SAK-51713 Samigo instructors should see all student submissions when a assessment is published to the entire site

[st-manu]

https://sakaiproject.atlassian.net/browse/SAK-51713
sakai-reference: sakaiproject/sakai-reference#278

Summary by CodeRabbit

• New Features
  • Added granular assessment management permissions including group access control, editing, grading, and publishing capabilities.
  • Enhanced authorization framework with new calendar function options for instructors and administrators.
  • Extended permission controls across multiple site template and role configurations.

[coderabbitai]

Walkthrough

This pull request expands assessment authorization functionality by adding new realm functions for assessment permissions and calendar options across database systems, introduces a new authorization constant, and modifies the evaluation bean to handle privileged multi-group access within the assessment system.

Changes

Cohort / File(s)	Summary
Assessment realm function definitions kernel/kernel-impl/src/main/sql/mysql/sakai_realm.sql, kernel/kernel-impl/src/main/sql/oracle/sakai_realm.sql	Added new assessment-related functions (e.g., assessment.all.groups, assessment.editAssessment.*, assessment.gradeAssessment.*, assessment.submitAssessmentForGrade, assessment.takeAssessment) and calendar.options to SAKAI_REALM_FUNCTION table. Configured realm-function mappings for !site.template and !site.template.course realms with roles including maintain, Instructor, and Student.
Authorization constant addition samigo/samigo-api/src/java/org/sakaiproject/samigo/util/SamigoConstants.java	Added public static final constant AUTHZ_ASSESSMENT_ALL_GROUPS with value "assessment.all.groups" for authorization checks.
Evaluation bean privilege handling samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/bean/evaluation/TotalScoresBean.java	Added imports for SamigoConstants and PersistenceService. Introduced hasAllGroupsPrivilege check to conditionally retrieve enrollments without group filtering when user has all-groups authorization; otherwise uses previous all-group-release behavior. Modified enrollment retrieval logic in getEnrollmentListForSelectedSections method.

Suggested reviewers

• jesusmmp
• ottenhoff

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding support for instructors to see all student submissions when an assessment is published to the entire site.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/bean/evaluation/TotalScoresBean.java (1)

926-931: Consider caching the privilege check result.

The privilege check is performed on every call to getEnrollmentListForSelectedSections, which may be invoked multiple times during histogram generation, exports, and score calculations. Since site-level permissions don't change during a user session, consider caching the result as an instance variable.

Example refactor:

+  private Boolean hasAllGroupsPrivilegeCache = null;
+
   private List getEnrollmentListForSelectedSections(int calledFrom, String siteId) {
     List enrollments;
     
-    // Check if current user has privilege to assess all groups - if so, they should see all student submissions regardless of group restrictions
-    boolean hasAllGroupsPrivilege = PersistenceService.getInstance()
-        .getAuthzQueriesFacade()
-        .hasPrivilege(SamigoConstants.AUTHZ_ASSESSMENT_ALL_GROUPS, siteId);
+    // Check if current user has privilege to assess all groups - if so, they should see all student submissions regardless of group restrictions
+    if (hasAllGroupsPrivilegeCache == null) {
+        hasAllGroupsPrivilegeCache = PersistenceService.getInstance()
+            .getAuthzQueriesFacade()
+            .hasPrivilege(SamigoConstants.AUTHZ_ASSESSMENT_ALL_GROUPS, siteId);
+    }
+    boolean hasAllGroupsPrivilege = hasAllGroupsPrivilegeCache;

Note: Ensure the cache is cleared in resetFields() or when the assessment context changes.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7939e9f and 2acaf61.

📒 Files selected for processing (4)

• kernel/kernel-impl/src/main/sql/mysql/sakai_realm.sql (3 hunks)
• kernel/kernel-impl/src/main/sql/oracle/sakai_realm.sql (3 hunks)
• samigo/samigo-api/src/java/org/sakaiproject/samigo/util/SamigoConstants.java (1 hunks)
• samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/bean/evaluation/TotalScoresBean.java (3 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: ottenhoff
Repo: sakaiproject/sakai PR: 0
File: :0-0
Timestamp: 2025-10-07T15:11:27.298Z
Learning: In samigo’s Total Scores view (samigo/samigo-app/src/webapp/jsf/evaluation/totalScores.jsp), mailto links were hidden after commit dee05746 (PR #12312, SAK-49674) added a render check requiring email.fromEmailAddress to be non-empty; PR #14154 (SAK-52058) restores visibility by checking only description.email.

