Beitreten zur OpenOlat Gruppe und Frage zur REST API

99 views
Skip to first unread message

Julius Schmalz

unread,
Jul 26, 2017, 9:29:28 AM7/26/17
to open...@googlegroups.com
Hallo,

ich würde gerne der OpenOlat Gruppe beitreten, um eine Frage zur RestApi zu stellen:

Ich bin als Autor beim OLAT der Uni Kiel registriert und möchte über die Api mehrere Benutzer einem Kurs hinzufügen, wenn der Username (login) bekannt ist. Desweiteren sollen die Benutzer in Gruppen eingeteilt werden.

Versucht habe ich ein GET auf BaseURI/restapi/users?login=name um die UserID zu erhalten. Ich bekomme aber leider 401 als HTTP-Status. Andere Abfragen wie BaseURI/repo/courses/<CourseID>/tutors funktionieren hingegen. Auch das Hinzufügen eines Users zu einem Kurs funktioniert, wenn ich die UserID händisch über die OLAT GUI suche. Die Suche ist also generell freigeschaltet für mich, aber nicht über die API.?

Laut Administrator sollte alles zugänglich sein. Kann es trotzdem sein, dass mir der Zugang verwehrt wird bzw was muss wo aktiviert werden, damit diese Abfrage möglich wird? Oder was mache ich falsch?

Vielen Dank im Voraus und
mit freundlichen Grüßen
Julius Schmalz

Florian Gnägi

unread,
Jul 26, 2017, 11:29:43 AM7/26/17
to open...@googlegroups.com
Hi Julius

I’m switching to english as the mailinglist is in english. 

The REST request looks ok, however this is limited to user with user management or system administration roles. Normal users or course authors can not lookup users via REST API even though they can do it in the web GUI. Note, the REST API does not expose the exact same features as in the web GUI. Since you can do a lot of things a lot faster than in the web GUI we are a lot more restrictive on who is allowed to perform tasks via REST API. 

The reasoning is that we do not want to give people a programatic way to generate address lists containing sensitive data such as email addresses. You might be able to do the same via web GUI, however there it is a lot more cumbersome to do and it is not possible to automate it. The basic reason behind this is to be restrictive due to data privacy concerns. 

Of course this could be modified to also give authors the rights to lookup users in the system, but we first need to agree that there are enough reasons to lower the security checks on the REST API in this regard. 

Cheers
Florian

--
--
Sie erhalten diese Nachricht, weil Sie Mitglied sind von Google
Groups-Gruppe "OpenOLAT".
Für das Erstellen von Beiträgen in dieser Gruppe senden Sie eine E-Mail
an open...@googlegroups.com
Um sich von dieser Gruppe abzumelden, senden Sie eine E-Mail an
openolat+u...@googlegroups.com
Weitere Optionen finden Sie in dieser Gruppe unter
http://groups.google.com/group/openolat?hl=de
-------------------------------------------------------------------------------------------------------------------
OpenOLAT - infinite learning - http://www.openolat.org

---
You received this message because you are subscribed to the Google Groups "OpenOLAT" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openolat+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--------------------------------------------------------------------
professional services for the e-learning system OpenOLAT
hosting - operating - support - development - mobile - consulting
--------------------------------------------------------------------
frentix  GmbH
Florian Gnägi, Geschäftsführer
Hardturmstrasse 76
CH-8005 Zürich, Switzerland


Find me on skype  twitter xing linkedin 
--------------------------------------------------------------------


Stephan Clemenz

unread,
Jul 27, 2017, 6:45:52 AM7/27/17
to open...@googlegroups.com

Hi Florian,

an improvement on CourseWebService.addParticipant could be:

 

Identity participant = securityManager.loadIdentityByKey(identityKey, false);

if (participant == null)

participant = securityManager.findIdentityByName(identityKey);

 

This doesn't work from the scratch because parameter identityKey is Long, but has to be changed to String. Don't know if this can be done without any side effects ;-)

It can be copied also to addAuthor() and addTutor().

 

What do you think about it?

