Explain access levels. Prevent module actions outside of a user's access level. #2040
Assignees
Labels
Comments
FrenjaminBanklin
added a commit
to FrenjaminBanklin/Obojobo
that referenced
this issue
Jan 10, 2023
…aining what each access level allows. Added logic to draft update API endpoint to prevent saving a draft if the user does not have full or partial access to it. Added logic to permissions update API endpoitn to prevent a user without full access to a draft to change other users' access to it.
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
See #1983.
#1997 adds the ability to grant any of three different levels of access to a module. The dashboard correctly interprets the current level of access a user has to any given module at the time of the page loading - however, if a user loads the page and their access level is changed before they load the page again, they are still able to interact with the module based on their previous level of access.
For example: User A previously granted 'Full' access to User B for Module X. User B visits their dashboard and can see Module X. User A changes User B's access to 'Partial' or even 'Minimal', but User B has not refreshed their dashboard. Despite now having non-'Full' access to Module X, User B is still able to manage Module X as though they have 'Full' access - including editing, deleting, or changing other users' access levels.
The differences between each access level are also not apparent to the user setting the levels. This could be solved either with some kind of succinct explanatory text in the Share dialog or perhaps a tooltip.
The text was updated successfully, but these errors were encountered: