Simplify: Remove admin attribute from Educator and from authorization path #2093
Who is this PR for?
developers and project leads

What problem does this PR fix?
The way that staff_type influences permissions is complicated, and the interaction between values in Aspen and Insights isn't clear in the UI or code. This leaves open edge cases related to critical-path authorization. The first time the educator record is created, the staff_type value influences schoolwide_access and can_view_restricted_notes, but the import process only does this once, and these relationships aren't kept in sync over time if the underlying SIS staff_type value changes.

What does this PR do?
Removes admin as a value that's computed from staff_type and, as a result, removes staff_type from influencing Insights authorization altogether. This makes it an explicit step for project leads to allow new users schoolwide access or access to restricted notes, which this PR views as a security improvement.

Separately, this tightens authorization in several controllers where we were using admin+districtwide_access in endpoints where we really should be restricting access to project leads only (and where the UI had already removed these links).

Checklists
(this still needs testing)
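The two models the PR description contrasts, written out as an added Ruby example rather than code from this project: a "before" importer that derives access flags from the SIS staff_type only on first import (so a later SIS change leaves stale grants behind, and an implicit admin is still computed from staff_type), beside an "after" model where import never touches access flags and a grant is an explicit action by a project lead. The Educator struct, the importer and authorizer classes, the project_lead attribute and the 'Administrator' staff type value are all illustrative assumptions, as is the constructed demotion scenario.

```ruby
# Added example, not code from the project this PR belongs to. All class,
# method and attribute names here are illustrative assumptions; the real
# models are Rails records, but a Struct keeps this runnable stand-alone.
Educator = Struct.new(
  :id, :staff_type, :schoolwide_access, :can_view_restricted_notes, :project_lead,
  keyword_init: true
)

# "Before": flags are derived from the SIS staff_type, but only the first time
# an educator is seen, and an implicit admin is computed from staff_type.
class DerivedFromStaffTypeImporter
  def initialize
    @seen = {}
  end

  def import(educator, sis_staff_type)
    educator.staff_type = sis_staff_type
    unless @seen[educator.id]
      is_admin = (sis_staff_type == 'Administrator') # assumed SIS value
      educator.schoolwide_access = is_admin
      educator.can_view_restricted_notes = is_admin
      @seen[educator.id] = true
    end
    educator
  end

  # Implicit admin computed from the SIS value (what the PR removes).
  def admin?(educator)
    educator.staff_type == 'Administrator'
  end

  def schoolwide_access?(educator)
    admin?(educator) || educator.schoolwide_access == true
  end
end

# "After": import records staff_type for information only and never changes
# access flags; flags change only through an explicit grant by a project lead.
class ExplicitGrantImporter
  def import(educator, sis_staff_type)
    educator.staff_type = sis_staff_type
    educator
  end
end

class ExplicitGrantAuthorizer
  NotAuthorized = Class.new(StandardError)

  # Only a project lead may widen another educator's access.
  def grant_schoolwide_access!(actor:, target:)
    raise NotAuthorized, 'project leads only' unless project_lead_only?(actor)
    target.schoolwide_access = true
    target
  end

  # Authorization reads the explicit flag and nothing else.
  def schoolwide_access?(educator)
    educator.schoolwide_access == true
  end

  # Controller-style guard for endpoints restricted to project leads.
  def project_lead_only?(educator)
    educator.project_lead == true
  end
end

# Constructed scenario: first imported as Administrator, later demoted in the
# SIS. In the derived model the stale flag survives the demotion.
def drift_in_derived_model
  importer = DerivedFromStaffTypeImporter.new
  e = Educator.new(id: 1, schoolwide_access: false, project_lead: false)
  importer.import(e, 'Administrator')
  importer.import(e, 'Teacher') # SIS change; flags are not re-synced
  [e.staff_type, importer.schoolwide_access?(e)]
end

# Same scenario in the explicit model: no grant was ever made, so no access.
def no_drift_in_explicit_model
  importer = ExplicitGrantImporter.new
  e = Educator.new(id: 2, schoolwide_access: false, project_lead: false)
  importer.import(e, 'Administrator')
  importer.import(e, 'Teacher')
  [e.staff_type, ExplicitGrantAuthorizer.new.schoolwide_access?(e)]
end
```

drift_in_derived_model returns ['Teacher', true]: the educator is no longer an administrator in the SIS, yet the flag computed on first import still grants schoolwide access. no_drift_in_explicit_model returns ['Teacher', false], and widening access requires a call to grant_schoolwide_access! by a project lead, which is the explicit step the PR describes.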