[Import/Export] Privacy/Copyright/Security issue: Course Import ignores user's permissions restrictions to silently change course settings

Problem statement:

The Canvas Course Import does not seem to check a user's permissions before running an import, and does not honor permission restrictions during the import process. If "All content" or "Settings" are selected during the import process, the Course Import tool will match all Settings from the source course site, including the course's Visibility setting.

Therefore, if an instructor imports an imscc package where the source course had a "Public" visibility setting, the import process will make the course publicly viewable. This is done even if the course visibility is set by the institution to "Course" (i.e., Private) and the instructor's role does NOT have the permission "Courses - change visibility". Additionally, the instructor is not warned after the import completes that their course visibility has been set to Public, so they are unlikely to know that all the course content they create after that has occurred will have publicly viewable links generated for it.

There are privacy and copyright issues with making content that should be restricted to the course publicly viewable. This is especially problematic if the system is exposing that content without the instructor's knowledge.

Additionally, because the Course Import process does not honor permissions, course-level LTI installs are always included in the import process. To comply with privacy, security, and accessibility policies, many schools do not allow instructors to install LTI tools that have not been institutionally approved for use. The Import process should not allow unapproved tools to be installed if the institution has policies and settings in place to prevent that from happening.

To prevent issues that can be created by inappropriate settings being imported, the Course Import process should be able to check for and honor the permissions restrictions of the user performing the import.

Proposed solution:

Provide options at the system level (and, if possible, more granular at the subaccount level) to require that the Course Import process check for and respect user permissions. If the user performing the import does not have permission to modify the specified Course Settings, and changes to those settings are blocked at the system/account level, they should not be changed.

There should be two separate options to require permissions to be honored:

  • If the role of the user performing the import does not have the permission "Courses - change visibility", do not change Course Visibility on import.
  • If the role of the user performing the import does not have the permission "LTI - add", and the course being imported includes course-specific LTI tool installs that the user would not be able to add on their own, do not import these.

User role(s):

admin,instructor,ta,designer
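
The permission-gated import proposed above can be sketched as follows. This is an added example, not Canvas code or part of the original post: `ImportPolicy`, `apply_import`, the setting keys, and the idea of an institution-approved tool list are hypothetical, and the package and course data are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical permission keys, named after the role permissions quoted in the post.
CHANGE_VISIBILITY = "Courses - change visibility"
LTI_ADD = "LTI - add"

@dataclass
class ImportPolicy:
    # The two separate account-level options the post proposes (hypothetical names).
    honor_visibility_permission: bool = True
    honor_lti_permission: bool = True
    approved_tool_ids: frozenset = frozenset()  # assumption: institution-approved LTI tools

@dataclass
class ImportResult:
    settings: dict
    lti_tools: list
    skipped: list = field(default_factory=list)  # surfaced to the importer as warnings

def apply_import(current, package, user_permissions, policy):
    """Merge package settings into the course, dropping changes the importer may not make."""
    settings = dict(current)
    skipped = []
    for key, value in package.get("settings", {}).items():
        blocked = (key == "visibility" and policy.honor_visibility_permission
                   and CHANGE_VISIBILITY not in user_permissions
                   and value != current.get("visibility"))
        if blocked:
            skipped.append(f"visibility kept as {current.get('visibility')!r}; package requested {value!r}")
        else:
            settings[key] = value
    tools = []
    for tool in package.get("lti_tools", []):
        allowed = (not policy.honor_lti_permission or LTI_ADD in user_permissions
                   or tool["id"] in policy.approved_tool_ids)
        if allowed:
            tools.append(tool)
        else:
            skipped.append(f"LTI tool {tool['id']!r} not installed; importer lacks {LTI_ADD!r}")
    return ImportResult(settings, tools, skipped)

# Constructed sample: a package exported from a course whose visibility was Public.
PACKAGE = {"settings": {"visibility": "public", "license": "cc_by"},
           "lti_tools": [{"id": "approved-tool"}, {"id": "unvetted-tool"}]}
COURSE = {"visibility": "course", "license": "private"}
POLICY = ImportPolicy(approved_tool_ids=frozenset({"approved-tool"}))

if __name__ == "__main__":
    result = apply_import(COURSE, PACKAGE, user_permissions=set(), policy=POLICY)
    print(result.settings, [t["id"] for t in result.lti_tools], *result.skipped, sep="\n")
```

The `skipped` list covers the missing-warning problem described in the post: every blocked change is reported back to the person running the import instead of being dropped silently.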