Better Identification of Roles in ENV Variable

Idea created by cesbrandt on Sep 19, 2018
    Open for Voting
    • Joni Miller
    • Daniel Grobani
    • Xavier Cotto
    • Todd Van Zandt

    I can only imagine what someone that doesn't regularly work with JavaScript would be thinking of that title, but I really couldn't think of a better one.


    The idea, simply put, is to provide a more detailed list of the roles assigned and applicable to a user given the context of where they are in Canvas. I'd guess that the simplest option would to list role IDs, instead of "admin." Alternatively, assuming role names have to be unique, the role name could be parsed into the role list (i.e., "Dean" would parse to "dean;" "Program Director" could parse to "programDirector;" etc.).


    Now, to explain what I'm suggesting and provide context for those that don't already know what I'm talking about:

    We currently use numerous little CSS and JavaScript snippets to emulate greater permission granularity as well as provide additional, custom, functionality to select users (i.e., making non-confidential information for accessible). However, we have to identify who those "select users" are.


    Our first thought is: what information is most accessible to us on any given page? The answer is the ENV variable. Under it is basic user information, including current_user_roles.


    Here's the problem, they're generic! All users assigned a role at the account-level are designated as having an "admin" role. Those users assigned a role at for account 1 are designated has having a "root_admin" role. It doesn't care that user 632 is a "Dean" and user 8326 is a "Student Success Coordinator," it just looks at where they're assigned permissions.


    So, user 632 is a "Dean" for the Arts & Sciences department, so they're assigned the role at the account-level for that department (Development[2] -> Arts and Sciences[7], Masters[3] -> Arts and Sciences[8], Campus x[87] -> Arts and Sciences[91], etc.). User 8326 is a "Student Success Coordinator" for Campus x, so they're assign the role at the account-level for that Campus (Campus x[87]). Obviously both roles have a reason to have access to certain information, and Canvas is decent at letting was break up what information each role can get, but each also has unique tasks that have custom functionality to assist with their work. Problem is, both register as "admin" in JavaScript, so we can't distinguish what each of them is supposed to have access to from it. Both come up with a role map like this:

    ENV.current_user_roles = ["user", "student", "teacher", "admin"];


    Second thought was: use API calls to pull the actual roles. Well, due to the permission restrictions, this isn't viable. Just because a role is assigned to the user doesn't mean the user would be able to retrieve role information. So, it needs elevated permissions to make the API call, which then puts credentials into client-side executable code. Yeah, not gonna happen.


    Third thought: third-party server-size validation accessed via XHR. Overkill for such a small feature.


    Given the extensive overhaul to make permissions more granular, most use of this in custom JavaScript to limit access to certain features will become irrelevant, but I've seen enough userscripts and snippets across the community to know that the ability to provide customized functionality to specific roles is not a new thing. We use it fairly extensively, and, as is best, limit the truly "powerful" or "dangerous" functionality to userscripts with a tighter restriction on who has access to them, but some of it would be much better to integrate into our global JavaScript and limit by the roles.