Details
Priority: Critical
Affects versions:
Components:
Assignee: Unassigned
Reporter: Matthew Jones
Created May 15, 2018 at 9:50 AM
Updated August 27, 2018 at 3:14 PM
In edu-services the call to getCategoryDefinitions does a permissions check for isUserAbleToViewAssignments. Many places in gradebook call this and use a security advisor to get around it. However, all they really want is the categories that a student can view rather than the entire list.
I think the best thing is just to modify this method to return the viewable list of categories. We could add a separate method, but I think this could just be changed to return what you can return.
+ // get all the categories in the gradebook, use a security advisor in case the current user is the student + SecurityAdvisor gbAdvisor = (String userId, String function, String reference) + -> "gradebook.gradeAll".equals(function) ? SecurityAdvice.ALLOWED : SecurityAdvice.PASS; + securityService.pushAdvisor(gbAdvisor); + List<CategoryDefinition> catDefs = gradebookService.getCategoryDefinitions(getGradebook().getUid()); + securityService.popAdvisor(gbAdvisor); + + // filter out the categories that don't match the categories of the viewable assignments + return catDefs.stream().filter(def -> catIds.contains(def.getId())).collect(Collectors.toList());
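Review bot: the popAdvisor call is not in a finally block, so if getCategoryDefinitions throws, the advisor that answers ALLOWED for "gradebook.gradeAll" stays on the stack and that elevation leaks into whatever runs next in the request. Wrap the lookup as `securityService.pushAdvisor(gbAdvisor); try { catDefs = gradebookService.getCategoryDefinitions(...); } finally { securityService.popAdvisor(gbAdvisor); }`. The result is then narrowed by catIds, which is not defined in the visible lines; please confirm it is built from the assignments the current user is actually allowed to view, because that filter is the only thing keeping a student from the full category list once the advisor has bypassed the check.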
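As an added example (not the issue's patch and not Sakai project code), the same advisor-scoped lookup described above, with the advisor popped in a finally block and the result narrowed to the categories of assignments the current user may view; the Sakai package names, getViewableAssignmentsForCurrentUser and Assignment.getCategoryId are assumed from the edu-services API:

```java
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;

import org.sakaiproject.authz.api.SecurityAdvisor;
import org.sakaiproject.authz.api.SecurityAdvisor.SecurityAdvice;
import org.sakaiproject.authz.api.SecurityService;
import org.sakaiproject.service.gradebook.shared.Assignment;
import org.sakaiproject.service.gradebook.shared.CategoryDefinition;
import org.sakaiproject.service.gradebook.shared.GradebookService;

/** Added example: scoped advisor plus filtering; hypothetical helper, not project code. */
public class ViewableCategories {

    private final SecurityService securityService;
    private final GradebookService gradebookService;

    public ViewableCategories(SecurityService securityService, GradebookService gradebookService) {
        this.securityService = securityService;
        this.gradebookService = gradebookService;
    }

    /**
     * Returns only the categories attached to assignments the current user may view.
     * The advisor is popped in a finally block so the elevated "gradebook.gradeAll"
     * answer never outlives this call, even when the service throws.
     */
    public List<CategoryDefinition> getViewableCategoryDefinitions(String gradebookUid) {
        // Category ids of the assignments this user is already allowed to see (assumed API).
        Set<Long> viewableCatIds = gradebookService
                .getViewableAssignmentsForCurrentUser(gradebookUid).stream()
                .map(Assignment::getCategoryId)
                .filter(Objects::nonNull)
                .collect(Collectors.toSet());

        // Answer ALLOWED only for the one function the category lookup checks; everything else passes through.
        SecurityAdvisor gbAdvisor = (userId, function, reference) ->
                "gradebook.gradeAll".equals(function) ? SecurityAdvice.ALLOWED : SecurityAdvice.PASS;

        securityService.pushAdvisor(gbAdvisor);
        List<CategoryDefinition> allCats;
        try {
            allCats = gradebookService.getCategoryDefinitions(gradebookUid);
        } finally {
            // Always remove the advisor; otherwise the elevation leaks into the rest of the request.
            securityService.popAdvisor(gbAdvisor);
        }

        return allCats.stream()
                .filter(def -> viewableCatIds.contains(def.getId()))
                .collect(Collectors.toList());
    }
}
```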