Make hidden courses accessible through LTI #1240
Assignees
Labels
area: LTI
LTI protocol (Learning Tools Interoperability, worldwide standard)
effort: hours
Estimated to take less than one day, from the creation of a new branch to the merging
requester: CS
The issue is raised internally by a CS teacher
type: feature
New feature or change to a feature
Milestone
Comments
PasiSa
added
type: feature
PasiSa
added a commit
to PasiSa/a-plus
that referenced
this issue
Sep 27, 2023
When an A+ course is intended to be accessed as LTI tool from another learning platform, teacher may wish to prevent direct access from the regular A+ front page, for example to avoid possible confusion in grade management between the two systems. Therefore teacher can now hide a course, while it is still available with LTI. Closes apluslms#1240
PasiSa
added a commit
to PasiSa/a-plus
that referenced
this issue
Sep 27, 2023
When an A+ course is intended to be accessed as LTI tool from another learning platform, teacher may wish to prevent direct access from the regular A+ front page, for example to avoid possible confusion in grade management between the two systems. Therefore teacher can now hide a course, while it is still available with LTI. Closes apluslms#1240
18 tasks
markkuriekkinen
pushed a commit
to PasiSa/a-plus
that referenced
this issue
Oct 20, 2023
When an A+ course is intended to be accessed as LTI tool from another learning platform, teacher may wish to prevent direct access from the regular A+ front page, for example to avoid possible confusion in grade management between the two systems. Therefore teacher can now hide a course, while it is still available with LTI. Closes apluslms#1240
markkuriekkinen
added a commit
to PasiSa/a-plus
that referenced
this issue
Oct 20, 2023
After using the A+ LTI Tool, e.g., from a Moodle LTI activity, students were able to access any hidden course in A+. `CourseVisiblePermissionBase` used to skip the `course_instance.visible_to_students` setting if the user had an LTI launch id in the A+ session. The session data remains even after the student stops using the LTI Platform (like Moodle) and accesses A+ directly. I was able verify that the student was able to access other hidden courses in A+ and also submit to the assignments. The Moodle LTI activity needs to be launched into a new window since the session cookies seem to behave differently in iframes. After the student has launched the LTI activity in Moodle, the student may open the normal A+ site in another browser window. The student is already logged in there. Then, the student may manually type the A+ URL of some hidden course. The student is able to browse the hidden course normally. However, the student is not able to enroll in the hidden course, so they should be already enrolled or the course should have the setting "view content to" in a less strict value than "enrolled students". The issue is fixed by checking that when the student is accessing a hidden course, it matches the course set in the LTI launch data. Thus, students may only access a hidden course if they have access to the course via LTI, e.g., from Moodle. Note that chapter views in the LTI Tool access embedded exercises through the normal exercise view. Thus, the function `has_lti_access_to_course()` looks a bit complex since it needs to be able to check the LTI session even if the current view is not any LTI view. Related to apluslms#1240 and apluslms#1290
markkuriekkinen
pushed a commit
that referenced
this issue
Oct 20, 2023
When an A+ course is intended to be accessed as LTI tool from another learning platform, teacher may wish to prevent direct access from the regular A+ front page, for example to avoid possible confusion in grade management between the two systems. Therefore teacher can now hide a course, while it is still available with LTI. Closes #1240
markkuriekkinen
added a commit
that referenced
this issue
Oct 20, 2023
After using the A+ LTI Tool, e.g., from a Moodle LTI activity, students were able to access any hidden course in A+. `CourseVisiblePermissionBase` used to skip the `course_instance.visible_to_students` setting if the user had an LTI launch id in the A+ session. The session data remains even after the student stops using the LTI Platform (like Moodle) and accesses A+ directly. I was able verify that the student was able to access other hidden courses in A+ and also submit to the assignments. The Moodle LTI activity needs to be launched into a new window since the session cookies seem to behave differently in iframes. After the student has launched the LTI activity in Moodle, the student may open the normal A+ site in another browser window. The student is already logged in there. Then, the student may manually type the A+ URL of some hidden course. The student is able to browse the hidden course normally. However, the student is not able to enroll in the hidden course, so they should be already enrolled or the course should have the setting "view content to" in a less strict value than "enrolled students". The issue is fixed by checking that when the student is accessing a hidden course, it matches the course set in the LTI launch data. Thus, students may only access a hidden course if they have access to the course via LTI, e.g., from Moodle. Note that chapter views in the LTI Tool access embedded exercises through the normal exercise view. Thus, the function `has_lti_access_to_course()` looks a bit complex since it needs to be able to check the LTI session even if the current view is not any LTI view. Related to #1240 and #1290
|
#1290 fixes this issue in the v1.20_stable branch, but the fix needs to be ported to the master branch too. |
|
We talked in the weekly that it is risky to create these cases where students can access courses that are set In the master branch, we can use database migrations if need be. There could be a new field in the model |
|
For the master branch we will apply a different approach. See issue #1296 . |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Sometimes, when A+ content is intended to be accessed only through external LTI 1.3 platform, it is not desirable to let students access it through A+ front page, nor enroll to it from A+, for example to avoid confusion in transferring points to LTI platform. The most straightforward way to do this is to hide the course in A+ settings, but override the hidden property when content is accessed through LTI.
The text was updated successfully, but these errors were encountered: