Матрица прав
Принципы
- Public/read endpoints не возвращают answer keys, hidden solutions и teacher notes.
- Visibility решений зависит от контекста использования, статуса внешнего домена и permissions.
- Published problem version нельзя менять даже пользователю с admin permission.
- Manual override, import/export и доступ к закрытым решениям аудируются.
- Сервисные потребители используют service scopes.
Permissions
| Permission | Назначение |
|---|---|
task-bank.problems.read | читать доступные задачи |
task-bank.problems.manage | создавать и редактировать problem |
task-bank.versions.read | читать versions в authoring/admin |
task-bank.versions.manage | редактировать draft/review versions |
task-bank.versions.publish | публиковать versions |
task-bank.solutions.read | читать решения по visibility |
task-bank.solutions.manage | редактировать решения |
task-bank.hints.read | читать подсказки по visibility |
task-bank.hints.manage | редактировать подсказки |
task-bank.answer_keys.read | читать ключи ответов |
task-bank.checking_rules.manage | управлять проверкой |
task-bank.taxonomy.read | читать taxonomy |
task-bank.taxonomy.manage | управлять taxonomy |
task-bank.relations.read | читать связи задач |
task-bank.relations.manage | создавать и редактировать suggested relations |
task-bank.relations.moderate | подтверждать/отклонять связи |
task-bank.sets.read | читать подборки |
task-bank.sets.manage | редактировать подборки |
task-bank.sets.publish | публиковать подборки |
task-bank.activity_templates.read | читать шаблоны активностей |
task-bank.activity_templates.manage | редактировать шаблоны активностей |
task-bank.activity_templates.publish | публиковать шаблоны активностей |
task-bank.program_templates.read | читать программы и треки |
task-bank.program_templates.manage | редактировать программы и треки |
task-bank.program_templates.publish | публиковать программы |
task-bank.publication.manage | управлять public publication profile |
task-bank.usages.manage | управлять usage |
task-bank.checks.manage | запускать/читать checks |
task-bank.checks.override | manual override результата |
task-bank.manual_reviews.read | читать очередь ручной проверки |
task-bank.manual_reviews.manage | назначать и проверять вручную |
task-bank.evidence.read | читать evidence |
task-bank.imports.manage | импортировать задачи |
task-bank.exports.create | экспортировать задачи |
task-bank.exports.read | читать snapshots |
task-bank.exports.lock | фиксировать snapshots |
task-bank.audit.read | читать audit |
task-bank.admin | системные настройки |
Endpoint matrix
| Endpoint/action | Permission | Scope | Audit |
|---|---|---|---|
GET /problems | task-bank.problems.read | visibility + status | no |
POST /problems | task-bank.problems.manage | authoring | yes |
PATCH /problem-versions/{id} | task-bank.versions.manage | draft/review only | yes |
POST /problem-versions/{id}/publish | task-bank.versions.publish | methodist/admin | yes |
GET /problem-versions/{id}/solutions | task-bank.solutions.read | visibility policy | yes if hidden |
GET /answer-keys | task-bank.answer_keys.read | checking/authoring | yes |
POST /checking-rules | task-bank.checking_rules.manage | authoring | yes |
POST /problems/{id}/relations | task-bank.relations.manage | authoring | yes |
POST /problem-relations/{id}/confirm | task-bank.relations.moderate | methodist | yes |
POST /activity-templates | task-bank.activity_templates.manage | authoring | yes |
POST /activity-templates/{id}/publish | task-bank.activity_templates.publish | methodist/admin | yes |
POST /program-templates | task-bank.program_templates.manage | authoring | yes |
POST /program-templates/{id}/publish | task-bank.program_templates.publish | methodist/admin | yes |
PATCH /publication-profiles/{problemId} | task-bank.publication.manage | methodist/admin | yes |
GET /public/tasks/{id} | public | public projection | no |
POST /usages | service scope or task-bank.usages.manage | target domain | yes |
GET /content-export-snapshots/{id} | service scope or task-bank.exports.read | target domain | yes if sensitive |
POST /content-export-snapshots/{id}/lock | task-bank.exports.lock | service/admin | yes |
POST /attempts | authenticated/service | owner/context | no |
POST /attempts/{id}/submit | owner/service | attempt owner | no |
POST /attempts/{id}/check | service or task-bank.checks.manage | checker/context | yes |
POST /answer-checks/{id}/override | task-bank.checks.override | checker/admin | yes |
POST /manual-reviews/{id}/decision | task-bank.manual_reviews.manage | assigned checker | yes |
GET /evidence | task-bank.evidence.read | aggregate/service | no |
POST /imports | task-bank.imports.manage | admin | yes |
POST /exports | task-bank.exports.create | admin/methodist | yes |
GET /audit-logs | task-bank.audit.read | security/admin | yes |
Actor contexts
| Context | Что разрешает |
|---|---|
student_attempt | условие, свои attempts, разрешённый feedback |
teacher_context | задачи и решения в назначенном LMS/competitions контексте |
checker | rubric, answer key, manual review queue |
authoring | draft/review content |
competition_secret | закрытые задачи до публикации |
public_training | опубликованные training задачи без закрытых key |
public_catalog | public-safe projection без hidden key/solution/teacher notes |
template_authoring | activity/program drafts and review |
snapshot_consumer_service | читать target-allowed locked snapshots |
admin | import/export/audit/settings |
Visibility gates
| Данные | Gate |
|---|---|
| statement | published version или authoring permission |
| hint | usage policy + actor context |
| solution | solution visibility + task-bank.solutions.read |
| answer key | task-bank.answer_keys.read |
| teacher notes | teacher/checker/admin context |
| raw answer | owner/checker/service context |
| evidence | aggregate/service permission |
| activity/program template | visibility + organization grant + template permission |
| content export snapshot | target domain scope + payload allowlist |
| public projection | public status + license + embargo gates |
Ролевые наборы
| Роль | Базовые permissions |
|---|---|
task-bank.author | problems/manage, versions/manage, solutions/manage draft |
task-bank.methodist | author + versions.publish, taxonomy/manage, sets/manage |
task-bank.template_designer | activity_templates/manage, program_templates/manage, sets/read |
task-bank.relation_moderator | relations/read/manage/moderate |
task-bank.teacher | problems/read, solutions/read in context, checks/manage limited |
task-bank.checker | manual_reviews/read/manage, answer_keys/read in assigned context |
task-bank.consumer_service | usages/manage, attempts/check service scope |
task-bank.snapshot_consumer_service | exports/read by target scope |
task-bank.analytics | evidence/read |
task-bank.admin | all task-bank permissions |
Audit events
Аудировать обязательно:
- публикацию version;
- изменение answer schema/key/checking rule;
- чтение закрытого solution/key;
- создание usage для закрытой задачи;
- создание, чтение sensitive payload и lock snapshot;
- изменение public publication profile;
- relation moderation;
- manual override;
- import/export;
- изменение visibility policy;
- чтение audit logs.