Community Help

cesbrandt · ‎05-16-2016

Edit (5/20/2016): Below is the code I came up with to build a global array of all Account Roles assigned to the ENV['current_user_id'] relative to the page being accessed.

Rewriting this edit has turned it more into a Guided Practice than a simple posting of the code. Not really my style (I certainly don't write the material we teach, so my apologies if it's bad), but I hope it helps to give everyone ideas on how they could use this.

/**
 * Executes an XMLHttpRequest and the supplied callback, providing the
 *    responseText and GET URL as variables of the callback function.
 *
 * Important Note: This function assumes the results of the XMLHttpRequest will
 *    be JSON data prepended by "while(1);".
 */
function getJSON(apiURL, callback) {
 xhrRequests++;
 var xhr = new XMLHttpRequest();
 xhr.open('GET', apiURL, true);
 xhr.onload = function() {
  var data;
  if(xhr.status >= 200 && xhr.status < 400) {
   try {
    callback(JSON.parse(xhr.responseText.replace('while(1);', '')), apiURL);
    xhrRequests--;
   } catch(e) {
    console.log(e);
   }
  } else {
   console.log('API Access Error ' + xhr.status + ': ' + xhr.statusText);
  }
 };
 xhr.onerror = function(e) {
  console.log('API Access Error: ' + e.error);
 };
 xhr.send();
}
/**
 * Identifies the parent account of a course or sub-account and retrieves the
 *    Account Roles for that account.
 */
function getParentAccount(id, type) {
 /* Types
    0 = Accounts
    1 = Courses
  */
 var apiURL = '/api/v1/' + ((type === 0) ? 'accounts' : 'courses') + '/' + id, success;
 if(type === 0) {
  success = function(data) {
   var accountID = data['parent_account_id'];
   if(accountID != null) {
    getAdminList(accountID);
   }
  };
 } else {
  success = function(data) {
   getAdminList(data['account_id']);
  };
 }
 getJSON(apiURL, success);
}
/**
 * Retrieves the Account Roles for the current user for the designated accountID
 *    and pushes them to the userRoles global array.
 */
function getAdminList(accountID) {
 getJSON('/api/v1/accounts/' + accountID + '/admins?user_id=' + ENV['current_user_id'], function(data, apiURL) {
  data.forEach(function(obj) {
   userRoles.push(obj);
  });
  getParentAccount(apiURL.split('/')[4], 0);
 });
}
/**
 * Triggers a series of XMLHttpRequests to build a single list of all account
 *    role assignments for the current user that applies to the current page
 *    being accessed.
 *
 * Important Note: Additional logic restricts use fo this function to accounts
 *    and courses pages
 */
function adminRoles() {
 window.url = window.location.href;
 window.rolesRetrieved = false;
 var type = (url.indexOf('/courses/') != -1) ? 1 : ((url.indexOf('/accounts/') != -1) ? 0 : null);
 if(type !== null && ENV['current_user_roles'].includes('admin')) { // If type of page is course or account
  var id = url.split('/')[url.split('/').indexOf((type === 1) ? 'courses' : 'accounts') + 1];
  // Generate global variables for storing the consolidated list of roles and to
  //    track the active XMLHttpRequests
  window.userRoles = [], window.xhrRequests = 0;
  if(type === 1) {
   getParentAccount(id, type);
  } else {
   getAdminList(id);
  }
  var wait = setInterval(function() {
   if(xhrRequests <= 0) {
    rolesRetrieved = true;
    clearInterval(wait);
   }
  }, 500);
  return true;
 }
 console.log('Invalid page for adminRoles() execution.');
 return false;
}

Important Note: This is pure JavaScript, no jQuery, and is fairly heavy on validation. Specifically, this is only meant to work with the accounts and courses pages. The restriction is primarily due to my not having had a chance to look into the API for profile, calendar, and inbox pages. I may revisit this at a later time, but that is doubtful. Nearly every feasible "custom" functionality I can think of that would not be globally applied would belong to a courses page.

The entire process is triggered by calling adminRoles(). It contains validation for execution from courses or accounts pages and to only continue execution if ENV['current_user_roles'] contains admin. If the current page is valid and the current user has an Account Role, the function will return true, otherwise it'll return false.

