[Building Sakai] Problem: /direct links blocked when "hidden" them with Site Info-Page Order

[George Pipkin]

Hi Everyone:

We have been working with embedding /direct links to Assignments, Forum
Topics and Quizzes into syllabus pages. This was done using EVAP’s or
HVAP’s where appropriate (in Assignments or Forums) or nothing at all
(samigo) In v2.6.x, a tool could be “hidden” (using the tool-order
function in Site-Info) but the user could still access a particular
assignment, forum topic, or quiz. In v2.7.x for forums and assignments,
when the tool is “hidden”, attempts to access it with a /direct link
result in a redirect to !error.

The mechanics site-manage uses to “hide” a tool is the same in v2.6.x
and v2.7.x is the same. The site.upd permission is added to the list of
functions.require that is kept in a placement property. Roles that do
not have this permission (i.e. students) cannot access the particular
page upon which the placement is made.

The thing that is puzzling me is why this did not interfere with /direct
links in v2w.6.x and it does in v2.7.x. Is this one of the security
holes that v2.7.x is intended to address? I was wonder if somebody
could point out to me where in the kernel code the placement property is
checked and the redirect to !error happens.

This issue impacts a critical instructional use case we have been
developing here at U.Va., and I’d like to see if there’s any way we
could modify the new business rule so /direct links still work when a
page has been “hidden”.


- George Pipkin U.Va.