Related to Sentry issues in editor-api#7047853462, editor-api#6982000229 and profile#7260930188, profile#7260983040
Currently the safeguarding flag that records the user's role of teacher or owner is not created at the same time as the role is created in this project. Instead, the SchoolStudentsController and SchoolMembersController create the flag before calling the API.
However, some of the other controllers do not have the flag creation built in, so a user can call them without the flag ever having been created. That call fails and an error is reported in Sentry, for both the editor-api and profile.
For example, this call (editor-api/lib/concepts/school_student/list.rb, line 20 in 4ae58dd):

students = ProfileApiClient.list_school_students(token:, school_id: school.id, student_ids:)

is also called outside of the controllers.
The Google SSO student creation is also not protected (editor-api/app/controllers/api/school_classes_controller.rb, line 140 in 4ae58dd):

def create_school_students(school_students_params, school_class)
Suggested fix
Ideally the flag in profile should be created as soon as the role is created in the editor-api. Since there are already users who have roles in the editor but not in profile, these should either be backfilled once that fix is in place, or the workaround that attempts to create the flags needs to be extended to cover all the API endpoints.
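To make the failure mode and the second suggested fix concrete, here is an added Ruby sketch (not editor-api's or profile's code; FakeProfileApi, with_safeguarding_flag and the field names are hypothetical stand-ins): an unguarded profile call fails when no flag exists for the caller, while the same call routed through a helper that first creates the flag from the editor-side role succeeds.

```ruby
# Added illustration, not editor-api's code: a minimal model of the failure
# described in this issue and of the "create the flag first" workaround.
# Every class and method name here is a hypothetical stand-in.

# Stand-in for profile: it only serves users whose safeguarding flag exists.
class FakeProfileApi
  MissingFlag = Class.new(StandardError)

  def initialize
    @flags = {} # user_id => role ("teacher" or "owner")
  end

  def create_safeguarding_flag(user_id:, role:)
    @flags[user_id] = role
  end

  def flag_for(user_id)
    @flags[user_id]
  end

  # Rejects callers with no flag, which is the error the issue sees in Sentry.
  def list_school_students(user_id:, student_ids:)
    raise MissingFlag, "no safeguarding flag for #{user_id}" unless @flags.key?(user_id)
    student_ids.map { |id| { id: id, listed_by: user_id } }
  end
end

# The workaround, centralised: look up the caller's editor-api role, create the flag
# in profile if it is missing, then run the profile call. Routing every profile call
# through this covers the endpoints the issue lists as unprotected.
def with_safeguarding_flag(profile:, roles:, user_id:)
  role = roles[user_id] or raise ArgumentError, "#{user_id} has no school role"
  profile.create_safeguarding_flag(user_id: user_id, role: role) unless profile.flag_for(user_id)
  yield profile
end

def demo
  profile = FakeProfileApi.new
  roles = { "teacher-1" => "teacher" } # role exists in the editor, no flag in profile yet
  ids = %w[s1 s2]
  unguarded = begin # the unprotected path: fails exactly as described
    profile.list_school_students(user_id: "teacher-1", student_ids: ids)
  rescue FakeProfileApi::MissingFlag => e
    e.class
  end
  guarded = with_safeguarding_flag(profile: profile, roles: roles, user_id: "teacher-1") do |api|
    api.list_school_students(user_id: "teacher-1", student_ids: ids)
  end
  { unguarded: unguarded, guarded: guarded, flag: profile.flag_for("teacher-1") }
end
```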