As the XMLHttpRequests are executed, the Account Roles assigned to the ENV['current_user_id'] relative to the current page will be appended to a global array (userRoles) for manipulation after all the roles have been identified.

In addition, there is also a global variable (rolesRetrieved) created to track whether the list of assigned Account Roles has finished being generated. Since the XMLHttpRequests are asynchronous, a timer needs to be used to watch this variable and wait until it is set to true before trying to work with the roles.

As such, the most simplistic way to call this function would be:

window.onload = (function() {
 /* BEGIN ACCOUNT ROLE LIST GENERATION */
 if(adminRoles()) {
  var wait = setInterval(function() {
   if(rolesRetrieved) {
    // Insert Code to Handle the generated list
    clearInterval(wait);
   }
  }, 500);
 }
 /* END ACCOUNT ROLE LIST GENERATION */
})();

This will execute adminRoles() on EVERY page for EVERY user. However, the validation at the very beginning of the function will prevent any of the time-consuming scripting from executing for users that do not have an Account Role or that are on a page where the parent_account_id cannot be traced.

Simple validation of the current page can be used to identify whether the function should execute. Any method can be used to identify whether the script should continue. A particular element ID or class name could be used on the pages where it should be used, validating the URL, or a combination of these and other means. How a page is validated to execute the script is entirely dependent upon the needs of the institution.

It can also be used to specify different code segments that can be executed by Account Role and be page-specific. However, how this gets implemented is entirely up to the developers. There are a few obvious options, each with their benefits and problems.

In terms of prevent unwanted execution on pages where the generated list would not be used, you can wrap the entire Account Role List Generation in another IF statement that validates the page for your requirements.

window.onload = (function() {
 // Only generate the Account Role List on a courses' Modules page (ensuring module items are not included)
 if(window.location.href.indexOf('/courses/') != -1 && window.location.href.indexOf('/modules') != -1 && window.location.href.indexOf('/modules/') == -1) {
  /* BEGIN ACCOUNT ROLE LIST GENERATION */
  if(adminRoles()) {
   var wait = setInterval(function() {
    if(rolesRetrieved) {
     // Insert Code to Handle the generated list
     clearInterval(wait);
    }
   }, 500);
  }
  /* END ACCOUNT ROLE LIST GENERATION */
 }
})();

As shown in this example, the only place where adminRoles() will execute is a page with a URL containing "/courses/" AND "/modules" BUT NOT "/modules/". The intent being to allow the function to run on the Modules page without it running on module items, like URLs.

In terms of execution and load times, this style of implementation is ideal as it will prevent any of the script from being executed if the current page has no need for it. However, it also can get difficult to manage this for use on multiple, specific page types. Following the same route, adding functionality that is generalized would also need to be specified. Thee page restrictions would need to be identified in the outer IF statement which would prevent unwanted execution of adminRoles() and in the IF statement that executes the Account Role-specific scripting.

window.onload = (function() {
 // Only generate the Account Role List on a courses' Modules page (ensuring module items are not included)
 if((window.location.href.indexOf('/courses/') != -1 && window.location.href.indexOf('/modules') != -1 && window.location.href.indexOf('/modules/') == -1) || window.location.href.indexOf('/accounts/') != -1) {
  /* BEGIN ACCOUNT ROLE LIST GENERATION */
  if(adminRoles()) {
   var wait = setInterval(function() {
    if(rolesRetrieved) {
     // Insert Code to Handle the generated list for general functionality on all pages
     if(url.indexOf('/courses/') != -1 && url.indexOf('/modules') != -1 && url.indexOf('/modules/') == -1) {
      // Insert Code to Handle the generated list for functionality specific to the Modules page of courses
     }
     if(url.indexOf('/accounts/') != -1) {
      // Insert Code to Handle the generated list for general functionality on all Accounts pages
     }
     clearInterval(wait);
    }
   }, 500);
  }
  /* END ACCOUNT ROLE LIST GENERATION */
 }
})();

Alternatively, the function could be ran on EVERY page and then additional functionality dictated only afterward the list has been generated. The overall code would be the same, but the pages regulation would only be handled in one location, making it easier to manage.

