[Building Sakai] Resources read permission & uploading attachments

Beth Kirschner bkirschn at umich.edu
Fri Nov 9 12:19:01 PST 2012 

It's definitely security by obscurity - I agree. I don't think I'd want to call it a bug, though. Hiding the tool should just affect the tool. Deeper permissions on accessing content is a whole different hair-ball :-)

- Beth

On Nov 9, 2012, at 2:37 PM, Bryan Holladay wrote:

> That's why I said the warning should tell the user to do.  The only issue is that when you lock & hide the Resources tool. a student will still have access to the files as long as they have the URL.  Obviously they are very obscure, but still accessible.  Maybe this is a bug in the resources tool?  (I just verified this is the case in nightly2.sakaiproject.org:8082)
> 
> -Bryan
> 
> 
> On Fri, Nov 9, 2012 at 1:37 PM, Beth Kirschner <bkirschn at umich.edu> wrote:
> What about just making the Resources tool hidden to students using the PageOrder tool?
> 
> - Beth
> 
> On Nov 9, 2012, at 12:19 PM, Adam Marshall wrote:
> 
> > I agree that would help but would not allow people to actually remove read access and still have their site function correctly. It would improve the situation but not fix it.
> >
> > adam
> >
> > From: Bryan Holladay [mailto:holladay at longsight.com]
> > Sent: 09 November 2012 17:09
> > To: Adam Marshall
> > Cc: Sakai Development (sakai-dev at collab.sakaiproject.org)
> > Subject: Re: [Building Sakai] Resources read permission & uploading attachments
> >
> > I agree that this is confusing for Site owners.  We run into this issue every once in a while (not always forums).  Instead of adding 3 new permissions, a simpler fix would be to put up a warning on the main page of the resources tool that checks to see if the read permission is removed for students.  If so, the warn the instructor that other tool depend on this for the attachments feature to work and to suggest to the Instructor to go to Site Info -> Tool Order and hide the Resources tool instead.
> >
> > -Bryan
> >
> >
> > On Fri, Nov 9, 2012 at 11:37 AM, Adam Marshall <adam.marshall at it.ox.ac.uk> wrote:
> > We're had a bit of trouble here recently with the Forums tool. This is what happened
> >
> >       1/ Site owner wanted to close off access to the Resources tool to students so they removed the "Read Resources" permission from students
> >
> >       2/ Students then tried to upload an attachment in the Forums tool, they see an error page.
> >
> > Now since we all have insider knowledge that attachments are stored in Resources in a sort of non-visible folder so we all know why the students saw an error. The site owner was totally mystified with good reason.
> >
> > Indeed, why should removing read access to files in resources stop students being able to upload (and view) attachments?
> >
> > Wouldn't it be better to have 3 more permissions in Resource:
> >
> >    attachments.read
> >    attachments.new
> >    attachments.edit
> >
> > these should control attachments NOT the 'content.*' permissions.
> >
> > Goo? Bad? Or ugly?
> >
> > Adam
> >
> > --
> > Dr A C Marshall, WebLearn Service Manager, IT Services, University of Oxford.
> >
> >
> >
> > _______________________________________________
> > sakai-dev mailing list
> > sakai-dev at collab.sakaiproject.org
> > http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
> >
> > TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
> >
> > _______________________________________________
> > sakai-dev mailing list
> > sakai-dev at collab.sakaiproject.org
> > http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
> >
> > TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
> 
>

More information about the sakai-dev mailing list