irishb
Community Contributor

Are your students able to hack a hidden People page?

We just discovered that at least one student has been using a hack to access a hidden People page (meaning the People navigation link is disabled/hidden from students in the Course Navigation Menu).

The hack is adding "/users" at the end of the site's URL. This hack works via Student View as well.

The student gaining access can see other students’ names at the hidden People page but not other students' college usernames or ID numbers.

From testing in both Student View and masquerading as an active student, the hack does not appear to work with other hidden navigation areas, such as /pages, /files, or /quizzes. When tried, each resulted in a message "That page has been disabled for this course."

I have submitted a ticket with Canvas Support, Case 02367946, and wanted to alert other schools about this issue in the meantime.

Thank you,

Bridget Irish

Curricular Technology Support | Canvas Admin
The Evergreen State College

2 Solutions

Accepted Solutions
irishb
Community Contributor

Here's the scoop from Canvas Support:

"After investigating, the People tab cannot be disabled, only hidden. If you don't want the students to be able to see who is in the course, I suggest you change permissions. You will need to uncheck the "See the list of users" from the student tab. I hope this helps."

It helps to know how it is possible for students/users to access a hidden People page.

We're thinking of turning off the student permission to "See the list of users" at the Account-level and creating a sub-account with the permission enabled that we can move courses into for any faculty who would like their students to be able to access the People page.

Hope this information and thread may be of help to others. : )

Best wishes,

Bridget Irish

Curricular Technology Support | Canvas Admin
The Evergreen State College

kblack
Community Champion

Thank you, Bridget--yes it does! As one who has set up several non-course-related Canvas sites myself, I should have thought of some of those.  We allow students to change their display names, as well, but I'm glad I followed this discussion, because it has pointed out some interesting issues.

Best regards,

Ken

19 Replies
akkaufmann
Community Contributor

Hi irishb

According to the guide: How do I reorder and hide Course Navigation links? 

All of the links fall under three different categories when hidden:

Disabling a course navigation link creates the following redirects:

  • Hidden only (cannot be disabled): Discussions, Grades, and People
  • Page disabled; redirected to home page: Announcements, Assignments, Conferences, Collaborations, Files, Modules, Outcomes, Quizzes, Pages, Syllabus
  • Page disabled; won't appear in navigation: Any LTI links, such as Attendance, Chat, and SCORM

Along with People, the Grades and Discussions pages cannot be disabled, only hidden. So a student can access these pages if they know the URL.

From my understanding, it has to do with how the API works and ensuring that the data associated with these pages is accessible on other pages, i.e. Grades needs to stay enabled to still allow a student to view their grade on a specific assignment on that assignment's page.

Alex

irishb
Community Contributor

Thank you, Alex.

I think Canvas should add further clarifying information to the guide that users have the ability to still access the "cannot be disabled" pages/areas and that permissions would need to be changed at the Account and/or Sub-Account level.

kona
Community Coach

irishb, I'm not sure of the reasoning behind wanting to keep this hidden from the students, but unless you've shut this down as well, students can also see the list of who is in their course from the Inbox.

kblack
Community Champion

I totally agree with @kona on this, irishb (as I often do!). Are you concerned about FERPA issues? While there is separate ongoing discussion of FERPA violations with courses that get cross-listed, I cannot see students seeing the People area as anything like a FERPA violation, given that even student email addresses cannot even be directly seen from there.

cfelton1
Community Participant

We have a course students who are on academic probation are required to complete. For confidentiality reasons, we need to hide the ability for students to see the list of other students enrolled in the course. I'm glad @kona mentioned the inbox as a way for students to see others listed. We hadn't thought of that. While preventing students from being able to see each other is probably a limited need, I know of cases like this where it could be necessary.

Thank you for your information. 

kblack
Community Champion

Interesting use case, cfelton‌!  Thanks for mentioning something like that.

dwillmore
Community Champion

I would create a special role for these situations personally, which would leave students to participate with each other in the majority of courses. You make a good need case, cfelton. We have the same type of courses and you gave me something to think about. Thank you.

RobDitto
Community Champion

At our institution, we have certain courses placed in a sub-account where the Permission called "Send messages to individual course members" is not granted to students. This hides the names of other students listed in the Inbox's To: addressing choices.

While I haven't tried this, you may be able to use the same technique with the "See the list of users" permission, denying that to students within a sub-account.
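
An added example, not part of any post in this thread and not Canvas code: a small audit that applies the thread's findings (People, Grades and Discussions can only be hidden; "See the list of users" and "Send messages to individual course members" are the actual controls) to a list of courses. The permission keys `read_roster` and `send_messages`, the nearest-setting-wins inheritance between account and sub-account, and all sample data are assumptions.

```python
# Added example: which "hidden" course pages can students still reach?
# Tab categories come from the guide quoted in the thread. Permission keys,
# the inheritance rule and all sample data below are assumptions.
HIDDEN_ONLY = {"people", "grades", "discussions"}  # hidden, never disabled
TAB_PERMISSION = {"people": "read_roster"}  # "See the list of users"

# Constructed account tree: account -> parent (None marks the root).
PARENT = {"root": None, "roster-visible": "root"}
# Constructed student-role settings made explicitly at each account.
STUDENT_PERMS = {
    "root": {"read_roster": False, "send_messages": True},
    "roster-visible": {"read_roster": True},
}
# Constructed courses with the nav links hidden from students.
COURSES = [
    {"id": 101, "account": "root", "hidden_tabs": {"people", "files"}},
    {"id": 102, "account": "roster-visible", "hidden_tabs": {"people", "grades"}},
    {"id": 103, "account": "roster-visible", "hidden_tabs": set()},
]

def effective(account, perm, default=True):
    """Walk up the account tree; the nearest explicit setting wins."""
    while account is not None:
        settings = STUDENT_PERMS.get(account, {})
        if perm in settings:
            return settings[perm]
        account = PARENT[account]
    return default

def audit(course):
    """List the ways a hidden page or the roster is still exposed."""
    findings = []
    acct, hidden = course["account"], course["hidden_tabs"]
    for tab in sorted(hidden & HIDDEN_ONLY):
        perm = TAB_PERMISSION.get(tab)
        if perm is None or effective(acct, perm):
            findings.append(f"{tab}: hidden only, reachable by URL")
    if "people" in hidden and effective(acct, "send_messages"):
        findings.append("inbox: classmates listed in recipient picker")
    return findings

def audit_all(courses=COURSES):
    return {c["id"]: audit(c) for c in courses}

if __name__ == "__main__":
    for course_id, findings in audit_all().items():
        print(course_id, findings or "ok")
```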