CSNS2 Security Implementation

Department

Requirements

  • System admin can create departments.
  • Department admin can edit their own department such as changing logo, theme, and adding/removing faculty, instructors, and courses.

In theory the department name abbreviation (e.g. cs) should not be changed once a department is created, because doing so may break the department role check. Right now it can still be changed by the system admin.

Implementation

  • /admin/** requires sysadmin.
  • DepartmentDao.saveDepartment() requires system admin or department admin (enforced by @PreAuthorize).
  • The following controller methods require department admin (enforced by @PreAuthorize):
    • DepartmentUserController.operation()
    • DepartmentCourseController.operation()
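The method-level check on saveDepartment(), as an added example rather than CSNS2's own code. It assumes a hypothetical authority naming scheme in which a department admin holds ROLE_DEPT_ADMIN_<abbreviation> (e.g. ROLE_DEPT_ADMIN_cs) and a system admin holds ROLE_ADMIN; the class and method names follow the ones listed above, the package name is made up, and the public class would go in its own file when compiled.

```java
package example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Repository;

// Turns on evaluation of @PreAuthorize/@PostAuthorize on Spring-managed beans.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

// Minimal department entity; only the field the role check depends on is shown.
public class Department {
    private final String abbreviation;   // e.g. "cs"

    public Department(String abbreviation) {
        this.abbreviation = abbreviation;
    }

    public String getAbbreviation() {
        return abbreviation;
    }
}

interface DepartmentDao {
    Department saveDepartment(Department department);
}

@Repository
class DepartmentDaoImpl implements DepartmentDao {

    // ASSUMPTION: a department admin carries the authority
    // "ROLE_DEPT_ADMIN_<abbreviation>" and a system admin carries ROLE_ADMIN.
    // "#department" binds to the method parameter, so the expression is
    // evaluated before the body runs: an unauthorized caller receives an
    // AccessDeniedException and nothing is persisted.
    @Override
    @PreAuthorize("hasRole('ROLE_ADMIN') or "
                + "hasRole('ROLE_DEPT_ADMIN_' + #department.abbreviation)")
    public Department saveDepartment(Department department) {
        // Persistence omitted: this is a constructed example, not CSNS2 code.
        return department;
    }
}
```

Binding `#department` by parameter name requires the class to be compiled with debug information (or `-parameters`); otherwise annotate the parameter with Spring Security's `@P("department")`. The example also shows why the abbreviation is treated as immutable above: the authority string embeds it, so a user holding ROLE_DEPT_ADMIN_cs silently loses access to a department whose abbreviation is later renamed, while nobody gains it. Making the field read-only in the department edit form is the simplest way to close that gap.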

User

Requirements

  • General user management operations like add, edit, disable require sysadmin, department admin, or department faculty.
  • Users can edit their own account profile.
  • Temporary user accounts may be created during roster/grade import.

Implementation

  • /user/** requires sysadmin, department admin, or department faculty.
  • /profile requires authenticated users.
  • /register requires authenticated users with temporary accounts.

Course

Requirements

  • Adding and editing courses require department admin.
  • Other course operations like view and search are available to everyone, including anonymous users.

Implementation

  • /course/add and /course/edit require department admin.

Section

Requirements

  • Sections can be added by department admin, department faculty, and department instructor.
  • Sections can be edited by department admin.
  • Department faculty and department instructors can edit their own sections.

Section access is tricky because it is not just access to the Section objects themselves, but also to the other data associated with a section, such as assignments, the student roster, student grades, and so on.

Implementation

  • /section/taken requires authenticated users.
  • /section/** requires department admin, department faculty, and department instructor.
  • SectionDao.getSection() requires the caller to be either an instructor or a student in the section (enforced by @PostAuthorize).
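The URL rules collected from the Department, User, Course and Section implementation lists above, together with the object-level check on getSection(), as one added example; this is not CSNS2's own configuration. The URL patterns are the ones on this page; the role names (ROLE_ADMIN, ROLE_DEPT_ADMIN, ROLE_DEPT_FACULTY, ROLE_DEPT_INSTRUCTOR, ROLE_TEMP_USER), the Section roster methods and the package name are assumptions, and the principal is assumed to be a UserDetails so that principal.username resolves.

```java
package example.security;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Repository;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // URL-level rules. Patterns come from this page; role names are assumed
    // (hasRole/hasAnyRole prepend "ROLE_" in the Java config API). Rules are
    // matched top to bottom and the first match wins, so the specific
    // /section/taken entry must precede /section/**.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/user/**").hasAnyRole("ADMIN", "DEPT_ADMIN", "DEPT_FACULTY")
            .antMatchers("/profile").authenticated()
            .antMatchers("/register").hasRole("TEMP_USER")
            .antMatchers("/course/add", "/course/edit").hasRole("DEPT_ADMIN")
            .antMatchers("/section/taken").authenticated()
            .antMatchers("/section/**").hasAnyRole("DEPT_ADMIN", "DEPT_FACULTY", "DEPT_INSTRUCTOR")
            // Course view/search and anything else not matched above stay
            // open to anonymous users, as the Course requirements state.
            .anyRequest().permitAll()
            .and()
            .formLogin();
    }
}

// Minimal section entity carrying the two rosters the access check needs.
public class Section {
    private final Set<String> instructorUsernames;
    private final Set<String> studentUsernames;

    public Section(Set<String> instructorUsernames, Set<String> studentUsernames) {
        this.instructorUsernames = instructorUsernames;
        this.studentUsernames = studentUsernames;
    }

    public boolean isInstructor(String username) {
        return instructorUsernames.contains(username);
    }

    public boolean isStudent(String username) {
        return studentUsernames.contains(username);
    }
}

interface SectionDao {
    Section getSection(Long id);
}

@Repository
class SectionDaoImpl implements SectionDao {

    // Membership can only be decided once the Section and its roster have been
    // loaded, hence @PostAuthorize rather than @PreAuthorize: the query runs,
    // then the result is withheld (AccessDeniedException) unless the caller is
    // on the roster. "principal" is the authenticated UserDetails and
    // "returnObject" the loaded Section; a null result passes through because
    // there is nothing to protect.
    @Override
    @PostAuthorize("returnObject == null"
                 + " or returnObject.isInstructor(principal.username)"
                 + " or returnObject.isStudent(principal.username)")
    public Section getSection(Long id) {
        // Constructed roster standing in for the real query.
        return new Section(
            new HashSet<>(Arrays.asList("instructor1")),
            new HashSet<>(Arrays.asList("student1", "student2")));
    }
}
```

Two limits of this arrangement are worth keeping in mind. The /section/** rule only decides who may reach the section controllers at all, not which section they may touch; that is what the @PostAuthorize check adds. And that check guards the Section object alone: assignments, the roster and grades loaded through other DAO methods need their own checks, which is the "tricky" part noted in the requirements above.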

The current implementation is not perfect. In fact, there is a known loophole ....
