[Building Sakai] Gradebook Permissions

Wagner, Michelle R. wagnermr at iupui.edu
Tue Aug 28 13:27:24 PDT 2012


The reason for the SecurityException is that there may be gradebook items that the student is not allowed to view because they have not been released.  getAssignments just returns them all.  Have you looked at GradebookService.getViewableAssignmentsForCurrentUser?  That method takes into consideration more specific situations (i.e., grader permissions, released/unreleased gradebook items, etc.).

Michelle
________________________________
From: sakai-dev-bounces at collab.sakaiproject.org [sakai-dev-bounces at collab.sakaiproject.org] on behalf of Mark J. Norton [markjnorton at earthlink.net]
Sent: Tuesday, August 28, 2012 2:42 PM
To: Sakai-dev at collab.sakaiproject.org
Subject: [Building Sakai] Gradebook Permissions

I am attempting to get currently assigned grades for a particular user in a given course.  The user is logged into Sakai, with an active session.  In my application, I attempt to get a list of graded assignments using GradebookService.getAssignments(courseId).  This throws a permission exception for a student user, though succeeds for an instructor or admin.

However, in this code, I also check to see if the current user has permissions to see their grades using GradebookService.currentUserHasViewOwnGradesPerm(courseId).  Since I set up this course, this returns true.  The false case is handled, also.  If I hard-wire the parameters, GradebookService.getAssignmentScoreString(courseId, 2L, studentId), the assigned grade is returned without error.

Ideally, I'd like to iterate over the gradable assignments in this gradebook, but getAssignments() fails.  Perhaps there is another permission that needs to be configured for this course to enable me to get the assignments?  Perhaps I need to add a SecurityAdvisor to override?  It seems odd to me that the user can see her grades, but not get a list of the gradeable assignments.

I only see four functions in the Realms tool for Students in the course I'm using to test:

  *   gradebook.editAssignments (unchecked)
  *   gradebook.gradeAll (unchecked)
  *   gradebook.gradeSection (unchecked)
  *   gradebook.viewOwnGrades (checked)

These all seem to be reasonable values for a Student.  Perhaps a function is missing?

The class mentioned in the stack trace is org.sakaiproject.component.gradebook.GradebookServiceHibernateImpl.  If I look at getAssignments(), I see:


    if (!isUserAbleToViewAssignments(gradebookUid)) {
        log.warn("AUTHORIZATION FAILURE: User " + getUserUid() + " in gradebook " + gradebookUid + " attempted to get assignments list");
        throw new SecurityException("You do not have permission to perform this operation");
    }


Looking at isUserAbleToViewAssignments() we see checks for authz.isUserAbleToEditAssessments(gradebookUid) || authz.isUserAbleToGrade(gradebookUid).  So in order to see the list of assignments, the user must have grading permissions.  This sounds like I need a SecurityAdvisor override.

Before I do that, is there anything I'm missing or should be aware of?

- Mark Norton
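
The difference between the all-or-nothing check quoted above and the per-item filtering described in the reply, as an added example that is not part of this thread and is not Sakai code. It is a self-contained Java model: the class, records and method bodies are hypothetical, the items are constructed, and the rule that a student sees only released items is an assumption drawn from the reply.

```java
import java.util.List;
import java.util.stream.Collectors;

// Simplified stand-in for a gradebook; not Sakai code. All names are hypothetical.
public class GradebookViewDemo {
    record Item(long id, String name, boolean released) {}
    record User(String id, boolean canEdit, boolean canGrade, boolean viewOwnGrades) {}

    // Constructed sample data: item 3 has not been released to students.
    static final List<Item> ITEMS = List.of(
        new Item(1, "Quiz 1", true),
        new Item(2, "Essay", true),
        new Item(3, "Final (draft)", false));

    // All-or-nothing gate, modelled on the quoted check: only editors or
    // graders pass, and a caller who passes receives every item.
    static List<Item> getAssignments(User u) {
        if (!(u.canEdit() || u.canGrade())) {
            throw new SecurityException("You do not have permission to perform this operation");
        }
        return ITEMS;
    }

    // Per-item filtering (assumed behaviour of a "viewable for current user" call):
    // graders see everything, students with viewOwnGrades see released items only.
    static List<Item> getViewableAssignments(User u) {
        if (u.canEdit() || u.canGrade()) return ITEMS;
        if (!u.viewOwnGrades()) return List.of();
        return ITEMS.stream().filter(Item::released).collect(Collectors.toList());
    }

    // What the unfiltered call returns once its gate is overridden for any caller.
    static List<Item> getAssignmentsWithOverride(User u) {
        return ITEMS; // permission check skipped, so unreleased items are included
    }

    public static void main(String[] args) {
        User student = new User("student1", false, false, true);
        try {
            getAssignments(student);
        } catch (SecurityException e) {
            System.out.println("getAssignments: " + e.getMessage());
        }
        System.out.println("viewable: " + getViewableAssignments(student));
        System.out.println("override: " + getAssignmentsWithOverride(student));
    }
}
```

In this model the override path hands the student the unreleased item, which is the exposure the coarse check prevents; code that does override the gate has to apply the release filter itself before showing anything to the user.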



