Permissions granted cannot seem to be revokable
Two types of permissions can be set via the Morpho interface:
a) Under Documentation -> Access information
This option allows a user to grant access to the assessment items.
So, this would enable a user to view assessment items on the
b) Under Data -> Edit data access
This option is used to grant permission to download student
score and response data.
Test case 1: Permission granted to a single user to view assessment items only
- The user could successfully view the assessment items on the
website. Further, the user could also download the student data,
which should not have been the case.
Test case 2: Permission revoked by explicitly choosing the user's name
from the drop down list and opting to "deny" access
- The user was still able to view as well as download assessment
Test case 3: Permission granted to a group (FIRST group)
- All the authorized members of FIRST group were able to access
- Similar to Test case 2, revoking the access does not seem to
affect the user's ability to view and download assessment!
Test case 4: Public and private access seems appropriately functional
- Once public access is granted for an assessment, it remains
that way even if we explicitly change the access rights to private.
PS: The above trials were run on "Permission Test 1"
#1 Updated by ben leinfelder over 11 years ago
I see that we were using a more "generous" permissions mode in metacat where we process all of the "deny" rules first before processing the "allow" rules. I've switched all the permission records in the fred database to use the more strict "allowFirst" method so that deny rules should be upheld.
I've also changed this in the Morpho client code so that changes to access rights made in the future will use the "allowFirst" mode. But this means cutting another Morpho installer from the latest source.
Depending on the last permission you set on "Permission Test 1" you may or may not be able to check if you actually revoked permission.
If you'd like, I can clear all permissions that have been set on all documents and we can start from scratch. Only the owner (original person who uploaded the assessment) will be able to read/write/set permissions at that point but it gives you a clean slate for testing permission granting once the new Morpho is built.
Please let me know how you'd like to proceed.
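The difference between the two rule-processing modes described in the comment above, as an added sketch that is not Metacat or Morpho code. It assumes the "generous" mode is named `denyFirst`, that allow and deny rules on a document coexist rather than replace each other, and it uses constructed principals (`alice`, `bob`); only `allowFirst` and the FIRST group come from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    kind: str               # "allow" or "deny"
    principal: str          # user name, group name, or "public"
    permissions: frozenset  # e.g. frozenset({"read"})


def effective(rules, order, user, groups=()):
    """Return the permissions `user` ends up with under a processing order.

    allowFirst: allow rules are applied, then deny rules subtract (deny wins).
    denyFirst:  deny rules are applied, then allow rules add back (allow wins).
    """
    if order not in ("allowFirst", "denyFirst"):
        raise ValueError(f"unknown order: {order!r}")
    who = {user, "public", *groups}
    matching = [r for r in rules if r.principal in who]
    allowed = frozenset().union(
        *(r.permissions for r in matching if r.kind == "allow"))
    denied = frozenset().union(
        *(r.permissions for r in matching if r.kind == "deny"))
    if order == "allowFirst":
        return allowed - denied
    # denyFirst: every matching allow re-grants whatever a deny removed,
    # so a deny rule can never revoke a permission that is also allowed.
    return allowed


# Constructed rule set modelled on Test case 3: the group is granted read
# access, then one member is explicitly denied.
RULES = [
    Rule("allow", "FIRST", frozenset({"read"})),
    Rule("deny", "alice", frozenset({"read"})),
]

if __name__ == "__main__":
    for order in ("denyFirst", "allowFirst"):
        for user in ("alice", "bob"):
            perms = sorted(effective(RULES, order, user, groups=["FIRST"]))
            print(f"{order:10} {user:5} -> {perms}")
```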
#3 Updated by ben leinfelder over 11 years ago
We're still running a few tests on the Metacat side of things.
I feel good about the Morpho side - enough so that I think you could build another installer and try a few operations out. I have not cleared the access rules yet. But that is a very quick operation (and getting them back is not).