[SAK-31820] Roster 2 / students can view group memberships without having the 'viewgroup' permission Created: 30-Sep-2016  Updated: 20-Mar-2017  Resolved: 29-Nov-2016

Status: CLOSED
Project: Sakai
Component/s: Roster
Affects Version/s: 10.7, 11.2, 12.0
Fix Version/s: 10.8 [Tentative], 11.3, 12.0

Type: Bug Priority: Critical
Reporter: Derek Ramsey Assignee: Leonardo Canessa
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

10x/11x/trunk


Issue Links:
Depend
is depended on by SAK-31787 Print Roster only is not printing all... CLOSED
11 status: Resolved
10 status: Resolved

Description

It seems if students do not have the viewgroup permission, they should not be able to see group memberships for anyone in the site.

To reproduce
1. Log in as a student whose role does not have the roster.viewgroup permission
2. Go to the Roster tool in a site with groups defined
3. Click the Group Membership link
4. The student is able to see the group listings in the last column of the table



Comments
Comment by Adam Hauerwas [ 10-Oct-2016 ]

Recognize that this issue can lead to a FERPA violation:

The only current mechanism to give students extra time on a timed assessment is to a) create a copy of the assessment, b) create a group for students who require extra time, and c) restrict access to the second assessment to the group who requires additional time. The issue is that other students in the class can then see who are members of the "additional time group" through the use of the Roster tool.

An alternative would be to create a mechanism where certain groups could be hidden – but that would require much more coding AFAIK for group-aware tools to respect that setting?

Comment by Juan José Meroño Sánchez [ 13-Oct-2016 ]

The "Group Membership" button is not present in Sakai 11; it was removed a long time ago:
https://github.com/sakaiproject/sakai/commit/e0878be93a557a5187076b78b9f54837e7ef05f9

The Group's dropdown list is only showing the groups that the student belongs to, so you are not able to see the members of group A if you are not member of that group. I guess you are trying to hide members of this special group from each other, so you need to remove that group from the top dropdown list and from each member's group column.

This patch is removing the top dropdown list and the group column completely, so if one student is a member of groups A, B and the special group, you won't be able to see that they are a member of group A or B, or filter by any of these groups.

For me the right way to do this is removing the viewgroup permission in the student role in the "special" group, and check if the user has this permission in that group to show this group in any dropdown list, not using a global viewgroup permission to remove all the groups from the list.

Comment by Leonardo Canessa [ 13-Oct-2016 ]

For me the right way to do this is removing the viewgroup permission in the student role in the "special" group, and check if the user has this permission in that group to show this group in any dropdown list, not using a global viewgroup permission to remove all the groups from the list.

This is not a global viewgroup permission, but rather a site permission per role (see Roster tool -> Permissions tab).

Comment by Juan José Meroño Sánchez [ 13-Oct-2016 ]

I'm just wondering what would happen if you are a member of 2 groups and you want to hide users from each other in one of them. With this solution you will also hide all the group info from the user, so he won't be able to see the rest of the members in the "open" group, just because he is a member of a "secret" group.
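
As an added example that is not Sakai code, the Java model below contrasts the two checks argued over in the last two comments: the single site-level role permission the patch relies on, and a per-group check of the same permission that falls back to the site setting when a group defines no override. The data structures, roles, users and group names are constructed for illustration and do not reflect Sakai's actual API.

```java
import java.util.*;

// Added example (not Sakai code): models the two ways of gating the Roster
// group column discussed in this ticket. All ids, roles and groups are constructed.
public class RosterGroupVisibility {
    static final String VIEW_GROUP = "roster.viewgroup"; // permission named in the ticket

    record Group(String id, Set<String> members) {}

    // Site-level permission per role (Roster -> Permissions tab)
    static final Map<String, Set<String>> SITE_PERMS = new HashMap<>();
    // Hypothetical per-group override of the same permission: groupId -> role -> functions
    static final Map<String, Map<String, Set<String>>> GROUP_PERMS = new HashMap<>();

    // Site-wide approach: one role check decides the whole group column
    static List<String> visibleSiteWide(String user, String role, List<Group> groups) {
        if (!SITE_PERMS.getOrDefault(role, Set.of()).contains(VIEW_GROUP)) return List.of();
        return groupsOf(user, groups);
    }

    // Per-group approach: check the permission in each group's own scope,
    // falling back to the site permission when the group defines no override
    static List<String> visiblePerGroup(String user, String role, List<Group> groups) {
        List<String> out = new ArrayList<>();
        for (Group g : groups) {
            if (!g.members().contains(user)) continue; // students only ever see their own groups
            Set<String> perms = GROUP_PERMS.getOrDefault(g.id(), Map.of())
                    .getOrDefault(role, SITE_PERMS.getOrDefault(role, Set.of()));
            if (perms.contains(VIEW_GROUP)) out.add(g.id());
        }
        return out;
    }

    static List<String> groupsOf(String user, List<Group> groups) {
        List<String> out = new ArrayList<>();
        for (Group g : groups) if (g.members().contains(user)) out.add(g.id());
        return out;
    }

    public static void main(String[] args) {
        List<Group> groups = List.of(
                new Group("Lab section A", Set.of("alice", "bob")),
                new Group("Extra time", Set.of("alice", "carol")));
        // Site-wide: the Student role loses roster.viewgroup for the whole site, so the
        // open group disappears along with the sensitive one
        SITE_PERMS.put("Student", Set.of());
        System.out.println("site-wide: " + visibleSiteWide("alice", "Student", groups));
        // Per-group: Student keeps the site permission, only the sensitive group drops it
        SITE_PERMS.put("Student", Set.of(VIEW_GROUP));
        GROUP_PERMS.put("Extra time", Map.of("Student", Set.of()));
        System.out.println("per-group: " + visiblePerGroup("alice", "Student", groups));
    }
}
```

Running main shows the site-wide check hiding both of alice's groups, while the per-group check still lists "Lab section A" and withholds only "Extra time".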

Comment by Leonardo Canessa [ 13-Oct-2016 ]

If the roster tool does not respect the Allow members to see the other members of this group setting of a group, that is a separate issue and thus a new ticket.

Comment by Adam Hauerwas [ 13-Oct-2016 ]

Re:

For me the right way to do this is removing the viewgroup permission in the student role in the "special" group, and check if the user has this permission in that group to show this group in any dropdown list, not using a global viewgroup permission to remove all the groups from the list.

I agree that removing the ability to view all groups is overkill to get around this issue – but as an end user I can't think of another way this can be done. Remember that the purpose isn't to prevent people in the group from seeing other people in the group – the purpose is to prevent anyone non-editor in the site from learning the membership of the group in question, because of its sensitive nature.

Once Samigo has the ability to provide additional time to individual students without the need for additional groups, this workaround may go away.

I am curious what the initial intent of roster.viewgroup was and whether anything refers to it, though. From its name it would seem that roster.viewgroup would give a role the ability to view groups – so it's surprising that this setting isn't currently being respected if that was its initial intent.

Comment by Adam Hauerwas [ 14-Nov-2016 ]

I found a possibly-related JIRA https://jira.sakaiproject.org/browse/SAK-24790 which requested the ability to hide groups. It seems like "hidden groups" might be a feature that hasn't been worked through all of the related tools?

If an instructor added students to a hidden group in order to provide additional time on a test item AND Roster2 did not display the hidden group in the group membership list, this could be another approach to avoid the FERPA violation that I described in an earlier comment.

Comment by Sam Ottenhoff [ 20-Mar-2017 ]

I modified this code in 10.x in r325789

Generated at Sat May 25 13:10:49 CDT 2019 using JIRA 7.5.0#75005-sha1:fd8c849d4e278dd8bbaccc61e707a716ad697024.