feat(gradebook): restrict gradebook access to owners and managers#8466
Open
LWS49 wants to merge 1 commit into
Open
feat(gradebook): restrict gradebook access to owners and managers#8466LWS49 wants to merge 1 commit into
LWS49 wants to merge 1 commit into
Conversation
LWS49
force-pushed
the
lws49/feat-ext-assessments-pr4-import
branch
from
2d5ebeb to
6f62578
Compare
LWS49
force-pushed
the
lws49/feat-ext-assessments-pr5-authz
branch
from
910714d to
683bbda
Compare
… harden authz specs Tighten :read_gradebook from staff? to manager_or_owner? so only owners and managers can view the gradebook; teaching assistants, observers, and students are denied. Update the ability and controller specs to assert the new access matrix (owner/manager allowed, the rest denied). The fine-grained :grade ability is intentionally not introduced: the gradebook is coarse-gated to owners and managers, so per-action grade authorization is redundant.
LWS49
force-pushed
the
lws49/feat-ext-assessments-pr4-import
branch
from
6f62578 to
245d005
Compare
LWS49
force-pushed
the
lws49/feat-ext-assessments-pr5-authz
branch
from
683bbda to
b53fd89
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Restricts gradebook access to course owners and managers and hardens the authorization specs. The gradebook ability now grants gradebook actions (view, manage, external CRUD, import, reorder) only to owner and manager roles, and the controller and ability specs assert both the allowed and forbidden roles.
Regression prevention
Covers: the gradebook ability for owner/manager versus other roles, and gradebook and external-assessments controller authorization (the ability spec plus the controller specs). No data or schema change.