Permissions
Students are users that are enrolled in a course. Students create submissions, each of which is for a particular assignment, which is part of a course. Students have access to their submissions.
Staff are users that staff a course. Staff have full access to all submissions in their courses.
Admins are users that have full access to all content.
Users also have submissions that have been shared with them (e.g., partners, deputies). Deputies for a particular assignment in a particular course offering are students that are authorized to receive shared submissions.
It is possible for a user to be:
- enrolled in multiple course offerings (including different offerings of the same course),
- staff for multiple course offerings,
- enrolled as a student in one course and a staff member in another course.
The lists below are permissions granted to classes of users (all users, students, staff, admins). Any permission not explicitly granted below should not be allowed in the system.
Permission to Read includes indexing records and viewing the details of records.
- Users can see all of their submissions.
- Users can see all of the submissions that have been shared with them.
- Staff can see all submissions for a course that they staff.
- Admins can see all submissions.
- Students can create submissions, and they are always the creators of those submissions.
- Submissions cannot be edited or deleted through an API.
- The assignments for a course can be read publicly without authentication.
- Staff can create assignments, either from scratch or by duplicating an existing assignment and giving it a new name.
- Staff can update or delete assignments only if there are no submissions. (What happens if a student submits an assignment, but the staff realizes after the fact that there is a bug in the assignment?)
- Courses can be viewed publicly without authentication.
- Admins can create/delete courses.
- Staff can update the contents of a course.
- Users can see themselves.
- Staff can see the enrolled students for their courses.
- Admins can see all users.
- Logging into the system for the first time creates a user.
- Admins can create users.

| Model | GET/INDEX | POST | PUT (update) | DELETE |
| --- | --- | --- | --- | --- |
| Submissions | Students (GET own, INDEX shared), Staff (INDEX course), Admin (INDEX all) | Students (they are creators) | N/A | N/A |
| Assignments | Students, Staff, Admin | Staff (from scratch or duplicate+new name) | Staff (if no submissions) | Staff (if no submissions) |
| Courses | Public (without auth) | Admin | Staff (content of course) | Admin |
| Users | Students (GET), Staff (INDEX course), Admin (INDEX all) | Students (logging in for first time), Admin | Students can update profile? | N/A (but what about students that drop?) |
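
One way to encode the rules above as a deny-by-default check, covering submissions, assignments and courses. This is an added example, not the project's own code: the `User` class, the dict shapes, the `RULES` table and `can()` are hypothetical names, and it assumes the strict reading in which admins get only the permissions the lists grant them explicitly.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    id: int
    admin: bool = False
    staffs: set = field(default_factory=set)    # ids of courses this user staffs
    enrolled: set = field(default_factory=set)  # ids of courses this user is enrolled in

def _staff(u, course):
    return u is not None and course in u.staffs

def _sub_read(u, s):
    if u is None:
        return False
    return (u.admin or s["course"] in u.staffs
            or u.id == s["creator"] or u.id in s["shared_with"])

def _sub_create(u, s):
    # Students create submissions and are always their creators.
    return u is not None and s["course"] in u.enrolled and s["creator"] == u.id

def _assign_change(u, a):
    # Staff may update or delete only while no submissions exist.
    return _staff(u, a["course"]) and a["submissions"] == 0

# (model, action) -> rule(user, obj); user is None when unauthenticated.
RULES = {
    ("submission", "get"): _sub_read,
    ("submission", "post"): _sub_create,
    ("assignment", "get"): lambda u, a: True,   # public, no authentication
    ("assignment", "post"): lambda u, a: _staff(u, a["course"]),
    ("assignment", "put"): _assign_change,
    ("assignment", "delete"): _assign_change,
    ("course", "get"): lambda u, c: True,       # public, no authentication
    ("course", "post"): lambda u, c: u is not None and u.admin,
    ("course", "put"): lambda u, c: _staff(u, c["id"]),
    ("course", "delete"): lambda u, c: u is not None and u.admin,
}

def can(user, action, model, obj):
    """Deny by default: anything without a rule (e.g. submission put) is refused."""
    rule = RULES.get((model, action))
    return rule is not None and bool(rule(user, obj))

# Constructed sample data: a student in one course who staffs another.
alice = User(1, enrolled={"cs61a"}, staffs={"cs10"})
sub = {"course": "cs61a", "creator": 1, "shared_with": {2}}
```

Because roles are checked per course, `alice` can change assignments in the course she staffs but has no staff rights in the course where she is enrolled.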