Lastly, I recommend using the role_id for matching roles to functions. However, since a user can be assigned a role at multiple levels, we don't want to execute the code twice. To prevent this, I would recommend using a "is it set" object to track whether a role's portion of the script has already been executed.

window.onload = (function() {
 // Only generate the Account Role List on a courses' Modules page (ensuring module items are not included)
 if((window.location.href.indexOf('/courses/') != -1 && window.location.href.indexOf('/modules') != -1 && window.location.href.indexOf('/modules/') == -1) || window.location.href.indexOf('/accounts/') != -1) {
  /* BEGIN ACCOUNT ROLE LIST GENERATION */
  if(adminRoles()) {
   var wait = setInterval(function() {
    if(rolesRetrieved) {
     var set = {};
     if(typeof set['generic'][0] === 'undefined') {
      // Insert Code to Handle the generated list for general functionality on all pages
     }
     switch(role['role_id']) {
      case 1:
       if(typeof set['generic'] === 'undefined') {
        set['generic'] = [];
       }
       if(typeof set['generic'][role['role_id']] === 'undefined') {
        // Insert Code to Handle the generated list for general functionality on all pages for role 1
       }
       break;
      case 3:
       if(typeof set['generic'] === 'undefined') {
        set['generic'] = [];
       }
       if(typeof set['generic'][role['role_id']] === 'undefined') {
        // Insert Code to Handle the generated list for general functionality on all pages for role 3
       }
       break;
     }
     if(url.indexOf('/courses/') != -1 && url.indexOf('/modules') != -1 && url.indexOf('/modules/') == -1) {
      if(typeof set[0] === 'undefined') {
       set[0] = [];
      }
      if(typeof set[0][0] === 'undefined') {
       // Insert Code to Handle the generated list for general functionality on all pages
      }
      switch(role['role_id']) {
       case 1:
        if(typeof set[0][role['role_id']] === 'undefined') {
         // Insert Code to Handle the generated list for functionality specific to the Modules page of courses for role 1
        }
        break;
       case 5:
        if(typeof set[0][role['role_id']] === 'undefined') {
         // Insert Code to Handle the generated list for functionality specific to the Modules page of courses for role 5
        }
        break;
      }
     }
     if(url.indexOf('/accounts/') != -1) {
      if(typeof set[1] === 'undefined') {
       set[1] = [];
      }
      if(typeof set[1][0] === 'undefined') {
       // Insert Code to Handle the generated list for general functionality on all pages
      }
      switch(role['role_id']) {
       case 2:
        if(typeof set[1][role['role_id']] === 'undefined') {
         // Insert Code to Handle the generated list for general functionality on all Accounts pages for role 2
        }
        break;
       case 7:
        if(typeof set[1][role['role_id']] === 'undefined') {
         // Insert Code to Handle the generated list for general functionality on all Accounts pages for role 7
        }
        break;
      }
     }
     clearInterval(wait);
    }
   }, 500);
  }
  /* END ACCOUNT ROLE LIST GENERATION */
 }
})();

Tweaking the structure and validation restrictions would be entirely dependent upon the needs of the institution, but hopefully I've given good, basic, ideas on how this can be used.

Original Post

Here's the basic situation: We have customized features (i.e. link homepage generators and inline editing icons) meant to help keep our courses uniform and ease some of the functionality of Canvas. However, these features are not intended for display to students (though they do no harm).

Currently, we're restricting access via Canvas user IDs as retrieved from the ENV constant. Originally, we'd considered restricting them via ENV['current_user_roles'], but found that, for some reason, students receive the teacher role, making it unreliable. Here's our current implementation:

// Array of MCDAs
var mcda = [
  657,
  658
];
// On Window Load
window.onload = (function() {
  if((' ' + document.body.className + ' ').match(/modules/) && mcda.indexOf(parseInt(ENV['current_user_id'])) != -1) {
    ...
  }
})();

This method is not ideal since the JavaScript file will need to be updated whenever the access list is updated. However, there is a select group on individuals that utilize these "special" features and they are all members of the same account roles. However, the ENV constant offers nothing with regards to identifying the account roles of the current user.

