You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
For restricted notes, right now they only appear in a separate page. We'd like to move them inline so that the presence of a restricted note (but not the substance) is more visible, and to make less friction for folks writing a note to tag is as "restricted."
Here's some work to migrate to inline restricted notes. Since there are so many exposure points, the overall strategy is to:
refactor to use the same mechanism as the profile (redacted, click to see content and possibly edit).
d. Homeroom page
This doesn't include restricted notes (event_notes_without_restricted) so this is safe but will appear mismatched to folks clicking into the profile.
update to include presence of restricted notes
e. Section page
This doesn't include restricted notes (event_notes_without_restricted) so this is safe but will appear mismatched to folks clicking into the profile
update to include presence of restricted notes
f. Home page, feed
The Home page feed does not show restricted notes. We could update this to show the presence (or allow viewing/editing inline with access).
show presence in feed. This might involve some UI unification, since the display of notes in the Feed and the Profile use different components.
g. Home page, insights boxes
InsightStudentsWithHighAbsences and InsightStudentsWithLowGrades both exclude restricted notes in their query, but with this change, they should include them (and continue not sending any content).
update InsightStudentsWithHighAbsences
update InsightStudentsWithLowGrades
h. PDF export
The PDF export never includes restricted notes, even if the user has access to see them. We could update but not a priority.
update PDF export to show presence of restricted note (but not content)
i. School roster
The school roster includes restricted notes, but strips out the content even if the user has access to see it. This is what we'd like to do in the Homeroom and Section page. Nothing to do here.
j. Absences, Tardies, Discipline dashboards
These already include restricted notes, but don't send any content down. Nothing to do here.
k. Profile v3, full case history
This is overhead, since it's a different set of rendering code than in the feed or profile.
update to show message and work similarly to profile notes or feed
l. Tiering
It doesn't include restricted notes. We should update this if we move forward with this, but not a priority.
update to include presence of restricted notes, but no content
Other details or questions
Does EventNoteRevision leak text as well? Yep. We can fix this by removing it from the controller/UI altogether. And add another layer by guarding #as_json on the model. Ideally we'd remove the parallel tables but not now.
What about attachments? Yep, this would leak. But there are no usages of this, and there's another layer of authorization for URL itself (eg, in Drive), so going to punt this to later (alternately could remove attachments altogether since it's not doing more than just a plain URL in the text).
tighten up restricted attachments (or remove feature)
add attachments to <RestrictedNotesPresence /> when viewing (or remove feature)
What about existing endpoints for interacting with event notes? Yep, these don't enforce authorization rules and could conceivably allow someone without access to create a restricted note (but not gain access or change the status of a note).
Part of #1990.
Scope
Notes can influence a few different places:
Approach
For restricted notes, right now they only appear in a separate page. We'd like to move them inline so that the presence of a restricted note (but not the substance) is more visible, and to make less friction for folks writing a note to tag is as "restricted."
Here's some work to migrate to inline restricted notes. Since there are so many exposure points, the overall strategy is to:
EventNote#as_json
) (Profile v3: First set of work for presence of restricted notes inline #1999)event_note_revisions
from endpoints) (Profile v3: First set of work for presence of restricted notes inline #1999)Particular places within the product
a. Profile v3, notes
Aiming to make the minimal changes here:
b. Profile v2
c. My notes
To start, this will continue to only show restricted notes that the current user has written and they'll be readonly.
d. Homeroom page
This doesn't include restricted notes (
event_notes_without_restricted
) so this is safe but will appear mismatched to folks clicking into the profile.e. Section page
This doesn't include restricted notes (
event_notes_without_restricted
) so this is safe but will appear mismatched to folks clicking into the profilef. Home page, feed
The Home page feed does not show restricted notes. We could update this to show the presence (or allow viewing/editing inline with access).
g. Home page, insights boxes
InsightStudentsWithHighAbsences
andInsightStudentsWithLowGrades
both exclude restricted notes in their query, but with this change, they should include them (and continue not sending any content).InsightStudentsWithHighAbsences
InsightStudentsWithLowGrades
h. PDF export
The PDF export never includes restricted notes, even if the user has access to see them. We could update but not a priority.
i. School roster
The school roster includes restricted notes, but strips out the content even if the user has access to see it. This is what we'd like to do in the Homeroom and Section page. Nothing to do here.
j. Absences, Tardies, Discipline dashboards
These already include restricted notes, but don't send any content down. Nothing to do here.
k. Profile v3, full case history
This is overhead, since it's a different set of rendering code than in the feed or profile.
<redacted>
text (Profile v3: First set of work for presence of restricted notes inline #1999)l. Tiering
It doesn't include restricted notes. We should update this if we move forward with this, but not a priority.
Other details or questions
Does
EventNoteRevision
leak text as well? Yep. We can fix this by removing it from the controller/UI altogether. And add another layer by guarding#as_json
on the model. Ideally we'd remove the parallel tables but not now.What about
TransitionNotes
? Going to punt that to a separate pass.TransitionNotes
(Profile v3: Show restricted transition notes in profile page notes when access #2008)What about attachments? Yep, this would leak. But there are no usages of this, and there's another layer of authorization for URL itself (eg, in Drive), so going to punt this to later (alternately could remove attachments altogether since it's not doing more than just a plain URL in the text).
<RestrictedNotesPresence />
when viewing (or remove feature)What about existing endpoints for interacting with event notes? Yep, these don't enforce authorization rules and could conceivably allow someone without access to create a restricted note (but not gain access or change the status of a note).
event_notes_controller
endpoints (Profile v3: First set of work for presence of restricted notes inline #1999)The text was updated successfully, but these errors were encountered: