Current: any user who has been granted instructor role, either by admin via account request or by other instructor e.g. as course manager/observer/tutor, can freely create courses for themselves.
Problem: it allows dishonest usage of course creation. Unlike the course co-owner whose account request has been screened for this purpose, manager/observer/tutor are unlikely intended to have this kind of wide privilege.
Solution:
Course creation should be restricted to users who requested accounts. This field should be persisted in the Account entity. Update: course creation is restricted to users who are already co-owner of some other course in the same institute.- If an existing instructor requires the said permission, s/he must go through the formal account request process.
For backward compatibility of existing instructors, they will be granted course creation permission only if they are already a co-owner in any existing course.
Current: any user who has been granted instructor role, either by admin via account request or by other instructor e.g. as course manager/observer/tutor, can freely create courses for themselves.
Problem: it allows dishonest usage of course creation. Unlike the course co-owner whose account request has been screened for this purpose, manager/observer/tutor are unlikely intended to have this kind of wide privilege.
Solution:
Course creation should be restricted to users who requested accounts. This field should be persisted in theUpdate: course creation is restricted to users who are already co-owner of some other course in the same institute.Accountentity.For backward compatibility of existing instructors, they will be granted course creation permission only if they are already a co-owner in any existing course.