Syllabus / new dedicated permissions for allowing updates to tool

GENERAL

TESTING

GENERAL

TESTING

Description

In the Syllabus tool, the edit permissions are all tied to the site.upd permission.

Can we break out the following items to their own permission:
Add Item
Bulk Add
Bulk Edit
Redirect

Attachments

17 Mar 2016, 02:59 PM
16 Mar 2016, 07:14 AM

Linked issues

is depended on by

SAK-30713

Syllabus - error 500 on click on tab (bulk edit)

SAK-31201

Syllabus tool-student id can add/delete/hide syllabus items

Activity

Show:

Derek Ramsey March 18, 2016 at 7:31 AM

Verified on trunk master mysql
Sakai - TRUNK - Sakai a8adc2399213a3214ee13eaa7b3ae6d88c42bbc3) - Server ip-172-31-6-159

Matthew Jones March 17, 2016 at 5:07 PM
Edited

Yeah For #1 I wasn't seeing that yesterday but now I am, I'll look at that.
I'll try to test #2 better I thought I made a special "catch all" permission that would allow edit if you had any of edit/add/redirect. But only display the buttons depending on which one you had. It's not perfect (since if you had only edit you might possibly be able to add a redirect if you knew how) but that seems like a minor security risk.

To properly split it all up would be a lot more effort, since it was originally all handled by one permission.

Derek Ramsey March 17, 2016 at 9:35 AM

Test this morning on trunk mysql.

1) The buttons are still not displaying correctly(see screenshot - syllabus2)

2) Set permissions so instructor can bulk add/bulk edit/redirect. The only permission unchecked will be add. If the instructor goes into Syllabus, they have the option to bulk add. When they select that option, the follow error is displayed:
permission_error.jsp
You have no permission for this action!

Derek Ramsey March 16, 2016 at 7:13 AM
Edited

Issues found while testing on trunk(tested on oracle, mysql server was not responding) :

Even if instructor has syllabus.* permissions, if they do not have site.upd, they can not add syllabus. Log output when attempting to do so:
INFO Could not process entity: /syllabus/0 (400)[null]: IllegalArgumentException: Unable to handle input request for format json for this path (/syllabus/0.json) for prefix (syllabus) for entity (/syllabus/0), request url (/syllabus/0.json): User doesn't have access to modify this site.

Next, I added site.upd and all syllabus permissions were checked. I was successful at posting a syllabus item. I then removed all syllabus permissions in realms except syllabus.add. When trying to post an item, the following error was displayed in the UI again: An error occurred while saving. Refresh the page and try again

The log once again displayed the error from above.

This may be a morpheus issue: When removing all syllabus permissions, the expand all and print view tabs are not aligned properly. See screenshot.

Fixed

Details

Priority

Major

Assignee

Core Team

Reporter

Derek Ramsey

Labels

11permissions

Created December 15, 2015 at 7:12 AM

Updated June 21, 2016 at 10:20 AM

Resolved March 15, 2016 at 4:57 PM

Configure