Is it possible to use JavaScript to detect what account role (if any) a user has when they access a particular page?

tdw · ‎05-18-2016

Hi cesbrandt,

As I mentioned ENV.current_user_roles does not necessarily correlate to the roles in the system, which is what you are seeing (e.g. somebody that's a TA gets "teacher" in the array). If it's absolutely critical that only someone with the enrollment of teacher is given these tools, then your best bet is to use the Enrollments API.

Essentially, query the current enrollment (you can get the user ID and course ID from ENV) and look for the returned role or type. Look at the filters listed in the API page, you will be able to get exactly what you want in the query and not have to iterate over the results.

/api/v1/courses/{current course}/enrollments?user_id={current user}&role=TeacherEnrollment

will return an array of TeacherEnrollment objects for that user in that course (1 for each section), so you don't even need to dig through the return data, just check if the array.length > 0 and you know they have a teacher enrollment.

View solution in original post

Stef_retired · ‎05-16-2016

cesbrandt, as this question is very specific and highly technical in nature, I've shared it with the Canvas Admins and Canvas Developers groups to enhance its visibility among the experts in this area.

tdw · ‎05-17-2016

Hi cesbrandt,

I'd like to know more about how the students are receiving the "teacher" role in ENV.current_user_roles. If that's the case it's probably a bug. Are you using custom roles for students that were based on the built-in teacher role? Because (I believe) ENV.current_user_roles values are populated from the parent role. Meaning, say, if you created a custom role called "counselor" and based it off of "teacher" the ENV should show "teacher" and not "counselor".

I have used ENV.current_user_roles to successfully show/hide things based off of the array values without issue.

cesbrandt · ‎05-18-2016

I, honestly, have no idea why it has a teacher role. I know that the role assigned to students is original "Student" course role.

Here's a screenshot of a student account (absolutely no account-level permissions) accessing a course where they have the "Student" role and the corresponding console.log of my calling the ENV['current_user_roles']:

Checking the Course Roles and the permissions assigned, the only permission not set to "Use Default" is Read SIS data which is still disabled but has also been locked to prevent accidental enabling in a sub-account. I double-checked each editable setting for the role to ensure it was set that way, and checked them both globally and at the sub-account, to ensure it wasn't changed at some point (they weren't).

Further, in the case of this test student, I've confirmed that the Enrollments for the account is limited to Courses, no Accounts were listed.

tdw · ‎05-18-2016

There's definitely something wrong there. Here's a user who only has a student enrollment on the dashboard and in a course:

You can see that they only have user and student in the current_user_roles array. At this point I would suggest talking to whoever created the test user or reaching out to support.

cesbrandt · ‎05-18-2016

Alright, so I was able to do a thorough investigation of the user permissions. My process was to create a brand new account and systematically add/remove access to it following the exact access assignments for the account in my earlier screenshot. The answer appeared almost immediately.

Our usual test account had been enrolled in one course as a TA and all others as a Student. Removing the enrollment as a TA from another course resulted in the loss of the teacher role in the ENV constant. This, however, doesn't make any sense to me. Wouldn't the teacher role only appear in the course where the account is enrolled as a TA?

Also, my original question is still applicable. I appreciate that we took a deeper look at the odd role assignments, but there are still several roles we have that would award the admin and teacher roles in the ENV constant, most of which would not require access to the custom components I've mentioned. Being able to restrict is by the Account Roles would be ideal. Is it possible?

tdw · ‎05-18-2016

Hi cesbrandt,

As I mentioned ENV.current_user_roles does not necessarily correlate to the roles in the system, which is what you are seeing (e.g. somebody that's a TA gets "teacher" in the array). If it's absolutely critical that only someone with the enrollment of teacher is given these tools, then your best bet is to use the Enrollments API.

Essentially, query the current enrollment (you can get the user ID and course ID from ENV) and look for the returned role or type. Look at the filters listed in the API page, you will be able to get exactly what you want in the query and not have to iterate over the results.