📚 Learning: 2025-10-07T15:11:27.298Z

Learnt from: ottenhoff
Repo: sakaiproject/sakai PR: 0
File: :0-0
Timestamp: 2025-10-07T15:11:27.298Z
Learning: In samigo’s Total Scores view (samigo/samigo-app/src/webapp/jsf/evaluation/totalScores.jsp), mailto links were hidden after commit dee05746 (PR #12312, SAK-49674) added a render check requiring email.fromEmailAddress to be non-empty; PR #14154 (SAK-52058) restores visibility by checking only description.email.

Applied to files:

• samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/bean/evaluation/TotalScoresBean.java

🧬 Code graph analysis (1)

samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/bean/evaluation/TotalScoresBean.java (1)

samigo/samigo-api/src/java/org/sakaiproject/samigo/util/SamigoConstants.java (1)

• SamigoConstants (28-213)

⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: maven-build
• GitHub Check: sakai-deploy
• GitHub Check: maven-build

🔇 Additional comments (6)

kernel/kernel-impl/src/main/sql/oracle/sakai_realm.sql (3)

747-747: Grant to maintain on !site.template — LGTM.

Matches existing practice (e.g., 'asn.all.groups', 'calendar.all.groups'). No further changes needed here.

---

916-916: Code change verified and approved — LTI propagation confirmed.

The LTI copy mechanism (Oracle lines 1807-1808) confirms that all Instructor functions from !site.template.course — including the new assessment.all.groups grant — automatically flow into !site.template.lti Instructor and ContentDeveloper roles. Assessment function pruning in LTI is Mentor-only (lines 1822), leaving Instructor/ContentDeveloper unaffected. No duplicate inserts detected.

---

313-313: New realm function 'assessment.all.groups' verified across Oracle and MySQL with proper role mappings.

Cross-database parity confirmed:

• Oracle and MySQL base DDL both include the function insertion and identical role mappings (maintain on !site.template, Instructor on !site.template.course).
• SamigoConstants.java line 152 defines AUTHZ_ASSESSMENT_ALL_GROUPS and is actively used in TotalScoresBean line 930.
• No kernel-specific upgrade scripts exist (standard for Sakai core schema changes; realm adjustments for existing sites are typically manual or bundled with release).

samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/bean/evaluation/TotalScoresBean.java (2)

73-75: LGTM! Imports support the new privilege check.

The added imports for SamigoConstants and PersistenceService are necessary for implementing the all-groups privilege check and are correctly placed.

---

946-951: LGTM! Code correctly implements the privilege scope.

The conditional enrollment logic correctly implements the new privilege:

• When users have all-groups privilege and select "All Sections," they see all enrollments without group filtering via getAvailableEnrollments(false, siteId).
• When users lack the privilege, the existing group-release behavior is preserved via getAllGroupsReleaseEnrollments(siteId).

The privilege scope is intentionally limited to the "All Sections" path (lines 946-951) and does not apply to the "Released Sections/Groups" path (line 954). This is correct: when instructors explicitly select "Released Sections/Groups," they expect group filtering regardless of their privileges.

samigo/samigo-api/src/java/org/sakaiproject/samigo/util/SamigoConstants.java (1)

152-152: SQL realm function mappings verified across MySQL and Oracle.

The new authorization constant AUTHZ_ASSESSMENT_ALL_GROUPS is correctly defined in SamigoConstants.java and the corresponding SQL migration scripts properly introduce and map this function:

• kernel/kernel-impl/src/main/sql/mysql/sakai_realm.sql and Oracle equivalent insert the function and map it to both 'maintain' (for !site.template realm) and 'Instructor' (for !site.template.course realm)
• Consistent implementation across both database dialects

[st-manu]

sakaiproject/sakai-reference#278