CSNS2 Security Implementation

Department

Requirements

  • System admin can create departments.
  • Department admin can edit their own department such as changing logo, theme, and adding/removing faculty, instructors, and courses.

In theory, a department's name abbreviation (e.g. cs) should not be changed once the department is created, because doing so may break the department role check. Right now it can be changed by System Admin.

Implementation

  • /admin/** requires sysadmin.
  • DepartmentDao.saveDepartment() requires system or department admin by @PreAuthorize
  • The following controller methods require department admin by @PreAuthorize
    • DepartmentUserController.operation()
    • DepartmentCourseController.operation()

User

Requirements

  • General user management operations like add, edit, disable, and search require sysadmin, department admin, or department faculty.
  • The search function used by auto complete is available to department instructors.
  • Users can edit their own account profile.
  • Temporary user accounts may be created during roster/grade import.

Implementation

  • /user/** requires sysadmin, department admin, or department faculty.
  • /user/autocomplete requires department instructors.
  • /profile requires authenticated users.
  • /register requires authenticated users with temporary accounts.

Course

Requirements

  • Adding and editing courses require department admin.
  • Other course operations like view and search are available to everyone, including anonymous users.

Implementation

  • /course/add and /course/edit require department admin.

Section

Requirements

  • Sections can be added by department admin, department faculty, and department instructor.
  • Sections can be edited by department admin.
  • Department faculty and department instructors can edit their own sections.

Section access is kind of tricky because it's not just about access to the Section objects themselves, but also to the other data associated with a section such as assignments, student roster, student grades, and so on.

Implementation

  • /section/taken requires authenticated users.
  • /section/** requires department admin, department faculty, or department instructor.
  • SectionDao.getSection() requires the caller to be either an instructor or a student in the section (using @PostAuthorize).

The current implementation is not perfect. In fact, there is a known loophole ....

Enrollment

Requirements

  • The instructor(s) of a section and department admin* can add, view, edit, delete enrollments.
  • The students can view their own enrollments.

* Because we allow a course to be included in the curriculum of any department (e.g. TECH250 included in CS BS program), it's difficult to determine which department a section belongs to. So here we allow the admin of any department to manage enrollments, basically trusting that all department admins are good people.

Implementation

  • EnrollmentDao.getEnrollment() is secured with an @PostAuthorize.
  • EnrollmentDao.saveEnrollment() and deleteEnrollment() are secured with @PreAuthorize.
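
As an added illustration, not CSNS2's own source, the Section and Enrollment rules above expressed as Spring Security method annotations; the accessor names on the assumed User, Section and Enrollment types (isAdmin, isInstructor, isStudent, getStudent) and the `#enrollment` parameter-name binding are assumptions.

```java
// Added example (not CSNS2 code). Assumes: the authenticated principal is a
// User with isAdmin() (true for sysadmin or any department admin, matching
// the "admin of any department" rule); Section has isInstructor(User) and
// isStudent(User); Enrollment has getSection() and getStudent().
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;

interface SectionDao {

    // /section/** is already limited at the URL layer. This object-level
    // check is the second line of defense: a caller who reaches the DAO
    // through some other path still cannot read a section they do not
    // teach or take. "returnObject == null" lets a miss fall through to
    // the normal not-found handling instead of an AccessDeniedException.
    @PostAuthorize("returnObject == null"
        + " or principal.admin"
        + " or returnObject.isInstructor(principal)"
        + " or returnObject.isStudent(principal)")
    Section getSection(Long id);
}

interface EnrollmentDao {

    // Instructors of the section and admins may read any enrollment;
    // a student may read only their own.
    @PostAuthorize("returnObject == null"
        + " or principal.admin"
        + " or returnObject.section.isInstructor(principal)"
        + " or returnObject.student.id == principal.id")
    Enrollment getEnrollment(Long id);

    // Writes are checked before the method runs, against the argument.
    // "#enrollment" binds by parameter name, which requires the class to be
    // compiled with parameter names (or debug info) available at runtime;
    // if the name cannot be resolved the expression fails closed.
    @PreAuthorize("principal.admin or #enrollment.section.isInstructor(principal)")
    Enrollment saveEnrollment(Enrollment enrollment);

    @PreAuthorize("principal.admin or #enrollment.section.isInstructor(principal)")
    void deleteEnrollment(Enrollment enrollment);
}
```

A quick check while reviewing such rules: every DAO method that returns or mutates section-scoped data should carry one of these annotations, since URL patterns alone cannot tell whose section a given id belongs to.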

Assignment

Requirements

  • Department instructors can view, add, edit, delete assignments of the sections they teach.
  • Students can view the assignments of the sections they take.
  • Department admins can view all assignments (again, this means admins of all departments).

Implementation

  • /assignment/** requires department admin/faculty/instructor.
  • AssignmentDao.getAssignment() is secured by an @PostAuthorize.
  • AssignmentDao.saveAssignment() is secured by an @PreAuthorize.

Submission

Requirements

  • Department instructors can create, view, edit, grade the submissions for their sections.
  • Students can create, view, and edit their own submissions.
  • Department admins can view all submissions.

Implementation

  • /submission/view, /submission/upload, and /submission/online/edit require authenticated users.
  • /submission/** requires department instructors.
  • SubmissionDao.getSubmission() is secured with an @PostAuthorize.
  • SubmissionDao.saveSubmission() is secured with an @PreAuthorize.

Survey

Requirements

  • Department admin/faculty can create, view, edit, delete surveys.
  • Department admin/faculty can view survey results.
  • Anybody can take a survey.
  • Anybody can create a survey response, but only the author can edit a survey response.
  • Only department admin/faculty can view survey responses.

Implementation

  • /department/*/survey/current and /department/*/survey/response/edit allow all.
  • Some @PreAuthorize and @PostAuthorize annotations in SurveyDaoImpl, SurveyResponseDaoImpl, and the controllers.

The current implementation is not very rigorous, but it should prevent anybody other than department faculty from doing bad things.