hedyorg / hedy

Hedy is a gradual programming language to teach children programming. Gradual languages use different language levels, where each level adds new concepts and syntactic complexity. At the end of the Hedy level sequence, kids master a subset of syntactically valid Python.
https://www.hedy.org
European Union Public License 1.2

Allow admin to see all programs #148

Closed Felienne closed 3 years ago

Felienne commented 3 years ago

Would be great if the Hedy/Admin user can see all programs, to aid in lessons. That saves kids with an issue from screensharing or copy-pasting programs to get help. It now shows:

image

(This error message maybe for other users should be something like: "Unauthorized access" rather than "No such program"?)

fpereiro commented 3 years ago

We can definitely allow the admin user to look at all programs. Great idea!

Regarding the 404 (not found) instead of a 403 (unauthorized), it's a security practice I saw implemented to give away as little info as possible - so if someone's trying to figure out if there's a program with id X that doesn't belong to them, they cannot tell whether it exists or not. I admit it's a bit silly to prevent randomly created IDs from being guessed, but it is the application of a general security principle (it would be far less innocent if this referred to named documents or users, which is where the principle comes from). I can change it back to a 403 if you want :).
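
The principle described in the comment above, as an added illustration that is not Hedy's own code: an in-memory program store (constructed here) and a single lookup function that returns the same 404 whether the program is missing or merely belongs to someone else, with an admin set (assumed, not Hedy's real user model) allowed to read everything. The 403 variant is kept beside it so the difference in what a non-owner can learn is visible.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Set, Tuple

@dataclass(frozen=True)
class Program:
    program_id: str
    owner: str
    code: str

# Constructed in-memory store standing in for the real database (not Hedy's).
PROGRAMS: Dict[str, Program] = {
    "a1b2c3": Program("a1b2c3", "alice", "print Hello"),
    "d4e5f6": Program("d4e5f6", "bob", "ask What is your name?"),
}

# Assumption: admins are identified by a fixed set of usernames.
ADMIN_USERS: Set[str] = {"admin"}

NOT_FOUND: Tuple[int, str] = (404, "No such program")
Response = Tuple[int, str]


def view_program(username: str, program_id: str) -> Response:
    """Existence and authorization collapse into one answer.

    A program that does not exist and a program the caller may not read both
    yield the identical 404, so the status code cannot be used as an oracle
    for whether some other user's program id is real. Admins read anything.
    """
    program = PROGRAMS.get(program_id)
    if program is None:
        return NOT_FOUND
    if username != program.owner and username not in ADMIN_USERS:
        return NOT_FOUND  # deliberately indistinguishable from "missing"
    return 200, program.code


def view_program_leaky(username: str, program_id: str) -> Response:
    """The 403 alternative discussed in the thread.

    Functionally the same access control, but 'not yours' (403) and
    'does not exist' (404) are now told apart by the caller.
    """
    program = PROGRAMS.get(program_id)
    if program is None:
        return NOT_FOUND
    if username != program.owner and username not in ADMIN_USERS:
        return 403, "Unauthorized access"
    return 200, program.code


def ids_confirmed_to_exist(view: Callable[[str, str], Response],
                           username: str, candidates: Iterable[str]) -> Set[str]:
    """Which candidate ids does `username` learn are real, given this handler?

    Any non-404 answer confirms the id exists. Used here only to show the
    information each handler gives away; with the uniform-404 handler a user
    can confirm nothing beyond their own programs.
    """
    return {pid for pid in candidates if view(username, pid)[0] != 404}


if __name__ == "__main__":
    probe = ["a1b2c3", "d4e5f6", "zzzzzz"]
    print("uniform 404:", ids_confirmed_to_exist(view_program, "bob", probe))
    print("403 variant:", ids_confirmed_to_exist(view_program_leaky, "bob", probe))
```

With the uniform-404 handler, bob can only confirm his own program; with the 403 variant he also learns that alice's id is real. Whichever handler is chosen, the admin bypass lives in one place, so the decision about who may read a program is not duplicated across views.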

Felienne commented 3 years ago

Yeah you are right, it is somewhat of an exposure if we show that the program exists rather than it not being accessible to this user, so we can leave that as is.

But allowing the admin to see programs (and in the far future: allowing teachers to add kids to their class, see https://github.com/Felienne/hedy/issues/152) would be great!