Improvements to the Limited Staff role experience #361

Open
jmakowski1123 opened this issue Jun 7, 2024 · 27 comments

jmakowski1123 commented Jun 7, 2024

The Limited Staff role needs some improvements to the user experience.

Currently, when a user with the Limited Staff role lands on a Studio Page in the new course-authoring MFE, they are blocked by a 403 error message, which contains JSON fields and is difficult to interpret. Minimally, the messaging could be improved to explain that the user is not granted access to Studio.

An enhancement can be made in the Studio experience such that users with this role do not see the "View this course in Studio" button. This will greatly reduce the chance of users trying to access parts of the platform that they don't have access to.

github-actions bot commented Jun 7, 2024

Thanks for your submission, @openedx/open-edx-project-managers will review shortly.

@jmakowski1123 jmakowski1123 moved this to [Prod Proposals] NEW in Open edX Roadmap Jun 7, 2024
@jmakowski1123
Author

@arbrandes @brian-smith-tcril Could you please add any technical requirements you'd like to see here?

@brian-smith-tcril

In order to be able to fully test the Limited Staff role UX, I'd want to know:

  • What pages are not accessible by Limited Staff?
    • If a Limited Staff user navigates directly to those pages (by entering a URL), what should they see?
      • Should they see the same thing on every page they cannot access?
      • Should they see the same thing as other roles that cannot access those pages?
  • What UI elements on pages Limited Staff can access exist that navigate to pages Limited Staff cannot access?
    • Are they currently visible by limited staff?
    • Should they be hidden/disabled?

Answers to the previous questions would help inform my thoughts on this from a technical implementation perspective:

  • If Limited Staff should see the same thing on every page they cannot access, and they should see the same thing as other roles that cannot access those pages, can we make a generic "you lack permission to see this page" page?
  • If all UI elements that navigate to pages Limited Staff cannot access should be hidden/disabled, and the same is true for any other role that cannot access a page, can we write generic "hide/disable based on role" logic to wrap navigation elements in?

@jmakowski1123
Author

Limited Staff should not have access to any of the Studio pages in the course-authoring MFE.
In the LMS, Limited Staff have the same permissions as Course Staff.
Limited Staff should not see the button to "view this course in Studio" from the LMS. This will reduce chances for Limited Staff to land on Studio pages.
If Limited Staff land on a Studio page via a URL, they should see a message indicating they do not have access to the page. This message can be the same for any Studio URL.

@0x29a as the contributing author for this role, is there anything you'd add here? openedx/edx-platform#32570

0x29a commented Jun 11, 2024

> as the contributing author for this role, is there anything you'd add here?

No, @jmakowski1123, this description is correct. cc @Agrendalath

itsjeyd commented Sep 7, 2024

@jmakowski1123 It looks like the following PRs are providing a partial implementation of this proposal:

Could you please have a look at those and let us know what the next steps are from the product perspective?

CC @mphilbrick211

itsjeyd commented Sep 20, 2024

@jmakowski1123 Could you please have a look at the comment above and let us know how to proceed?

(Happy to ping someone else from the product working group if you'd prefer. Let me know.)

ali-hugo commented Oct 16, 2024

@itsjeyd I stand to be corrected, but I don't think that #1436: hide studio button for limited staff would need additional product review considering @jmakowski1123 has already "approved" this change simply by creating the current issue:

> An enhancement can be made in the Studio experience such that users with this role do not see the "View this course in Studio" button. This will greatly reduce the chance of users trying to access parts of the platform that they don't have access to.

However, something that would need product input is the messaging described in the following comment, but I imagine this would be covered in a separate issue.

> If Limited Staff land on a Studio page via a URL, they should see a message indicating they do not have access to the page. This message can be the same for any Studio URL.

Let me know if there's anything I can do to help move this along.

itsjeyd commented Oct 17, 2024

@ali-hugo That's helpful input, thank you!

@0x29a Can you confirm that openedx/frontend-app-learning#1436 and openedx/edx-platform#35313 address this need:

> An enhancement can be made in the Studio experience such that users with this role do not see the "View this course in Studio" button. This will greatly reduce the chance of users trying to access parts of the platform that they don't have access to.

... and nothing else?

0x29a commented Oct 18, 2024

@itsjeyd, can confirm. These two PRs just remove the button in question for Limited Staff and do nothing else.

