[Building Sakai] Gradebook Permissions

Mark J. Norton markjnorton at earthlink.net
Tue Aug 28 11:42:10 PDT 2012 

I am attempting to get currently assigned grades for a particular user 
in a given course.  The user is logged into Sakai, with an active 
session.  In my application, I attempt to get a list of graded 
assignments using GradebookService.getAssignments(courseId). This throws 
a permission exception for a student user, though succeeds for an 
instructor or admin.

However, in this code, I also check to see if the current user has 
permissions to see their grades using 
GradebookService.currentUserHasViewOwnGradesPerm(courseId).  Since I set 
up this course, this returns true.  The false case is handled, also.  If 
I hard wire the parameters, GradebookService. 
getAssignmentScoreString(courseId, 2L, studentId), the assigned grade is 
returned without error.

Ideally, I'd like to iterate over the gradable assignments in this 
gradebook, but getAssignments() fails.  Perhaps there is a another 
permission that needs to be configured for this course to enable me to 
get the assignments?  Perhaps I need to add a SecurityAdvisor to over 
ride?  It seems odd to me that the user can see her grades, but not get 
a list of the gradeable assignments.

I only see four functions in the Realms tool for Students in the course 
I'm using to test:

  * gradebook.editAssignments (unchecked)
  * gradebook.gradeAll (unchecked)
  * gradebook.gradeSection (unchecked)
  * gradebook.viewOwnGrades (checked)

these all seem to be reasonable values for a Student.  Perhaps a 
function is missing?

The class mentioned in the stack trace is 
org.sakaiproject.component.gradebook.GradebookServiceHibernateImpl. If I 
look at getAssignments(), I see:

		if (!isUserAbleToViewAssignments(gradebookUid)) {
			log.warn("AUTHORIZATION FAILURE: User " + getUserUid() + " in gradebook " + gradebookUid + " attempted to get assignments list");
			throw new SecurityException("You do not have permission to perform this operation");
		}


Looking at isUserAbletoVeiwAssignments() we see checks for 
authz.isUserAbleToEditAssessments(gradebookUid) || 
authz.isUserAbleToGrade(gradebookUid).  So in order to see the list of 
assignments, the user must have grading permissions.  This sounds like I 
need a SecurityAdvisor override.

Before I do that, is there anything I'm missing or should be aware of?

- Mark Norton




-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/sakai-dev/attachments/20120828/3f2933aa/attachment.html

More information about the sakai-dev mailing list