/api/v1/courses/{current course}/enrollments?user_id={current user}&role=TeacherEnrollment

will return an array of TeacherEnrollment objects for that user in that course (1 for each section), so you don't even need to dig through the return data, just check if the array.length > 0 and you know they have a teacher enrollment.

cesbrandt · ‎05-18-2016

Alright, thank you. I was under the impression the ENV['current_user_roles'] was supposed to reflect the roles the user should have on any particular page, not all the generic roles they've been assigned anywhere on Canvas.

James · ‎05-18-2016

I've held off asking this because it didn't go anywhere in helping track down the original problem, but have you looked at the ENV.IS_STUDENT field ? It may not be there or it may be with a true/false value. I'm not sure if it would be useful in discriminating between teacher and student, but it might be an area to explore.

You can also fetch information about the user's enrollments to see what roles they have. That's an extra API call, but sometimes you gotta do what you gotta do.

As for the other, maybe this will help with the explanation: it's "current_user_roles" as in roles that the current user has (anywhere), not user_current_roles as in roles that the user currently has (within a context like a course).

cesbrandt · ‎05-18-2016

ENV['IS_STUDENT'] returns as undefined, regardless of the user and role assignments. I've looked through the constant and couldn't find it.

As for the original question, I'm going to follow API query route. I'll query the account admins and then filter it down by the role ID(s) that I want to grant access to the features. It'll need to be recursive, making several queries to test each sub-account up to the top-level, but it should be fairly easy to actually implement.

Honestly, I was hoping to avoid API calls, but if that's what's needed, it's what is needed.

I'll post up my completed code after I've written and tested it.

tdw · ‎05-18-2016

I don't think you'll need to do multiple API calls, if you're just trying to display some stuff in a course based on certain enrollment types. I think I understand what you're trying to do- check if the user has a specific role (out of a number of roles) and if they do, do some stuff. Here's some pseudo code (seriously, untested!):

$(function(){
    var runOnce = false;
    var doStuff = function() {
        console.log("I'm doing stuff!");
        runOnce = true;
    }
    var supportedRoles = ["TeacherEnrollment", "TaEnrollment"];
    var domain = window.location.hostname;
    var courseID = Number(ENV.course.id);
    var userID = Number(ENV.current_user_id);
    
    var jsonURL = "https://" + domain + ":443/api/v1/courses/" + courseID + "/enrollments?user_id=" + userID;
    var userRoles = [];
    var getEnrollments = $.getJSON( jsonURL, function( data ) {
        for(var i=0; i < data.length; i++) {
            userRoles.push(data[i].type);
        }
    });
    getEnrollments.done(function(){
        for(var i=0; i < userRoles.length; i++) {
            if(runOnce == false) {
                for(var j=0; j < supportedRoles.length) {
                    var supportedRole = supportedRoles.indexOf(userRoles[i]);
                    if((supportedRole != -1) && (RunOnce == false)) {
                        doStuff();
                    } else {
                        break;
                    }
                }
            } else {
                break;
            }
        }
    });
    
    getEnrollments.error(function(){
        console.log("  Error getting enrollments.");
    });
});

Of course that will run for every user on every page, so you'll probably want to nest it in an if so it only runs in the case(s) you want it to.

cesbrandt · ‎05-18-2016

This would be great for testing against Course Roles assignments. What I'll be testing against is Account Roles assignments.

For example, a CDA is assigned at the account level and does not require enrollment in a course, but they do require access to a customized tool. I can't test whether they need access based upon the course enrollments because they aren't enrolled in the course. The returned results would be blank.

Instead, I'll query the list of account admins for the account_id that owns the course and each parent_account_id until I hit the root_account_id OR I get a positive hit on the role_id.

So, I'll get the account_id from:

var jsonURL = '/api/v1/courses/' + courseID;

Then, I'll check its admins for the ENV['current_user_id']:

var jsonURL = '/api/v1/accounts/' + accountID + '/admins?user_id=' + ENV['current_user_id'];

If there are any results with a role_id matching what is being searched for, then there is no need to continue. If there isn't, then I'll check for the parent_account_id and repeat until the root_account_id matches null:

var jsonURL = '/api/v1/accounts/' + accountID;

It's a simple enough script to write, it'll just have to wait until tomorrow for me to do it.

P.S. What do you use to format your code when posting? I haven't found an option in the RTE that will format code. Am I missing it?

