AllTheDucks / jshack-v1

JSHack Version One

Permission issue in BB SaaS #8

Closed scollovati closed 4 years ago

scollovati commented 4 years ago

As you may know, in SaaS by default the system tool is not visible because the entitlement is missing from the admin role permissions.

I think that the issue is here: https://github.com/AllTheDucks/jshack-v1/blob/69b11b2c8894747a968f92a5c93b27e4341a684b/src/main/webapp/WEB-INF/bb-manifest.xml#L58-L71

Probably in order to fix this you should change to something like

Then you have to update also this piece here: https://github.com/AllTheDucks/jshack-v1/blob/69b11b2c8894747a968f92a5c93b27e4341a684b/src/main/webapp/WEB-INF/bb-manifest.xml#L73-L78 and change the last two lines to

                         type="System"
                         template="system.administration.VIEW"

shaneargo commented 4 years ago

Thanks @scollovati,

The issue is indeed due to the use of "system.plugin.CREATE" as a template for the entitlement. However, there are a few things we need to consider.

Existing JS Hack installations The template entitlement is only ever used at the time of creation of the new entitlement. I.e. on the very first install of JS Hack. Simply changing the template entitlement will not resolve the issue in any environment that has previously had JS Hack installed.

Institutions could request that the "system.jshacks.CREATE" entitlement is added to their role. However, it is clearly infeasible to have every single institution request this.

Instead, we have discussed creating a new entitlement (with a new uid) and allowing the existing one to become defunct. This means all (old or new) installations will have the new entitlement created and templated from an appropriate entitlement. It will also mean that old installations will have an orphaned entitlement, with no functionality attached to it.

It also means that if anyone has modified roles to include or exclude this entitlement, that will need to be done again. However, I assume this is not very common, and is certainly creating less work (collectively) than requiring all existing institutions to manually update the roles.

Appropriate template I do not think that "system.administration.VIEW" is an appropriate template entitlement. There are many roles which allow access to the System Admin tab, that you would not expect to be able to manage JS Hacks, e.g. Course Administrator.

We originally chose "system.plugin.CREATE", as JS Hack injects code into Blackboard (albeit, client side) just as plugins are essentially allowing the injection of code into Blackboard.

So now we must choose a more appropriate template entitlement, possibly "system.plugin.MODIFY" which (off the top of my head) allows users to view the list of plugins installed. I believe this is a function that is available by default to SaaS Admins and probably not to roles like Course Administrator.

I am happy to take feedback on this.

scollovati commented 4 years ago

Hi @shaneargo, to me the issue is that the entitlement is <entitlement-uid value="system.jshacks.CREATE" />. Probably "system" is a protected word. In my experience, if you change it to something like "alltheducks.jshacks.CREATE" that entitlement is added to system role Z automatically but, if needed, needs to be added manually to other (lower) system roles.
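The two points raised above (a template entitlement that is too broad for a tool that injects client-side code, and a uid prefix that may be reserved) are the kind of thing worth checking before a manifest ships. The script below is an added example written for this issue, not code from the jshack-v1 project: it parses a constructed bb-manifest.xml fragment and reports entitlement definitions templated from a broad entitlement, templates outside a reviewed allow-list, uids using the "system." prefix, and tool links that reference an entitlement the manifest never defines. The `<entitlement>` element name and its `uid` attribute are assumptions about the manifest schema; the `type`/`template` attributes and `<entitlement-uid value="..."/>` are the forms quoted in this thread.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed manifest fragment for illustration only. The <entitlement> element
# and its "uid" attribute are assumed; the other forms are those quoted in the issue.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest>
  <entitlements>
    <entitlement uid="system.jshacks.CREATE"
                 type="System"
                 template="system.administration.VIEW"/>
    <entitlement uid="alltheducks.jshacks.CREATE"
                 type="System"
                 template="system.plugin.MODIFY"/>
  </entitlements>
  <links>
    <link>
      <entitlement-uid value="system.jshacks.CREATE"/>
    </link>
    <link>
      <entitlement-uid value="alltheducks.jshacks.DELETE"/>
    </link>
  </links>
</manifest>
"""

# Held by many roles (e.g. Course Administrator) that should not manage hacks.
BROAD_TEMPLATES: Set[str] = {"system.administration.VIEW"}
# Templates the thread treats as proportionate to code injection into the UI.
REVIEWED_TEMPLATES: Set[str] = {"system.plugin.CREATE", "system.plugin.MODIFY"}
# Prefix reported in the thread as possibly reserved by Blackboard (unverified).
RESERVED_PREFIX = "system."


def audit_entitlements(manifest_xml: str) -> List[Dict[str, str]]:
    """Return one finding per least-privilege or naming concern in the manifest."""
    root = ET.fromstring(manifest_xml)
    findings: List[Dict[str, str]] = []
    for ent in root.iter("entitlement"):  # exact tag match; excludes <entitlement-uid>
        uid = ent.get("uid", "")
        template = ent.get("template", "")
        if template in BROAD_TEMPLATES:
            findings.append({"uid": uid, "severity": "high",
                             "reason": f"template {template} is held by roles that "
                                       f"should not manage hacks"})
        elif template not in REVIEWED_TEMPLATES:
            findings.append({"uid": uid, "severity": "medium",
                             "reason": f"template {template} is not on the reviewed list"})
        if uid.startswith(RESERVED_PREFIX):
            findings.append({"uid": uid, "severity": "low",
                             "reason": "uid uses the system. prefix, reported as reserved"})
    return findings


def undefined_references(manifest_xml: str) -> Set[str]:
    """Entitlement uids referenced by tool links but never defined in the manifest."""
    root = ET.fromstring(manifest_xml)
    defined = {e.get("uid", "") for e in root.iter("entitlement")}
    referenced = {e.get("value", "") for e in root.iter("entitlement-uid")}
    return referenced - defined


if __name__ == "__main__":
    for f in audit_entitlements(SAMPLE_MANIFEST):
        print(f"[{f['severity']}] {f['uid']}: {f['reason']}")
    for uid in sorted(undefined_references(SAMPLE_MANIFEST)):
        print(f"[high] link references undefined entitlement {uid}")
```

On the constructed sample this flags the first definition twice (broad template, reserved prefix), passes the second, and reports the dangling DELETE reference. Note that, as shaneargo explains above, a template is only consulted when the entitlement is first created, so a clean manifest does not by itself repair roles on systems where the old entitlement already exists.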

scollovati commented 4 years ago

The issue seems to be fixed with the latest release https://github.com/AllTheDucks/jshack-v1/releases/tag/v1.0.15

shaneargo commented 4 years ago

Thanks @scollovati. It was the intention that v1.0.15 would fix this issue. Sorry I neglected to comment on here.