justinabrahms
commented
8 years ago Had a discussion with @Ferdi which cleared up much of what I didn't get with the access control discussion we had this week.
We will have users (which is easier to think of as APIUsers) on the ccx connector. They'll get an api key which they'll use to authenticate. With this, they'll have read/write access to the records that they've created. This is the approach that @giocalitri suggested.
So one issue this brings up is that the edx apiuser is going to be creating records. How can the teachersportal user read/edit them?
One potential solution here is through the use of django groups. We could, for instance, have groups like: "edx-read" or "edx-write" that get applied to particular users. This will segment people across different read/writes. This seems like it might not do that much in the long term, because it seems less likely that we'll have multiple sources of courses that won't want to use the edx courses.
Another option is to restrict writes from certain clients (like teacher's portal) to pre-defined scopes. This is what edx itself does. Teacher's Portal would get permissions like "edit_price" or "edit_live". I'm not yet 100% sure what things it would need edit access to, but prices and publish status are certainly among of them.
cc @noisecapella, who I think might be interested in this.
pdpinch
A portal (like the teachers portal) needs to securely communicate with the ccxcon in order to query courses for the catalog and to create new custom courses.