[Permissions] Import and Copy should respect role permissions

Problem statement:

Our teachers do not have permission to create or manage LTI external tools for compliance/legal reasons, but if they import (or copy), that import can create external tools. The problem this creates is typically with vendor course cartridges. We define tools at the (sub)account level rather than the course level, but some cartridges contain external tool definitions, so an instructor can import a cartridge which creates an external tool (or multiple) and we (I) have to go behind and clean up these definitions. This is a major maintenance headache since if there are duplicate external tool definitions, neither will work. One security risk is that someone could create a cartridge on a different system that violates our compliance policy and import it to create a potential breach on our system.

Proposed solution:

Don't let people do things that they don't have permission to do! Imports should respect the permissions of the person initiating the import. This has been reported to Instructure, but is not considered a problem!

User role(s):

admin,instructor

Added to Theme

3 Comments
KristinL
Community Team
Community Team
Status changed to: Open
 
KristinL
Community Team
Community Team
Status changed to: New
 
KristinL
Community Team
Community Team
Status changed to: Added to Theme