Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Authorizer: Update homeroom method to be built from student methods #2584
Who is this PR for?
students, families, educators
What problem does this PR fix?
This fixes an authorization gap between the methods answering "what homerooms can an educator access" and "what students can an educator access"? For users with access to the homeroom page, this can result in two problems. This has come up at the start of this school year for this first time.
First, the homeroom dropdown shows homerooms where they wouldn't have access to view full profiles for any students.
Second, if using the dropdown to visit other homeroom pages, those pages would show name and other information about those students, but the student authorization check would prevent access to the profile or to the student photo. This does result in authenticated educators being able to view enrollment information, and other information including disability status.
Student-level authorization rules blocked photos from loading, or from full profiles from being accessed. Monitoring on this is how we came to learn about the problem (there have been no reports from educators).
The core difference in semantics between the previous homeroom-level authorization method and student-level authorization is that the previous homeroom method would include homerooms at the same grade level in the same school as the educator's homeroom, if it was assigned. This would also result in older homerooms (with no students listed) being incorrectly included in the list.
What does this PR do?
This does not cut over the behavior in
Which features or pages does this PR touch?
Does this PR use tests to help verify we can deploy these changes quickly and confidently?