I'm continuing to work on permissions. Here's an issue I'm having.
A user logs in--recall that all users are global when logging in.
For example, if the user is an instructor in a course, then they should have permission for instructor actions in that course.
If the same user is a student in a different course, then they should only have permission for student actions in that course.
We know an action is course-related if the URL is /webwork3/api/courses/XX/.... and then we can pull the course_id and check the role the user has in that course.
However, there are some actions that are not related to courses. For example, getGlobalUser is independent of a course. We would want this to be accessed by an instructor in order to get information about adding a user to a course (and we need to check if the user exists). We could check if the user has any 'instructor' role and allow it.
Just as a reminder since this will differ from ww2, this is work on the web API for the database and really needs to be thought of separately from the UI. The UI can funnel users into the courses in which they are enrolled, however the API cannot do this. We authenticate them and then need to determine if they have permissions for each action.
Thoughts about non-course related routes/actions?
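One way to structure the two checks described above (a per-course role lookup keyed on the course_id pulled from the URL, and a "holds this role in at least one course" check for non-course routes such as getGlobalUser), written as an added illustration rather than webwork3's own code. It is Python instead of the project's Perl, and the enrollment table, route patterns and role policies are constructed placeholders; the point is that every request is denied unless a policy explicitly matches it.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample enrollment table: (username, course_id) -> role.
# Hypothetical data for this illustration, not webwork3's real schema.
ENROLLMENTS: Dict[Tuple[str, int], str] = {
    ("alice", 101): "instructor",
    ("alice", 202): "student",
    ("bob", 202): "student",
}

# Course-scoped URLs: capture the course_id and the remainder of the path.
COURSE_PREFIX = re.compile(r"^/webwork3/api/courses/(?P<course_id>\d+)(?P<rest>/.*|$)")

# Course-scoped actions (hypothetical routes): (method, pattern on the remainder, roles allowed).
COURSE_POLICY = [
    ("GET",    re.compile(r"^/users/?$"),  {"instructor"}),
    ("POST",   re.compile(r"^/users/?$"),  {"instructor"}),
    ("GET",    re.compile(r"^/sets/?$"),   {"instructor", "student"}),
    ("DELETE", re.compile(r"^/sets/\d+$"), {"instructor"}),
]

# Non-course actions (hypothetical): (method, full-path pattern, role the user
# must hold in at least one course). Mirrors the getGlobalUser case above.
GLOBAL_POLICY = [
    ("GET", re.compile(r"^/webwork3/api/users/[^/]+$"), "instructor"),
]


def course_id_from_path(path: str) -> Optional[Tuple[int, str]]:
    """Return (course_id, remainder) for a course-scoped path, else None."""
    m = COURSE_PREFIX.match(path)
    if not m:
        return None
    return int(m.group("course_id")), (m.group("rest") or "/")


def role_in_course(user: str, course_id: int) -> Optional[str]:
    """The user's role in one specific course, or None if not enrolled."""
    return ENROLLMENTS.get((user, course_id))


def has_role_in_any_course(user: str, role: str) -> bool:
    """True if the user holds `role` in at least one course."""
    return any(u == user and r == role for (u, _), r in ENROLLMENTS.items())


def is_authorized(user: str, method: str, path: str) -> bool:
    """Deny-by-default authorization for an already-authenticated user."""
    path = path.split("?", 1)[0]  # the query string never affects the policy match
    scope = course_id_from_path(path)
    if scope is not None:
        course_id, rest = scope
        role = role_in_course(user, course_id)
        if role is None:
            return False  # not enrolled here: roles in other courses do not carry over
        for m, pattern, allowed in COURSE_POLICY:
            if m == method and pattern.match(rest):
                return role in allowed
        return False  # course route with no policy entry: deny
    for m, pattern, needed in GLOBAL_POLICY:
        if m == method and pattern.match(path):
            return has_role_in_any_course(user, needed)
    return False  # unknown non-course route: deny


if __name__ == "__main__":
    print(is_authorized("alice", "GET", "/webwork3/api/courses/101/users"))  # instructor in 101
    print(is_authorized("alice", "GET", "/webwork3/api/courses/202/users"))  # only a student in 202
    print(is_authorized("alice", "GET", "/webwork3/api/users/bob"))          # instructor somewhere
    print(is_authorized("bob", "GET", "/webwork3/api/users/alice"))          # student everywhere
```

The two lookups stay separate on purpose: a role in one course never grants anything in another course, and the "any course" test is used only for routes that the policy table marks as non-course. Anything not listed in either table is refused, so adding a route without adding a policy entry fails closed rather than open.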