ahess4
Community Contributor

LTI Restrictions (for instructors)

Does anyone have suggestions on how to prevent instructors from installing non-vetted LTI tools or preventing tools from being added at the course level?

Thanks,

Anthony Hess

10 Replies
shane_ohara
Community Champion

Are you referring to LTI apps from the eduappcenter? If so, you just have to hide the ones that you don't want available to instructors. Otherwise, so long as instructors aren't granted account-level admin access then they wouldn't be able to add LTIs manually.

Shane

ahess4
Community Contributor

Instructors can add apps regardless of the eduappcenter settings, simply by pasting in XML or the link to the XML in the eduappcenter. To see this, go to (as instructor):

Course Settings -> Apps

Select 'View App Configurations'

Select 'Add App'

You can add any app you like, no matter what is set in eduappcenter.

This is what I am referring to.

Thanks,

Anthony Hess

Ah yes, we've not had this issue so I wasn't thinking of it that way. You could always use a JavaScript exclude to hide the button. Let me know if you need an example.

Shane

ahess4
Community Contributor

We've been using JS to customize permissions when there wasn't a permissions setting. Not the best way - but seems like the only way. If you don't mind providing an example, I'll compare it to what we use for blocking course reset and delete from instructors. Our JS blocks based on roles in any course, which is not ideal since it blocks admins also if they have an instructor enrollment in a course.

Plus, users could still use the API if they really wanted to.

What we currently have (blocks add, modify, remove section; delete, reset, conclude course):

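// Runs for any user with a teacher role (this also matches admins enrolled as teachers).
// indexOf returns -1 when the role is absent; comparing with !== -1 also covers index 0.
if (ENV.current_user_roles.indexOf("teacher") !== -1) {
  // Conclude, delete and reset course
  $("a[href*='confirm_action?event=conclude']").hide();
  $("a.btn.button-sidebar-wide.delete_course_link").hide();
  $("a.btn.button-sidebar-wide.reset_course_content_button").hide();
  // Add, edit and delete section
  $("#add_section_form").hide();
  $('a.no-hover.edit_section_link').hide();
  $('a.no-hover.cant_delete_section_link').hide();
  $('a.delete_section_link').hide();
}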

Thanks,

Anthony Hess
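
Added example, not code from any poster in this thread: since hidden buttons leave the API path mentioned above open, an admin can audit which tools are actually installed at the course level and compare them with the vetted list. It assumes tool records shaped like the list returned by Canvas's `GET /api/v1/courses/:course_id/external_tools`; the allowlist hosts, course IDs and sample records are constructed.

```javascript
// Added example: flag course-level LTI installs that are not on a vetted allowlist.
// Assumption: each tool record has id, name, domain and url fields, as in the
// Canvas External Tools API list response.

// Hypothetical allowlist of vetted tool hosts (constructed values).
const VETTED_HOSTS = new Set(["lti.vetted-vendor.example", "tools.campus.example"]);

// Resolve the host a tool launches against: prefer `domain`, fall back to `url`.
function toolHost(tool) {
  if (tool.domain) return tool.domain.toLowerCase();
  if (tool.url) {
    try { return new URL(tool.url).hostname.toLowerCase(); } catch (e) { return null; }
  }
  return null; // no launch target we can check: treat as unvetted
}

// Return the tools in one course whose host is unknown or not on the allowlist.
function findUnvettedTools(courseId, tools, vetted = VETTED_HOSTS) {
  return tools
    .map((t) => ({ courseId, toolId: t.id, name: t.name, host: toolHost(t) }))
    .filter((t) => t.host === null || !vetted.has(t.host));
}

// Constructed sample: tool lists for two courses, keyed by course ID.
const SAMPLE = {
  101: [
    { id: 1, name: "Vetted Quiz Tool", domain: "lti.vetted-vendor.example", url: null },
    { id: 2, name: "Pasted XML Tool", domain: null, url: "https://Unknown-Host.example/launch" },
  ],
  102: [
    { id: 3, name: "Campus Library", domain: null, url: "https://tools.campus.example/lti" },
    { id: 4, name: "No launch target", domain: null, url: null },
  ],
};

// Audit every course and collect the findings for admin review.
function auditCourses(toolsByCourse, vetted = VETTED_HOSTS) {
  return Object.entries(toolsByCourse).flatMap(([courseId, tools]) =>
    findUnvettedTools(Number(courseId), tools, vetted));
}

console.table(auditCourses(SAMPLE));
```

In a real run the per-course lists would come from the API using an admin token, and the findings would be reviewed or removed by an account admin.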

Anthony,

This is what I am using to exclude the buttons from everyone except an account-level admin. You should be able to add the button for "Add App" in there to hide it from all other roles as well.

$(document).ready(function(){
  // Hide these controls from everyone who is not an account-level admin
  if ($.inArray('admin', ENV['current_user_roles']) == -1) {
    // Delete, reset and conclude course
    $("a.btn.button-sidebar-wide.delete_course_link").hide();
    $("a.btn.button-sidebar-wide.reset_course_content_button").hide();
    $("a[href*='confirm_action?event=conclude']").hide();
    // Edit, delete and add section
    $('a.no-hover.edit_section_link').hide();
    $('a.no-hover.cant_delete_section_link').hide();
    $('#add_section_form').hide();
    $('input#course_section_name').hide();
    $('#add_section_form > button').hide();
  }
});

Shane

@shane_ohara ahess4

I'm in the same situation as Anthony, we're trying to restrict the ability for instructors to manually add LTIs via a URL/XML by removing the 'Add App' button. I've added this $("#external_tools .AddExternalToolButton").hide(); and the above to our Canvas JavaScript file, but, for whatever reason, the button won't hide. Is this the same code that you added, or was it something different?

Thanks,

Michael

We just ended up hiding the entire apps tab as there was nothing useful for instructors in the tab (because we are managing apps at the institutional level). The JS to hide the tab is: $('#tab-tools-link').hide();

Thanks,

Anthony

I would add the following to my JS, if I wanted to take that away....
$("a.btn.btn-primary.add_tool_link").hide();

Shane

awilliams
Instructure

Hmm, we haven't done this at our institution so I'm no expert, but I believe you can manage this with:

How do I manage a whitelist in the Edu App Center? and

How do I manage an Edu App Center whitelist in Canvas?

ahess4
Community Contributor

We already manage apps there. I was referring to manually adding LTI tools with XML or link to XML.

Thanks,

Anthony