Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Educators import: Mark `missing_from_last_export` and show project leads in permissions tools #2546

Merged
merged 5 commits into from Aug 23, 2019

Conversation

@kevinrobinson
Copy link
Contributor

kevinrobinson commented Aug 23, 2019

Who is this PR for?

Project leads across districts

What problem does this PR fix?

Typically project leads or district IT staff remove educators from the authentication system (eg, LDAP), which means they are not allowed to use Student Insights at all, regardless of past permissions.

By design, the district LDAP system controls who has access regardless of any data within Student Insights. But Student Insights stores records for staff and students after they have been removed from the daily export, so that it can maintain past information (eg, who wrote a note about a student).

For educator records, this distinction isn't tracked or shown. One of the project leads asked about it for an older staff. They understandably were concerned that seeing their name meant that person still had access.

What does this PR do?

Updates the importer and educator model to track this with missing_from_last_export, similar to the StudentsImporter. It also backports a fix for an edge case that hasn't come up to the StudentsImporter.

Uses this info in permissions tools for project leads so this process is visible for them. Removes some old cruft from the administrate config.

This PR doesn't update the authentication process, but a separate one will add a defensive layer beyond the district's own authentication check that ensures the educator record was still present in the latest SIS export.

Screenshot (if adding a client-side feature)

with the full blinding beauty of adminstrate forms :)

overview

Screen Shot 2019-08-23 at 11 49 12 AM

adjust permissions list

Screen Shot 2019-08-23 at 12 04 17 PM

view

Screen Shot 2019-08-23 at 12 09 18 PM

edit

Screen Shot 2019-08-23 at 12 04 30 PM

Checklists

Which features or pages does this PR touch?

  • Educators import
  • Project lead permissions tools

Does this PR use tests to help verify we can deploy these changes quickly and confidently?

  • Included specs for changes
  • Improved specs for existing code in need of better test coverage
  • Manual testing made more sense here
interventions: Field::HasMany.with_options(searchable: false),
id: Field::Number.with_options(searchable: false),
email: Field::String.with_options(searchable: false),
encrypted_password: Field::String.with_options(searchable: false),

This comment has been minimized.

Copy link
@kevinrobinson

kevinrobinson Aug 23, 2019

Author Contributor

These seem scary but most haven't existed on the model in a long time, and none of these extra fields should have had any impact on what data was exposed to project leads in the UI anyway. Without digging into Administrate all the way, these appear to be only limiting what options are available for other config, based on how this behaved editing them here.

That being said, another audit pass on administrate would be a good security step.

@kevinrobinson

This comment has been minimized.

Copy link
Contributor Author

kevinrobinson commented Aug 23, 2019

selfie

@kevinrobinson kevinrobinson merged commit edf2ca5 into master Aug 23, 2019
1 check was pending
1 check was pending
continuous-integration/travis-ci/pr The Travis CI build is in progress
Details
@kevinrobinson kevinrobinson deleted the feature/educators-missing-from-last-export branch Aug 23, 2019
@kevinrobinson

This comment has been minimized.

Copy link
Contributor Author

kevinrobinson commented Aug 23, 2019

Done this migration, verified across districts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.