We recently found that if an account profile has blocked access to some resource such as evalauciones or course tasks manages to access the element by typing the URL of the resource, even though it shows the Erro Ajax: 401.
In our concept, this is a security breach. The user under any criteria should enter blocked elements in the permissions of their profile.
Previously we created a ticket in Cases Canvas, but we noticed that it has not been very important and we believe that this is really serious. Our proposal is that the system does not skip its own security settings based on the permissions that activate and deactivate both the account and course profiles.
We attach videocapture.