htwkmooc/codeocean
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Don't set admin privileges through LTI

Browse Source
This commit is contained in:
Sebastian Serth
2018-12-19 00:58:04 +01:00
parent f74c241141
commit c0608b6f50
1 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
app/controllers/concerns/lti.rb
View File

@ -58,7 +58,8 @@ module Lti
provider.roles.each do |role| provider.roles.each do |role|
case role.downcase! case role.downcase!
when 'administrator' when 'administrator'
result = 'admin' # We don't want anyone to get admin privileges through LTI
result = 'teacher' if result == 'learner'
when 'instructor' when 'instructor'
result = 'teacher' if result == 'learner' result = 'teacher' if result == 'learner'
else # 'learner' else # 'learner'
@ -145,7 +146,11 @@ module Lti
def set_current_user def set_current_user
@current_user = ExternalUser.find_or_create_by(consumer_id: @consumer.id, external_id: @provider.user_id) @current_user = ExternalUser.find_or_create_by(consumer_id: @consumer.id, external_id: @provider.user_id)
@current_user.update(email: external_user_email(@provider), name: external_user_name(@provider), role: external_user_role(@provider)) external_role = external_user_role(@provider)
internal_role = @current_user.role
internal_role != 'admin' ? desired_role = external_role : desired_role = internal_role
# Update user with new information but change the role only if he is no admin user
@current_user.update(email: external_user_email(@provider), name: external_user_name(@provider), role: desired_role)
end end
private :set_current_user private :set_current_user