson commented Aug 23, 2019

Who is this PR for?

Project leads across districts

What problem does this PR fix?

Typically project leads or district IT staff remove educators from the authentication system (eg, LDAP), which means they are not allowed to use Student Insights at all, regardless of past permissions.

By design, the district LDAP system controls who has access regardless of any data within Student Insights. But Student Insights stores records for staff and students after they have been removed from the daily export, so that it can maintain past information (eg, who wrote a note about a student).

For educator records, this distinction isn't tracked or shown. One of the project leads asked about it for an older staff. They understandably were concerned that seeing their name meant that person still had access.

What does this PR do?

Updates the importer and educator model to track this with missing_from_last_export, similar to the StudentsImporter. It also backports a fix for an edge case that hasn't come up to the StudentsImporter.

Uses this info in permissions tools for project leads so this process is visible for them. Removes some old cruft from the administrate config.

This PR doesn't update the authentication process, but a separate one will add a defensive layer beyond the district's own authentication check that ensures the educator record was still present in the latest SIS export.

Screenshot (if adding a client-side feature)

with the full blinding beauty of adminstrate forms :)

overview

Screen Shot 2019-08-23 at 11 49 12 AM

adjust permissions list

Screen Shot 2019-08-23 at 12 04 17 PM

view

Screen Shot 2019-08-23 at 12 09 18 PM

edit

Screen Shot 2019-08-23 at 12 04 30 PM

Checklists

Which features or pages does this PR touch?

  • Educators import
  • Project lead permissions tools

Does this PR use tests to help verify we can deploy these changes quickly and confidently?

  • Included specs for changes
  • Improved specs for existing code in need of better test coverage
  • Manual testing made more sense here

interventions: Field::HasMany.with_options(searchable: false),
id: Field::Number.with_options(searchable: false),
email: Field::String.with_options(searchable: false),
encrypted_password: Field::String.with_options(searchable: false),
Copy link
Contributor Author

@kevinrobinson kevinrobinson Aug 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These seem scary but most haven't existed on the model in a long time, and none of these extra fields should have had any impact on what data was exposed to project leads in the UI anyway. Without digging into Administrate all the way, these appear to be only limiting what options are available for other config, based on how this behaved editing them here.

That being said, another audit pass on administrate would be a good security step.

@kevinrobinson
Copy link
Contributor Author

selfie

@kevinrobinson kevinrobinson merged commit edf2ca5 into master Aug 23, 2019
@kevinrobinson kevinrobinson deleted the feature/educators-missing-from-last-export branch August 23, 2019 16:23
@kevinrobinson
Copy link
Contributor Author

Done this migration, verified across districts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant