
fix: cohorts api permissions

Open dyudyunov opened this issue 1 year ago • 4 comments

Description

We've discovered a bug while using the Gradebook MFE: users with course staff/instructor roles can create and manage cohorts in the course's Instructor tab, BUT they can't use the cohorts filter, and the API request returns 403.

The issue isn't reproducible for users with the Global Staff role, nor for users with Forum Moderator roles assigned.

Decision

Considering that the course staff/instructor has most of the permissions for course data manipulation, I decided to:

  • Fix lack of the permissions for course staff/instructor roles.
  • Allow course staff/admin users to use cohorts API.

Steps To Reproduce

  • create a course
  • assign any user without Global Staff or Superuser permissions a course staff or course instructor (aka course admin) role
  • navigate to the course's Instructor tab > cohorts > enable and create any number of cohorts for the course. You can use either a Global Staff or a course staff user.
  • switch to the course staff/instructor user
  • navigate to the course's Instructor tab > Student Admin > click View Gradebook
  • inspect the browser console and try to use the Cohorts filter

Expected Result

Course Staff/Instructor users can use the Cohorts filter on the Gradebook MFE and there is no 403 error for the .../cohorts/ API call in the browser console.

Notes

  • The Discussions MFE behavior was not affected. Interestingly, only those users who have the Forum Moderator roles assigned can create discussion posts separated by cohorts. Even the Global Staff has no such option! Anyway, it is out of scope and I left it as it is.

dyudyunov avatar Mar 20 '24 13:03 dyudyunov
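To make the permission gap in the description concrete, here is an added, self-contained model of the cohorts-API access check in plain Python. It is not edx-platform code: the `User` dataclass, the role names (`staff`, `instructor`, `forum_moderator`) and the two check functions are hypothetical stand-ins for edx-platform's own access helpers, which are not reproduced here. `cohorts_allowed_before` models the behaviour the PR reports (course staff/instructor get 403), `cohorts_allowed_after` models the decision taken in the PR (course staff/instructor are accepted, learners still denied).

```python
"""Model of the cohorts-API permission check described in the PR.

Added illustration, not edx-platform code. The User type, role names and
check functions below are hypothetical; edx-platform uses its own access
helpers, which are deliberately not reproduced here.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    # "Global Staff" in Open edX terms: platform-wide staff flag.
    is_staff: bool = False
    # course_id -> set of per-course role names (constructed sample model)
    course_roles: dict = field(default_factory=dict)


def _course_roles(user: User, course_id: str) -> set:
    """Roles the user holds in one specific course (empty set if none)."""
    return user.course_roles.get(course_id, set())


def cohorts_allowed_before(user: User, course_id: str) -> bool:
    """Pre-fix behaviour as reported in the PR: only Global Staff and
    Forum Moderators pass; course staff/instructor are rejected."""
    return user.is_staff or "forum_moderator" in _course_roles(user, course_id)


def cohorts_allowed_after(user: User, course_id: str) -> bool:
    """Post-fix behaviour per the PR decision: course staff and instructor
    (course admin) are accepted alongside Global Staff and Forum Moderators.
    Plain learners are still denied, so the fix does not over-grant."""
    accepted = {"forum_moderator", "staff", "instructor"}
    return user.is_staff or bool(accepted & _course_roles(user, course_id))


def cohorts_endpoint(user: User, course_id: str, check=cohorts_allowed_after) -> int:
    """Status code the modelled .../cohorts/ view would answer with."""
    return 200 if check(user, course_id) else 403


def demo() -> dict:
    """Run the four user kinds from the PR through both checks.

    Returns {username: (status_before, status_after)} so the difference
    introduced by the fix is visible per role.
    """
    course = "course-v1:Demo+Cohorts+2024"   # constructed sample course id
    users = [
        User("global_staff", is_staff=True),
        User("forum_mod", course_roles={course: {"forum_moderator"}}),
        User("course_staff", course_roles={course: {"staff"}}),
        User("course_instructor", course_roles={course: {"instructor"}}),
        User("learner"),
    ]
    return {
        u.username: (
            cohorts_endpoint(u, course, cohorts_allowed_before),
            cohorts_endpoint(u, course, cohorts_allowed_after),
        )
        for u in users
    }


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name:18s} before={before} after={after}")
```

The point to check when reviewing a change like this is the last row: widening a permission check should be verified both ways, that the previously rejected roles now pass and that roles outside the intended set (here, an ordinary learner) still receive 403.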

Thanks for the pull request, @dyudyunov! Please note that it may take us up to several weeks or months to complete a review and merge your PR.

Feel free to add as much of the following information to the ticket as you can:

  • supporting documentation
  • Open edX discussion forum threads
  • timeline information ("this must be merged by XX date", and why that is)
  • partner information ("this is a course on edx.org")
  • any other information that can help Product understand the context for the PR

All technical communication about the code itself will be done via the GitHub pull request interface. As a reminder, our process documentation is here.

Please let us know once your PR is ready for our review and all tests are green.

openedx-webhooks avatar Mar 20 '24 13:03 openedx-webhooks

@mphilbrick211 Hi

This one is ready for review 🙂

dyudyunov avatar Apr 01 '24 12:04 dyudyunov

Thanks, @dyudyunov! I'm looking into getting a reviewer for this (and the backport).

mphilbrick211 avatar Apr 02 '24 18:04 mphilbrick211

@mphilbrick211 hi

It would be great to have this one reviewed so we could merge it along with the backport to Quince and include the fix in quince.3 release

dyudyunov avatar Apr 08 '24 11:04 dyudyunov