Valence grade update - PUT


kazmi

Sep 24, 2014, 7:41:20 PM
to valenc...@googlegroups.com
I am working on an external tool which has quiz items & once students finish the quiz, the grade should be updated in D2L using Valence PUT. I can do that when I log in with a user ID that has higher role permission, but can I make it work so that students can log in as themselves and the grade can be updated based on their quiz performance?
The issue here would be role permissions? 

Regards,

Desire2Learn Staff: Sarah-Beth

Sep 25, 2014, 8:44:06 AM
to valenc...@googlegroups.com
Hi Kazmi

Is there a particular reason you're sending the grade back using Valence, rather than the LTI Grade Return service?
We talk about this mechanism in our LTI Primer blog post.

If you do in fact need to use Valence, can you point me to the exact call you're making and the response you're getting?

~Sarah-Beth

kazmi

Sep 25, 2014, 11:08:00 AM
to valenc...@googlegroups.com
We are working on Valence at the moment and are trying to do things through that API.

The call I am making is: 
PUT /d2l/api/le/(version)/(orgUnitId)/grades/(gradeObjectId)/values/(userId)

The JSON is: {"GradeObjectType":1,"PointsNumerator":9}

The call is successful when I do the authentication through my credentials which are admin role.
When I do the same through a student that is in that particular course, it returns a 403.

The purpose of doing this is to create a standalone application that has assessments in it, and when the user completes the whole module, the final result should be posted in their grade book.

Desire2Learn Staff: Jacob Parker

Sep 25, 2014, 11:39:48 AM
to valenc...@googlegroups.com
All API calls are done in the context of a specific user. The student Valence credentials are suitable for doing anything a student can. Typically students are not configured to set grades (for obvious reasons).

Here is a general sketch of how you would build an external quiz app and how to use Valence credentials:
- Teacher logs into quiz app via Valence. The quiz app gets user credentials for the teacher (userId=A, userKey=B)
- The quiz app calls APIs to create grade items using the credentials A, B (the teacher has sufficient permissions to do this.)
- The app stores A, B with an association to this quiz for later use.

- Student logs into quiz app via Valence. The quiz app gets user credentials for the student (userId=C, userKey=D)
- The quiz app uses API calls to find the student's name using credentials C, D (this is optional - but this demonstrates one use of C, D)
- The student completes the quiz.
- Using the stored A, B credentials, the quiz app uploads the grade value to the LMS for that student. You could think of this as the teacher sending the grade back - they have sufficient permissions to do this.
- You probably don't need to store C, D outside the user's session.

- Once the quiz is done, purge A, B from the database - no longer needed.

------------

An alternative is to store admin tokens and never have the teacher log in. This is not a good solution.

olmetr...@gmail.com

Sep 25, 2014, 3:42:25 PM
to valenc...@googlegroups.com
Can a savvy student use the instructor's user id and user key (A, B) mischievously?  What are the security implications of this scenario?  Why is this scenario unlike storing admin tokens?


Desire2Learn Staff: Jacob Parker

Sep 25, 2014, 3:53:02 PM
to valenc...@googlegroups.com
Yes. It is up to the 3rd party quizzing app to use API tokens carefully. This is unavoidable.

A consequence of this is that it is obviously impossible to do a quiz-integration as a client-side JS integration: if sufficient authorization tokens are in the user's browser it is impossible to make sure the user doesn't cheat on their assignment :)

The difference between hard-coding admin tokens vs. using teacher tokens is that you are storing tokens with permission to do fewer things (at best, in this scenario, the "admin" tokens would need permissions to grade things in any course ever.) It also means you don't deal with the mess of hard-coding tokens (you can get them at quiz-creation time) and worrying about expiry etc.
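
The flow sketched in this thread, as an added example (not code from any poster or from D2L): the server scores the submission, takes the student's id from the server-side session, and sends the PUT with the stored teacher credentials (A, B), which never reach the browser. `Quiz`, `submit`, `close_quiz` and the `send` callable (assumed to sign and issue the request) are hypothetical names, and `LE_VERSION` is a placeholder for the route's (version).

```python
import json
from dataclasses import dataclass
from typing import Optional

LE_VERSION = "(version)"  # placeholder, as written in the route quoted in the thread


@dataclass
class Quiz:
    org_unit_id: int
    grade_object_id: int
    answer_key: dict                       # question id -> correct answer; stays on the server
    teacher_creds: Optional[tuple] = None  # (userId A, userKey B) captured at quiz creation


def score(quiz, answers):
    """Grade on the server from raw answers; unknown question ids are ignored."""
    return sum(1 for q, a in answers.items() if quiz.answer_key.get(q) == a)


def submit(quiz, session_user_id, answers, send):
    """Handle one student submission.

    session_user_id comes from the student's own Valence login (C, D) held in
    the server-side session, never from the request body. `send` is a
    hypothetical callable that signs the request with the given credentials
    and performs the HTTP call.
    """
    if quiz.teacher_creds is None:
        raise PermissionError("quiz closed: teacher credentials were purged")
    points = score(quiz, answers)
    path = (f"/d2l/api/le/{LE_VERSION}/{quiz.org_unit_id}"
            f"/grades/{quiz.grade_object_id}/values/{session_user_id}")
    body = json.dumps({"GradeObjectType": 1, "PointsNumerator": points})
    send("PUT", path, body, quiz.teacher_creds)  # signed as the teacher (A, B)
    return {"points": points}                    # the only data returned to the browser


def close_quiz(quiz):
    """Purge A, B once the quiz is done so they cannot be reused."""
    quiz.teacher_creds = None
```
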