teachers need a way to access student view of their students, see student logon and reset password

Bug #335631 reported by David Welsh
Affects: CanDo | Importance: High | Assigned to: Douglas Cerna
Affects: SchoolTool | Importance: Undecided | Assigned to: Tom Hoffman

Bug Description

Teachers now have no way to see the demographic information of their own students, including seeing their students' logons, and resetting their passwords. This is important for when teachers are trying to help students log onto CanDo.

David Welsh (rdavidw)
Changed in cando:
assignee: nobody → replaceafill
importance: Undecided → High
status: New → Triaged
Jason Straw (jasonstraw) wrote :

This is a SchoolTool issue.

SchoolTool does not allow Teachers to see information about students. This is up to Tom Hoffman to decide on with the dev team.

Changed in cando:
status: Triaged → Invalid
Changed in schooltool:
assignee: nobody → tom-hoffman
Tom Hoffman (tom-hoffman) wrote :

I don't mind teachers being able to see the demographic and contact data of members of their sections, in fact they should be able to. However, allowing teachers to change the passwords of members of their sections opens up too many attack vectors. Perhaps some kind of power user group can be created or something to give some teachers elevated permissions to change passwords.

Changed in schooltool:
status: New → Won't Fix
David Welsh (rdavidw) wrote : Re: [Bug 335631] Re: teachers need a way to access student view of their students, see student logon and reset password

Tom, we need to think this through from both security and user perspectives.

Q: What does an instructor do when a student cannot log on due to password
failure?

Is the answer now that neither they nor the student have any immediate way
to fix this problem, and they need to contact the SchoolTool manager and
wait for a password reset?

Can we do any better than this (i.e. use email to reset and resend a
password???).

I mean, think about it, the security model is not working that well now:
Currently, we're using generic passwords such as "schooltool", "teacher",
"student" and "admin". All you have to do to break into most any CanDo
instance is just find a user that has not changed from the generic password,
something not even Lee Capps has done with the Virginia instances.

So, in essence, our "won't fix" approach is hanging up the users to protect
a non-working security model. Not OUR best vector of attack, if you ask me.

--David Welsh

On Tue, Mar 17, 2009 at 9:55 PM, Tom Hoffman <email address hidden> wrote:

> I don't mind teachers being able to see the demographic and contact data
> of members of their sections, in fact they should be able to. However,
> allowing teachers to change the passwords of members of their sections
> opens up too many attack vectors. Perhaps some kind of power user group
> can be created or something to give some teachers elevated permissions
> to change passwords.

Jason Straw (jasonstraw) wrote :

I agree with Tom about this.

Students are required to remember their passwords, and if they forget them, they need to request a password change from their Technologist or Administrator. The Security Model works, the password rules need to be tightened so schooltool/teacher/student/admin aren't valid passwords.

Email to reset/send a password is a nice long term goal, but it isn't something that should be a focus of development pre-1.0. There are almost no institutional systems that should allow this. (BlackBoard has an option, but Arlington keeps it *off*)

Finally, it is not SchoolTool's fault that people can't change passwords. Every system administrator should know that step 1 of every system is looking for and changing every default password.
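
The "power user group" idea and the tighter password rules raised in the comments above can be expressed as one scoped check. The following Python is an added example, not SchoolTool or CanDo code; the data model, the group name `password-resetters`, and the minimum length are assumptions made for illustration.

```python
# Added illustration; every name below is hypothetical, not SchoolTool's API.
import secrets
from dataclasses import dataclass, field

# Generic passwords named in this thread.
DEFAULT_PASSWORDS = {"schooltool", "teacher", "student", "admin"}
MIN_LENGTH = 10                      # assumed policy value
RESET_GROUP = "password-resetters"   # assumed name for the "power user" group

@dataclass
class User:
    username: str
    role: str                        # "student", "teacher" or "manager"
    groups: set = field(default_factory=set)
    must_change_password: bool = False

def password_allowed(username, password):
    """Reject the generic passwords, the account's own username, and short values."""
    lowered = password.strip().lower()
    if lowered in DEFAULT_PASSWORDS or lowered == username.lower():
        return False
    return len(password) >= MIN_LENGTH

def may_reset(actor, target, sections):
    """sections maps section name -> (instructor usernames, member usernames)."""
    if actor.role == "manager":
        return True
    if actor.role != "teacher" or RESET_GROUP not in actor.groups:
        return False
    if target.role != "student":     # never staff or manager accounts
        return False
    return any(actor.username in instructors and target.username in members
               for instructors, members in sections.values())

def reset_password(actor, target, sections, audit_log):
    """Issue a one-time password; the student must replace it at next login."""
    allowed = may_reset(actor, target, sections)
    audit_log.append((actor.username, target.username, "reset", allowed))
    if not allowed:
        raise PermissionError(f"{actor.username} may not reset {target.username}")
    target.must_change_password = True
    return secrets.token_urlsafe(12)  # caller stores only a salted hash of this

if __name__ == "__main__":
    sections = {"Algebra 1": ({"msmith"}, {"jdoe"})}   # constructed sample data
    teacher = User("msmith", "teacher", {RESET_GROUP})
    student = User("jdoe", "student")
    log = []
    print(len(reset_password(teacher, student, sections, log)), log)
```

Every attempt, allowed or denied, lands in the audit log, so a manager can review which teachers reset which accounts.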

Tom Hoffman (tom-hoffman) wrote :

We're not going to fix the bug as described in the original report. We can discuss other options and file a new bug later once we've reached a consensus.

David Welsh (rdavidw) wrote :

Jason, we should do our research on Blackboard. You are being non-rigorous
here. The only reason it's *off* is that I tipped you off that the option
even existed, and you had it turned off. That's a data point of one (Jason
Straw). Let's ask the Blackboard reps. what they are doing and what their
schools in general are doing. This way, we can go in with some informed
ideas (and not just our own predilections/prejudices).

--David Welsh

On Wed, Apr 8, 2009 at 8:51 AM, Jason Straw <email address hidden> wrote:

> I agree with Tom about this.
>
> Students are required to remember their passwords, and if they forget
> them, they need to request a password change from their Technologist or
> Administrator. The Security Model works, the password rules need to be
> tightened so schooltool/teacher/student/admin aren't valid passwords.
>
> Email to reset/send a password is a nice long term goal, but it isn't
> something that should be a focus of development pre-1.0. There are
> almost no institutional systems that should allow this. (BlackBoard has
> an option, but Arlington keeps it *off*)
>
> Finally, it is not SchoolTool's fault that people can't change
> passwords. Every system administrator should know that step 1 of every
> system is looking for and changing every default password.

David Welsh (rdavidw) wrote :

Yes. Agreed. We'll need to talk (theoretical) security model vs.
(real-world) user needs. Obviously, I'll hold down the user-needs end of
the argument:)

--David Welsh

On Wed, Apr 8, 2009 at 8:51 AM, Tom Hoffman <email address hidden> wrote:

> We're not going to fix the bug as described in the original report. We
> can discuss other options and file a new bug later once we've reached a
> consensus.
