devilry.devilry_search — Search for Devilry
This app provides a search API for Devilry.
How we handle object level permissions
We maintain a list of
admin_ids on Node, Subject, Period, Assignment and AssignmentGroup. On
AssignmentGroup, we also maintain a list of
student_ids. When we perform
a search, we filter on these ids (the requesting user must be in an id-list). I.E:
When we search for assignments, we first filter on
admin_ids=request.user.id, then we perform the search.
Protection of anonymous data
We do not include any sensitive data in the main search index:
No student names on anonymous assignments — Examiners should not be able to search for these because they are only supposed to know the candidate ID.
No examiner names on anonymous assignments — Students should not be able to know who their examiner is.
Tags — Only examiners and admins are supposted to see tags.
This is handled in the
devilry.apps.core.search_indexes.AssignmentGroupIndex, and the exclusions
is handled by the text-template in the
We include the excluded data in their own fields in
candidates, may be used to search for
the excluded terms.
We do not currently use the excluded fields mentioned in the previous section in the search API. This means that it is:
not possible to search for AssignmentGroups by username or examiner on anonymous assignments.
not possible to search for AssignmentGroups by tags.