
Access to course resources by URL when permissions are closed




We recently found that if an account profile has blocked access to some resource, such as evaluations or course tasks, the user manages to access the element by typing the URL of the resource, even though it shows the Erro Ajax: 401.

In our concept, this is a security breach. The user under any criteria should enter blocked elements in the permissions of their profile.

Previously we created a ticket in Cases Canvas, but we noticed that it has not been very important and we believe that this is really serious. Our proposal is that the system does not skip its own security settings based on the permissions that activate and deactivate both the account and course profiles.

We attach a video capture.


Andrea A.

Community Team

@andrea_ayala, do you still have a case open for this? If so, would you please provide the case number?

Community Participant

Hi stefaniesanders

The case is On hold, it is: 03718561

Thank you.

Community Team

Thank you, @andrea_ayala, for the case number; that helps considerably. We're investigating this with Canvas Support and will update the thread when we have more information.

Community Member

I'm having this problem still