 

Cheers, Stephan

> --------------------------------------------------------------------

> professional services for the e-learning system OpenOLAT

> hosting - operating - support - development - mobile - consulting

> --------------------------------------------------------------------

>

> frentix GmbH

> Florian Gnägi, Geschäftsführer

> Hardturmstrasse 76

> CH-8005 Zürich, Switzerland

>

> tel://+41-43-544-9000 <tel://+41-43-544-9000>

> dir://+41-43-544-9001 <dir://+41-43-544-9001>

> fax://+41-43-544-9009 <fax://+41-43-544-9009>

>

> Find me on skype <skype:gnaegi> twitter <http://twitter.com/gnaegi> xing

> <https://www.xing.com/profile/Florian_Gnaegi> linkedin

> <https://ch.linkedin.com/in/florian-gnaegi-4026231>

> --------------------------------------------------------------------

>

>

>

> <http://www.frentix.com/news/>

> <http://www.frentix.com/news/>
--

 

Dr. Stephan Clemenz

Virtueller Campus Rheinland-Pfalz

Postfach 3049

67653 Kaiserslautern

Tel: 0631/205-4946

Florian Gnägi

unread,
Jul 27, 2017, 2:05:47 PM7/27/17
to open...@googlegroups.com
Hi Stephan

I thought about this as well, but we have to make it explicit. We have clients where the usernames are more like identifiers and actually is a number, in that case the system can not tell the difference. We need another method there. 

I’ll talk with Stéphane next week about this. 

Chers
Florian


-- 
-- 
Sie erhalten diese Nachricht, weil Sie Mitglied sind von Google
Groups-Gruppe "OpenOLAT".
Für das Erstellen von Beiträgen in dieser Gruppe senden Sie eine E-Mail
an open...@googlegroups.com
Um sich von dieser Gruppe abzumelden, senden Sie eine E-Mail an
openolat+u...@googlegroups.com
Weitere Optionen finden Sie in dieser Gruppe unter
http://groups.google.com/group/openolat?hl=de
-------------------------------------------------------------------------------------------------------------------
OpenOLAT - infinite learning - http://www.openolat.org

--- 
You received this message because you are subscribed to the Google Groups "OpenOLAT" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openolat+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--------------------------------------------------------------------
professional services for the e-learning system OpenOLAT
hosting - operating - support - development - mobile - consulting
--------------------------------------------------------------------
frentix  GmbH
Florian Gnägi, Geschäftsführer
Hardturmstrasse 76
CH-8005 Zürich, Switzerland

Find me on skype  twitter xing linkedin 
--------------------------------------------------------------------


Florian Gnägi

unread,
Jul 31, 2017, 7:41:49 AM7/31/17
to open...@googlegroups.com
Followup: we decided to allow authors to use the users lookup service. It makes no sense to allow authors to add participants if they can not lookup the users in the first place. 

Thanks for bringing this to our attention. You can follow the issue here: https://jira.openolat.org/browse/OO-2937 The changes are part of the upcoming OpenOLAT 12 release. 

Cheers
Florian

jus...@gmail.com

unread,
Aug 4, 2017, 5:35:06 AM8/4/17
to OpenOLAT
Hi Florian,

thanks for the quick fix of this issue! Now I have to wait until the system is upgraded ;)

I have one more question regarding the process of creating and adding a group to a course: I tried to create the group using
http://localhost:8080/olat/restapi/groups by sending (PUT) the following JSON string: {"description":"Test","externalId":'null',"managedFlags":'null',"name":"TestGroup","minParticipants":'null',"maxParticipants":'null'}

I'm getting 200 as a http response but I can't find the group afterwards. Is there something more that has to be done? I would have expected to get the group key as a response of the PUT method.

Best regards,
Julius

Urs Hensler

unread,
Aug 7, 2017, 4:23:38 AM8/7/17
to open...@googlegroups.com
Hi Julius 

You should not set apostrophes around the nulls in your JSON. With the following JSON the group should be created.
{"description":"Test","externalId":null,"managedFlags":null,"name":"TestGroup","minParticipants":null,"maxParticipants":null}
I opened a issue because of the wrong http status code (https://jira.openolat.org/browse/OO-2946). The changes are part of the upcoming OpenOLAT 12 release.

