Access to course resources by URL when permissions are closed

Idea created by Andrea Alfonso Ayala on Feb 7, 2019
    Moderating
    Score1
    • Andrea Alfonso Ayala

    Hi,

     

    We recently found that if an account profile has blocked access to some resource such as evalauciones or course tasks manages to access the element by typing the URL of the resource, even though it shows the Erro Ajax: 401.

     

    In our concept, this is a security breach. The user under any criteria should enter blocked elements in the permissions of their profile.

     

    Previously we created a ticket in Cases Canvas, but we noticed that it has not been very important and we believe that this is really serious. Our proposal is that the system does not skip its own security settings based on the permissions that activate and deactivate both the account and course profiles.

     

    We attach videocapture.

     

    Thanks!

     

    Andrea A.