James · ‎05-18-2016

cesbrandt

Click on "Use Advanced Editor"
Then click the >> on the second row.
You can select Syntax Highlighter and then pick the language.

cesbrandt · ‎05-18-2016

I feel blind, now. Thank you! ^^'

James · ‎05-18-2016

Have you thought about moving it outside your global JavaScript and into a user script (Greasemonkey or Tampermonkey). Then you could install it on the machines of the people who might need it and it would do the checking only for them rather than for everyone?

cesbrandt · ‎05-18-2016

Actually, I have. One thing prevents me from doing so: I can't require the user of a tool to have to install it. Not my preference, but it's what I'm limited by.

As for it running on everyone, I'm still thinking on that one. Since I now know the ENV['current_user_roles'] is global roles, not just the particular page, I can rely on it and restrict the execution to users with an admin role, which would be granted to any users that would require access to one of these tools.

tdw · ‎05-19-2016

Fortunately I have a snippet for that already if you want it

if($.inArray("admin", ENV.current_user_roles) !== -1) {
  //Stuff for admin
}

Good luck, and have fun with the rest of your script!

cesbrandt · ‎05-19-2016

That's basically what I was going to be using (without the jQuery), but I still need to distinguish which admin get access to which tools.

Here's the basic structure I'm planning to go with:

if(ENV['current_user_roles'].includes('admin')) {
 adminRoles().forEach(function(role) {
  switch(roles) {
   case x:
    // Enable tools for role x
    break;
   case y:
    // Enable tools for role y
    break;
   case z:
    // Enable tools for role y
    break;
  }
 });
}

adminRoles() would be pulling each sub-accounts admin list and filtering by the user, returning only the those that apply to the user. It'll be recursive until parent_account_id equals null.

Originally, I was going to make it escape out of the looping when a positive hit is made, however, to accommodate multiple roles and access that may be awarded at different levels, I'll pull all the roles within the account path for the user and then determine what tools they should have access to.

When I finish the code, I'll post it up. Maybe make a jQuery equivalent.

Edit: Fixed the missing brackets on the switch...case. ^^'

James · ‎05-18-2016

@tdw ,

Awesome to see code (even if it is untested) written by someone who actually knows what they're doing.

I would make one note, Canvas is still using jQuery 1.7 (last I checked) but jQuery has a note that the .error() method has been deprecated as of jQuery 1.8 and to future proof your code to use .fail() instead. Likewise, instead of using .success() you should use .done(). It don't see that it affects the .success() callback anonymous function that is passed as a parameter. http://api.jquery.com/jquery.ajax/ and http://api.jquery.com/jquery.getjson/

And a question since I'm not a JavaScript expert. Is there a potential race issue with .done() getting called while the .success() callback function that populates userRoles is still running. The documentation says .done() is an alternative to .success(), but it also says the deferred stuff gets executed in the order defined and success() is part of the AJAX call so it's defined first, but I don't know if it's an alias for .done() or they're implemented differently since it's a callback and not setup through the deferred process. It seems like it would be safer (or at least cleaner) to move the array population to the .done() method rather than using the callback at all.

cesbrandt · ‎05-19-2016

@James @tdw

I have updated my original post with the JavaScript I came up with for pulling a complete list of the Account Roles for the ENV['current_user_id'] following the parent_account_id/account_id breadcrumb trail. That, in itself, is summed into the adminRoles() which will return true or false depending on if it was able to follow and executable path. The rest is for restricting execution to specific pages and declaring multiple roles with custom functionality.

For my implementation, functions with each tool will be called for the roles that would be allowed to use them. It'll use a tool object for the same purpose as the set object, to prevent it from being loaded twice.

Account Role Detection

Item limit on "Add to Module" dialog box and solut...

How to enable Upload/Recording Media option to tak...

outh2 flow token generation

Acceder a la

Canvas Customization

If I have a Course ID, Quiz ID and a Question ID c...

How can I access previous year data using canvas L...

For new LTI tool - XML or JSON? Which is preferred...

Item limit on "Add to Module" dialog box and solut...

LTI not storing custom values in session data

You're signed out

Account Role Detection

Community Help

View our top guides and resources: