Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make hidden courses accessible through LTI #1240

Closed
PasiSa opened this issue Aug 30, 2023 · 3 comments · Fixed by #1290
Closed

Make hidden courses accessible through LTI #1240

PasiSa opened this issue Aug 30, 2023 · 3 comments · Fixed by #1290
Assignees
@PasiSa
Labels
area: LTI LTI protocol (Learning Tools Interoperability, worldwide standard) effort: hours Estimated to take less than one day, from the creation of a new branch to the merging requester: CS The issue is raised internally by a CS teacher type: feature New feature or change to a feature
Milestone
v1.20.X patches i...

Comments

@PasiSa
Copy link
Contributor

PasiSa commented Aug 30, 2023
edited
Loading

Sometimes, when A+ content is intended to be accessed only through external LTI 1.3 platform, it is not desirable to let students access it through A+ front page, nor enroll to it from A+, for example to avoid confusion in transferring points to LTI platform. The most straightforward way to do this is to hide the course in A+ settings, but override the hidden property when content is accessed through LTI.
@PasiSa PasiSa self-assigned this Aug 30, 2023
@PasiSa PasiSa added type: feature New feature or change to a feature area: LTI LTI protocol (Learning Tools Interoperability, worldwide standard) effort: hours Estimated to take less than one day, from the creation of a new branch to the merging requester: CS The issue is raised internally by a CS teacher labels Aug 30, 2023
PasiSa added a commit to PasiSa/a-plus that referenced this issue Sep 27, 2023
@PasiSa
Make hidden courses accessible with LTI
f7c9048 
When an A+ course is intended to be accessed as LTI tool from another
learning platform, teacher may wish to prevent direct access from
the regular A+ front page, for example to avoid possible confusion in
grade management  between the two systems. Therefore teacher can now
hide a course, while it is still available with LTI.

Closes apluslms#1240
PasiSa added a commit to PasiSa/a-plus that referenced this issue Sep 27, 2023
@PasiSa
Make hidden courses accessible with LTI
ced38cb 
When an A+ course is intended to be accessed as LTI tool from another
learning platform, teacher may wish to prevent direct access from
the regular A+ front page, for example to avoid possible confusion in
grade management  between the two systems. Therefore teacher can now
hide a course, while it is still available with LTI.

Closes apluslms#1240
@markkuriekkinen markkuriekkinen linked a pull request Oct 19, 2023 that will close this issue
Make navigation links visible in LTI tool #1290
Merged
18 tasks
markkuriekkinen pushed a commit to PasiSa/a-plus that referenced this issue Oct 20, 2023
@PasiSa @markkuriekkinen
Make hidden courses accessible with LTI
3d6f7c6 
When an A+ course is intended to be accessed as LTI tool from another
learning platform, teacher may wish to prevent direct access from
the regular A+ front page, for example to avoid possible confusion in
grade management  between the two systems. Therefore teacher can now
hide a course, while it is still available with LTI.

Closes apluslms#1240
markkuriekkinen added a commit to PasiSa/a-plus that referenced this issue Oct 20, 2023
@markkuriekkinen
Restrict access to hidden courses: LTI session targets one course
54bf60c 
After using the A+ LTI Tool, e.g., from a Moodle LTI activity,
students were able to access any hidden course in A+.
`CourseVisiblePermissionBase` used to skip
the `course_instance.visible_to_students` setting if the user had
an LTI launch id in the A+ session. The session data remains even
after the student stops using the LTI Platform (like Moodle) and
accesses A+ directly.

I was able verify that the student was able to access other hidden
courses in A+ and also submit to the assignments. The Moodle LTI
activity needs to be launched into a new window since the session
cookies seem to behave differently in iframes. After the student
has launched the LTI activity in Moodle, the student may open
the normal A+ site in another browser window. The student is
already logged in there. Then, the student may manually type
the A+ URL of some hidden course. The student is able to browse
the hidden course normally. However, the student is not able
to enroll in the hidden course, so they should be already enrolled
or the course should have the setting "view content to" in
a less strict value than "enrolled students".

