[Building Sakai] Setting a resource's permissions

Matthew Jones matthew at longsight.com
Wed Sep 5 08:18:24 PDT 2012 

I believe what the code would have to do is switch the user to a user the
does have access, push through a security advisor, access the content, then
pop it off. This requires more work and opens up the possibility of a
security issue but it's what other tools do to get around similar issues.
It's either this or obscurity I guess. There's no way for the *system* to
have access that the user context doesn't.

As far as your other point, all it does is generates PDF's with the forms
filled out. I can't see any way the student couldn't just save the PDF to
their desktop and share the certificate if they did feel like doing that.
Or even taking a screen shot if somehow the certificates weren't savable
and recreating the certificate. Anything that can be seen can be
reproduced, and digital objects more easily than others. You'd have to
apply some type of digital certificate but that would only apply to the
actual digital document.

That's why something like the Mozilla badges will probably have more
"value" than a certificate like this because it's something that can be
verified against multiple sources of achievement similar to how a degree
can be verified by contacting the university. The paper alone isn't proof
of anything. ;)

On Wed, Sep 5, 2012 at 10:47 AM, Brian Baillargeon <bbailla2 at uwo.ca> wrote:

>  So, just to clarify - is there a way for students to be denied access to
> the pdf templates, while maintaining the ability to trigger the
> certification tool to read the pdf for them? Also, something that's been at
> the back of my mind is preventing students from seeing eachother's awarded
> certificates. We may not need this latter functionality, but I suspect we
> will.
>
>
> On 12-09-05 10:31 AM, Matthew Jones wrote:
>
> Well the problem is for the certificate tool, the students need permission
> to access the certificate templates because they need these templates to
> generate their actual certificate. The tool or services needs to be able to
> access the file in the context of the student to generate the filled in
> template. The tool could potentially override this with a local
> SecurityAdvisor but then you're getting into a lot more code and a
> potential security problem.
>
>  The students won't ever see this internal URL though and won't be able
> to browse the actual file names, so the chances of them guessing it should
> be about the same as a brute force password attack.
>
> On Wed, Sep 5, 2012 at 10:30 AM, Diego del Blanco Orobitg <
> diego.delblanco at samoo.es> wrote:
>
>> Hidden is the word, but really they don't have permissions to access in
>> any
>> way neither knowing the url, because they need the "View hidden resources"
>> permission that is checked when accessing to a resource that is hidden.
>>
>> So finally all depends on the permissions security system. It's almost the
>> same than change their read or write permission for that folder.
>>
>> Diego
>>
>>
>> -----Mensaje original-----
>> De: Brian Baillargeon [mailto:bbailla2 at uwo.ca]
>> Enviado el: miércoles, 05 de septiembre de 2012 16:16
>> Para: Diego del Blanco Orobitg
>> CC: sakai-dev at collab.sakaiproject.org
>> Asunto: Re: [Building Sakai] Setting a resource's permissions
>>
>> Yes, it seems this is the way to go. I'm a little concerned about security
>> by obscurity, but I'll discuss it with my team
>>
>> On 12-09-05 07:24 AM, Diego del Blanco Orobitg wrote:
>> > There is the hide option for any folder or file in resources.
>> >
>> > Maybe instead try  to change permissions, you can use "public void
>> > setAvailability(boolean hidden, Time releaseDate, Time retractDate)"
>> > from the ContentHostingService to edit a collection and hide a folder
>> > to the users without the permission of "view hidden resources".
>> > Students usually have this permission disabled by default and
>> instructors
>> have it enabled.
>> >
>> > Saludos!
>> >
>> >
>> > Diego del Blanco Orobitg
>> > Director de operaciones
>> > diego.delblanco at samoo.es
>> > Tlf Oficina: 673 80 32 69
>> > Tlf Móvil: 653 683 489
>> > www.samoo.es
>> >
>> > -----Mensaje original-----
>> > De: sakai-dev-bounces at collab.sakaiproject.org
>> > [mailto:sakai-dev-bounces at collab.sakaiproject.org] En nombre de Brian
>> > Baillargeon Enviado el: martes, 04 de septiembre de 2012 20:33
>> > Para: sakai-dev at collab.sakaiproject.org
>> > Asunto: [Building Sakai] Setting a resource's permissions
>> >
>> > Hi all,
>> >
>> > I'm working on a fork of the certification tool. I want the tool to
>> > save PDFs somewhere in the site's resources rather than
>> root/certification/...
>> > However, I don't want students to have any permissions to view/modify
>> > the template PDFs, so I want to disable all of the resource
>> > permissions (such as Create resources, Read resources...) on the
>> > related directories for roles who don't have certificate.admin
>> permissions.
>> >
>> > So for example, if we had
>> > root/certification/templates/<siteId>/<certificateDefinitionId>/myPdf.
>>  > pdf In my implementation it should be somewhere like
>> > <siteCollection>/certification/templates/<certificateDefinitionId>/myP
>> > df.pdf and the <siteCollection>/certification/templates/ folder's
>>  > permissions would all be enabled for Instructor and disabled for
>> > Student
>> >
>> > I've been poking around ContentHostingService, and I see ways to check
>> > for permissions but nothing to set them. I also poked around in
>> > AuthzGroupService, but didn't see how to use it with ContentResources.
>> > Does anybody know a way to set permissions on a ContentCollection?
>> >
>> > Thanks,
>> > Brian
>> > _______________________________________________
>> > sakai-dev mailing list
>> > sakai-dev at collab.sakaiproject.org
>> > http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>> >
>> > TO UNSUBSCRIBE: send email to
>> > sakai-dev-unsubscribe at collab.sakaiproject.org
>> > with a subject of "unsubscribe"
>> >
>>
>> _______________________________________________
>> sakai-dev mailing list
>> sakai-dev at collab.sakaiproject.org
>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>>
>> TO UNSUBSCRIBE: send email to
>> sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
>> "unsubscribe"
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/sakai-dev/attachments/20120905/dd4a0343/attachment.html

More information about the sakai-dev mailing list