@crathbun428 crathbun428 moved this from [Prod Proposals] NEW to [Prod Proposals] In Review in Open edX Roadmap Oct 22, 2024
@ali-hugo ali-hugo self-assigned this Oct 22, 2024
@ali-hugo

@0x29a @itsjeyd It was just confirmed in the Core Product Working Group meeting that openedx/frontend-app-learning#1436 and openedx/edx-platform#35313 can be merged! 🚀

We'll keep the current ticket (#361) open to work on improving the user experience when someone visits a Studio page to which they don't have access. We need a more user-friendly solution than the 403 error that is currently shown. @0x29a, could you please send a screenshot of the 403 message so I can take a look?

itsjeyd commented Oct 24, 2024

Thanks @ali-hugo! I added the product review complete label to both PRs and marked them as ready for (engineering) review.

Regarding the 403 message, do we have an internal ticket for working on that? We can't add it to the scope of the ticket that prompted the creation of openedx/frontend-app-learning#1436 and openedx/edx-platform#35313 at this time.

CC @0x29a @mphilbrick211

@ali-hugo

> Regarding the 403 message, do we have an internal ticket for working on that?

@itsjeyd Not yet. I am out of hours for this month, so will only be able to work on this next month. I will create an internal ticket then.

0x29a commented Oct 24, 2024

@ali-hugo, here it is:
image

@ali-hugo

@0x29a Thank you!

itsjeyd commented Oct 29, 2024

@ali-hugo

> > Regarding the 403 message, do we have an internal ticket for working on that?
>
> Not yet. I am out of hours for this month, so will only be able to work on this next month. I will create an internal ticket then.

Sounds good.

@0x29a If you end up spending more time helping out here, please log that time on the ticket that Ali's going to create. Since the 403 message is out of scope for the original ticket, we can't use that ticket to log time spent on the 403 message.

@ali-hugo

@jmakowski1123 @0x29a I've been thinking about how to improve the 403 messaging when someone with the Limited Staff role visits a Studio URL. Please let me know what you think of the two options below:

Option 1:
Studio 403 - Option 1

Option 2:
Studio 403 - Option 2

You'll notice that I've included a "back to safety" link to the LMS (since the Limited Staff user doesn't have access to any Studio pages). For other types of users, I imagine it would be more helpful to link them to the Studio Home. Is it too complicated to show different 403's for different user types?

Thanks for your help!

Contributor

sarina commented Nov 5, 2024

#2 is better in my opinion; it's a more standard message.

@ali-hugo

@sarina Thanks for the feedback!

What do you think about displaying different messages for users with different permissions?:

> You'll notice that I've included a "back to safety" link to the LMS (since the Limited Staff user doesn't have access to any Studio pages). For other types of users, I imagine it would be more helpful to link them to the Studio Home. Is it too complicated to show different 403's for different user types?

Contributor

sarina commented Nov 11, 2024

I think it may be too complicated to display different error messages, but that's a technical detail that is worth asking the implementation team because it's a good idea.

@ali-hugo

@0x29a We've decided to go with the following for the 403 message:

Here's the text for easy copy pasting:

Access Restricted
It looks like you’re trying to access a page you don’t have permission to view. Contact your admin if you think this is a mistake, or head back to the LMS.

QUESTION
Do you think it would be feasible to show different error messages for different user types? For example, Limited Staff users, who don’t have access to any Studio pages, could see a message guiding them back to the LMS. Meanwhile, users who do have Studio access could be directed to the Studio Home page. What do you think?

0x29a commented Nov 21, 2024

> Do you think it would be feasible to show different error messages for different user types?

@ali-hugo, given how the Limited Staff role and other Staff-derived roles are implemented currently, and the permissions situation in the platform in general, I'd say it's better to stick to a simpler option. Just not to build on top of something we're going to refactor (hopefully soon). So if it's acceptable from the UI viewpoint, let's show the same message to all users.

Contributor

sarina commented Nov 21, 2024

I agree with one message!

@ali-hugo

@0x29a That makes sense; let's go with a single message shown to all users:

Access Restricted
It looks like you’re trying to access a page you don’t have permission to view. Contact your admin if you think this is a mistake, or head back to the LMS.

"LMS" should be a link.

Thanks for your work on this!

@ali-hugo

@farhaanbukhsh Thanks for offering to add the new 403 message!

@ali-hugo ali-hugo moved this from [Prod Proposals] In Review to Being Developed in Open edX Roadmap Dec 3, 2024
@ali-hugo ali-hugo added the product review complete PR has gone through product review label Dec 3, 2024
@farhaanbukhsh
Member

@ali-hugo

> @farhaanbukhsh Thanks for offering to add the new 403 message!

openedx/frontend-app-authoring#1569

The PR above takes a stab at the implementation and is up for review.

@farhaanbukhsh
Member

@ali-hugo this is merged now 😄 🎉