The issue is fixed by checking that when the student is accessing
a hidden course, it matches the course set in the LTI launch data.
Thus, students may only access a hidden course if they have access
to the course via LTI, e.g., from Moodle.
Note that chapter views in the LTI Tool access embedded exercises
through the normal exercise view.
Thus, the function `has_lti_access_to_course()` looks a bit complex
since it needs to be able to check the LTI session even if
the current view is not any LTI view.

Related to apluslms#1240 and apluslms#1290
markkuriekkinen pushed a commit that referenced this issue Oct 20, 2023
@PasiSa @markkuriekkinen
Make hidden courses accessible with LTI
1f68a3a 
When an A+ course is intended to be accessed as LTI tool from another
learning platform, teacher may wish to prevent direct access from
the regular A+ front page, for example to avoid possible confusion in
grade management  between the two systems. Therefore teacher can now
hide a course, while it is still available with LTI.

Closes #1240
markkuriekkinen added a commit that referenced this issue Oct 20, 2023
@markkuriekkinen
Restrict access to hidden courses: LTI session targets one course
8e6d873 
After using the A+ LTI Tool, e.g., from a Moodle LTI activity,
students were able to access any hidden course in A+.
`CourseVisiblePermissionBase` used to skip
the `course_instance.visible_to_students` setting if the user had
an LTI launch id in the A+ session. The session data remains even
after the student stops using the LTI Platform (like Moodle) and
accesses A+ directly.

I was able verify that the student was able to access other hidden
courses in A+ and also submit to the assignments. The Moodle LTI
activity needs to be launched into a new window since the session
cookies seem to behave differently in iframes. After the student
has launched the LTI activity in Moodle, the student may open
the normal A+ site in another browser window. The student is
already logged in there. Then, the student may manually type
the A+ URL of some hidden course. The student is able to browse
the hidden course normally. However, the student is not able
to enroll in the hidden course, so they should be already enrolled
or the course should have the setting "view content to" in
a less strict value than "enrolled students".

The issue is fixed by checking that when the student is accessing
a hidden course, it matches the course set in the LTI launch data.
Thus, students may only access a hidden course if they have access
to the course via LTI, e.g., from Moodle.
Note that chapter views in the LTI Tool access embedded exercises
through the normal exercise view.
Thus, the function `has_lti_access_to_course()` looks a bit complex
since it needs to be able to check the LTI session even if
the current view is not any LTI view.

Related to #1240 and #1290
@markkuriekkinen
Copy link
Contributor

#1290 fixes this issue in the v1.20_stable branch, but the fix needs to be ported to the master branch too.

@markkuriekkinen
Copy link
Contributor

We talked in the weekly that it is risky to create these cases where students can access courses that are set visible_to_students = False, that is, hidden from students. If there are bugs somewhere, the system would leak hidden courses to students, which we absolutely must avoid. Therefore, this issue can be closed and @PasiSa is going to create a new issue for the same need, but with a different approach. We could keep this approach implemented in this issue in the v1.20_stable branch, but for the master branch, we can implement a new approach that does not reveal hidden courses to students (that is the new issue which hasn't been written yet).

In the master branch, we can use database migrations if need be. There could be a new field in the model CourseInstance. It could define if the course may be published via the LTI Tool or not. If we assume that LTI courses should never be accessed directly in A+, then the setting would also hide the course from the A+ front page (and the course archive as well as the instance list of the course code). (It would also disallow access to the course without LTI in the permissions.) The visible_to_students field would only be used to really hide the course from students so that there is no way they could enter the course.

@PasiSa PasiSa mentioned this issue Oct 24, 2023
Open
@PasiSa
Copy link
Contributor Author

PasiSa commented Oct 24, 2023

For the master branch we will apply a different approach. See issue #1296 .

@PasiSa PasiSa closed this as completed Oct 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@PasiSa PasiSa

Labels
area: LTI LTI protocol (Learning Tools Interoperability, worldwide standard) effort: hours Estimated to take less than one day, from the creation of a new branch to the merging requester: CS The issue is raised internally by a CS teacher type: feature New feature or change to a feature
Projects
A+ sprints
Status: Done
Milestone
v1.20.X patches in the autumn 2023
Development

Successfully merging a pull request may close this issue.

Make navigation links visible in LTI tool PasiSa/a-plus
2 participants
@PasiSa @markkuriekkinen