canvas-lms/spec/apis
Jackson Howe 6a0869a22a Use granular permissions in selective release
Gate the learning object dates api according to new permissions, and
only render the assign to buttons & UI if the appropriate permissions
are present. This commit works by adding a policy called
:manage_assign_to to each learning object model which checks the
appropriate course permissions/conditions. Then in various parts
throughout the UI, we can simply call `object.grants_right?(user,
:manage_assign_to)` anywhere where we're checking the ability to edit
an existing learning object's assign to settings.

To change a module's assign to settings, require the "Course content -
edit" permission.

For existing learning objects, changing assign to settings requires the
following permissions:
- assignments -> "Manage Assignments and Quizzes - edit"
- quizzes -> "Manage Assignments and Quizzes - edit"
- graded discussions -> "Discussions - moderate" and "Manage Assignments
  and Quizzes - edit"
- ungraded discussions -> "Discussions - moderate" and either a course
  admin enrollment or an enrollment that's not section restricted
- pages -> "Pages - update"

For new learning objects, we require the following permissions on the
object's create page:
- assignments -> "Manage Assignments and Quizzes - add"
- quizzes -> "Manage Assignments and Quizzes - add"
- graded discussions -> "Discussions - create" and "Manage Assignments
  and Quizzes - add"
- ungraded discussions -> "Discussions - create" and either a course
  admin enrollment or an enrollment that's not section restricted
- pages -> "Pages - update"

The "Discussions - moderate" permission can be granted to students, so
if the user does not have an admin enrollment in the course, we verify
that the student's enrollment is not section-restricted before allowing
them to edit a discussion's assign to settings. Thus, students with
"Discussions - moderate" permissions and a section-restricted
enrollment cannot use the assign to tray and can no longer
differentiate a discussion by section.

closes LX-1694
flag = differentiated_modules
[fsc-max-nodes=20]
[fsc-timeout=40]

Test plan:
Visit each of the following locations as a teacher and verify that you
can access the "Assign To" UI. Then disable the associated permission
for the teacher and verify that you can no longer access the "Assign
To" UI. Note that you may need to clear your cache and restart Canvas
after toggling permissions.
 - assignments (show, index, edit, create, module items) - note that
   the index can show quiz and graded discussion items, and these
   items' assign to buttons should be gated by their respective
   permissions
 - quizzes (show, index, edit, create, module items)
 - graded discussions (show, index, edit, create, module items)
 - ungraded discussions (show, index, edit, create, module items) -
   test this as a student as well
 - pages (show, index, edit, create, module items)
 - modules (index) - both the menu option and "View Assign To"
   button should be gated

Change-Id: I19bdb24c16a4bc77b993a55be4d9536904c6441f
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/348755
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Robin Kuss <rkuss@instructure.com>
QA-Review: Robin Kuss <rkuss@instructure.com>
Product-Review: Jackson Howe <jackson.howe@instructure.com>
2024-06-04 17:08:18 +00:00
html RuboCop: Style/StringLiterals, Style/StringLiteralsInInterpolation 2021-11-25 14:03:06 +00:00
lti rails 7.1: spec/apis 2024-02-26 18:18:53 +00:00
swagger Rubocop for ruby 3.1 2023-06-06 16:44:26 +00:00
v1 Use granular permissions in selective release 2024-06-04 17:08:18 +00:00
api_spec_helper.rb Rubocop for ruby 3.1 2023-06-06 16:44:26 +00:00
auth_spec.rb Allow User to Add Their Name Pronunciation to Profile 2024-05-30 18:12:16 +00:00
error_handling_spec.rb RuboCop: Style/StringLiterals, Style/StringLiteralsInInterpolation 2021-11-25 14:03:06 +00:00
file_uploads_spec_helper.rb Remove verifiers from course files preview 2023-08-31 16:06:37 +00:00
general_api_spec.rb rubocop: Lint/SendWithMixinArgument 2023-06-09 16:04:56 +00:00
locked_examples.rb Add availability columns to pages/discussions/files 2023-12-20 03:21:35 +00:00
user_content_spec.rb Change content translations in lib/user_content 2023-11-22 16:40:12 +00:00