Best regards,
Urs

--------------------------------------------------------------------
professional services for the e-learning system OpenOLAT
hosting - operating - support - development - mobile - consulting
--------------------------------------------------------------------
frentix  GmbH
Urs Hensler
Hardturmstrasse 76
CH-8005 Zürich, Switzerland

jus...@gmail.com

unread,
Aug 7, 2017, 9:11:14 AM8/7/17
to OpenOLAT
Hi Urs,

thanks for your response. With your JSON statement I'm getting an 401 error code. And that was the reason for me playing around with the apostrophes which ended in getting 200 but without a new group...
Is it possible that creating a group is not allowed for OLAT authors (we are using OLAT version 11.3.2)?

Best regards,
Julius

Urs Hensler

unread,
Aug 8, 2017, 2:31:25 AM8/8/17
to open...@googlegroups.com
Hi Julius

The author role s not sufficient. You need either the role Group Manager or Administrator.

Best regards,
Urs

--------------------------------------------------------------------
professional services for the e-learning system OpenOLAT
hosting - operating - support - development - mobile - consulting
--------------------------------------------------------------------
frentix  GmbH
Urs Hensler
Hardturmstrasse 76
CH-8005 Zürich, Switzerland




mitarbeit...@googlemail.com

unread,
Aug 15, 2017, 7:49:04 AM8/15/17
to OpenOLAT
Hi Urs,

is there a reason for this restriction? Even students are allowed to create groups in the GUI. I want to import several groups and their members to OLAT and it would be nice to be able to do this with the restapi instead of doing it via the GUI. What are the rights of an group administrator? I couldn't find much information about this role.

Best regards,
Julius

jus...@gmail.com

unread,
Aug 21, 2017, 8:03:09 AM8/21/17
to OpenOLAT
Hi,

i found the following information: "Group managers are able to view all published as well as private groups, and are eligible to manage them to the same extent as group coaches." But you wouldn't want to give each author these rights only to give them the possibility to create their own groups. The only dangerous thing one could do as an author would be to create thousands of groups and maybe crashing the OLAT-system, but with group managing role one could delete all OLAT groups at once.  Or am I missing something here?
In my opinion authors should have the ability to create and manage their own groups via RestAPI without having the ability to manage/delete ALL OLAT groups.

Best regards,
Julius

Florian Gnägi

unread,
Aug 21, 2017, 11:16:04 AM8/21/17
to open...@googlegroups.com
Hi Julius

The REST API is primarily implemented to let a special program manage the system externally. Normally this kind of program will be run by some IT staff and there is normally only one program doing this in an institution. The IT staff can then decide wether he uses a special REST user with full admin privileges or only with a subset, e.g. the user or group manager role. It is not meant to let normal users or author implement their own client.

With the REST API many things can go out of control easily. You can quickly create thousands of groups because of a programming error in a loop. In the desktop client you can’t do this as you don’t have this programmatic possibilities. This is the reason why many of the REST API calls are limited to administrative users. 

Of course this can be changed, but this is just how it is right now. To change our policy here we need further discussions. 

Cheers
Florian

--
--
Sie erhalten diese Nachricht, weil Sie Mitglied sind von Google
Groups-Gruppe "OpenOLAT".
Für das Erstellen von Beiträgen in dieser Gruppe senden Sie eine E-Mail
an open...@googlegroups.com
Um sich von dieser Gruppe abzumelden, senden Sie eine E-Mail an
openolat+u...@googlegroups.com
Weitere Optionen finden Sie in dieser Gruppe unter
http://groups.google.com/group/openolat?hl=de
-------------------------------------------------------------------------------------------------------------------
OpenOLAT - infinite learning - http://www.openolat.org

---
You received this message because you are subscribed to the Google Groups "OpenOLAT" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openolat+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--------------------------------------------------------------------
professional services for the e-learning system OpenOLAT
hosting - operating - support - development - mobile - consulting
--------------------------------------------------------------------
frentix  GmbH
Florian Gnägi, Geschäftsführer
Hardturmstrasse 76
CH-8005 Zürich, Switzerland

--------------------------------------------------------------------


Reply all
Reply to author
Forward
0 new messages