Access to course resources by URL when permissions are closed


Hi,

We recently found that if an account profile has blocked access to some resource, such as evaluations or course tasks, the user still manages to access the element by typing the URL of the resource, even though it shows the Erro Ajax: 401.

In our concept, this is a security breach. The user under any criteria should enter blocked elements in the permissions of their profile.

Previously we created a ticket in Cases Canvas, but we noticed that it has not been very important and we believe that this is really serious. Our proposal is that the system does not skip its own security settings based on the permissions that activate and deactivate both the account and course profiles.

We attach a video capture.

Thanks!

Andrea A.

5 Comments
Stef_retired
Instructure Alumni

@andrea_ayala, do you still have a case open for this? If so, would you please provide the case number?

andrea_ayala
Community Novice

Hi stefaniesanders

The case is on hold; it is: 03718561

Thank you.

Stef_retired
Instructure Alumni

Thank you, @andrea_ayala, for the case number; that helps considerably. We're investigating this with Canvas Support and will update the thread when we have more information.

JCLambert123
Community Member

I'm having this problem still

Stef_retired
Instructure Alumni
Status changed to: Archived