[API] Using login[declared_user_type] to control which roles a user can have in +people
We have a problem with teachers being able to add students to courses as teachers (even just accidentally). Most are unaware of the consequences (ie. markbook visibility, course editing etc). We want students to be restricted to student roles and privileges in all cases, so that it's impossible for a student account to have any elevated privileges. At the same time, we want teachers to be able to assemble their own cohorts in courses without the possibility of handing out elevated privileges.
Currently, user accounts have an attribute login[declared_user_type]. As the documentation states, it does not change any Canvas functionality with respect to their access. I'm proposing that it actually be activated to restrict user access.
Canvas could give admins an option to restrict people to the role types listed in the user's login[declared_user_type] attribute. Adding a person to a course would then only work if the role(s) specified in login[declared_user_type] was chosen in the +people dialogue. If teachers really need to add students with a teacher role, the students could get another login with the login[declared_user_type] set to teacher. The login[declared_user_type] attribute could possibly have multiple values, then we could add teachers as students to training courses if their declared_user_type was [student, teacher].
admin,instructor,student,ta,designer,observer
Added to Theme
Make account configuration more flexible through new account settings Theme Status: Identified