Please note: All new registrants to the Panopto Community Forum must be approved by a forum moderator or admin. As such, if you navigate to a feature that is members-only, you may receive an error page if your registration has not yet been approved. We apologize for any inconvenience and are approving new members as quickly as possible.
Ability to deactivated the breadcrumb feature when the parent folder is a private "My Folder"
Craig Murray
Crackerjack
We would like the breadcrumbs feature be . This feature has caused privacy concerns when academics share a video in their "My Folder" with a colleague for peer review (with the appropriate change in permissions). Using the breadcrumbs, users of the shared link can then browse, but not view, the contents of the original creator's "My Folder". Alternatively, we request the ability to turn off the breadcrumb feature by user group or site wide.
7
Comments
I agree. This is also a security risk because students could potentially see other classes videos - even classes they are not registered.
I would suggest make this a folder/video setting. Maybe also add a master admin setting to disable breadcrumbs for the system and a default admin setting.
System breadcrumbs = On/Off default to off - Disables or enables breadcrumbs in the system.
Default breadcrumbs for new folder/sessions = off -- If breadcrumbs enabled, then this is the default for new folders/videos.
Also, every folder and video should have this setting.
Have you looked at the setting: Hide inaccessible folder names
"Enabling this will hide the names of folders that the user cannot access in the folder hierarchy. This only applies when the user can access a child folder but not the parent folder."
I don't know how anyone can view the contents of someone's My Folder. Not unless they've been granted access to the files within.
I use the API to create a Shared and Private folder for everyone to help share content more effectively but it doesn't address the underlying concern (the ability to navigate upward and thus access the folder).
Yes, that setting is set to True. The issue is a pedagogical case for faculty. They want only certain videos to be visible even in the class folder. By default students can go inside the Panopto class folder and see all the videos in the class folder. Sometimes, faculty use the LMS features to only show certain items if the student meets certain criteria. For example, if the student watches this video and scores percent, then show this next video. If they watch the first video, and click on the breadcrumbs, they can see all the other videos and they don't want that. As indicated, is more of a learning path, pedagogical issue than a technical one.
Hi Charles,
Thank you for your comments. We have chosen not to to set the hide inaccessible folder option because, in the collapsed view, the root folder is labelled as "Private" if the students has access to sub folders which is confusing for our students. And agreed, this does not address the underlying concern about being able to navigate upwards.
Regards,
Craig.
Hi Carlos,
Thank you for comments. Agreed, this is a training issue but I feel it is also a system issue. If permission is granted to view one session, I think the user should expect that that is the only access they have granted (on a session basis). The breadcrumbs allow that person to then browser the private folder, permission to browse that was not explicitly granted.
Regards,
Craig.
Hey Craig, Carlos:
I tried to replicate this on my end but couldn't.
I logged in as Panopto/admin me (internal provider), and shared a video that was in my My Folder with my institutional Panopto account (SSO), and could not reproduce it.
Here's what I observed:
I also tested, just in case, to navigate to the direct path by copying/pasting the link of the My Folder, and as the recipient, I received a no access error.
Maybe Panopto fixed this in a recent release? Or are you sharing under different conditions...
Hi Darron.
I have just retested this. And you are correct the error is no longer present.
There are two possible reasons.
1) the error was fixed but I see not mention of it in the release notes.
2) What I was seeing was a result of persistent sessions cookies.
Either way, I had a case where access to a non-shared session in a personal "My Folder" was requested by a person who had a shared link to another session in that folder.
Thank you very much for your time in testing this. I want to do more testing with a colleague before closing this thread.
Regards,
Craig.
Very interesting! In either case, definitely a scary thought if that has been happening. I'm happy to keep an eye out as well if it pops up on our end.
The main thing to remember is that is the user is given direct rights to view in a folder, then the user can browse all videos in a folder.
This is the case in a class folder for example. A teacher can put a link in the LMS for a given video and the user can see that video, but then, the user can also traverse through the folder because (s)he is given viewer access to the folder. So, unless the teacher changes availability to the rest of the videos in the folder, the student can browse and see all videos.
This also applies to the folders/videos in the teacher's My Folder. IF the teacher gives access to sub-folder to a class group, the students will be able to browse all the available videos. This is when the do not traverse folder will come into place. Please check on this to confirm.
I think that is only the case if the viewer has rights at the folder level.
If I explicitly share a video with you from the root of My Folder, you can't see the other videos.
If I have a folder set to "Anyone in the organization with the link can view" and I share a link to a video with you, you would be able to see all the other videos. It's also the same way with a folder created via LTI and the Viewer/Creator groups and permissions.
Yes, the question is what would be the best practice workflow for teacher to create a library of videos they can share with multiple class sections. See these implications:
In this case, the teacher saves the shareable content to My Folder (his/her video library) in a sub-folder for the given class (i.e. INFS-3200, MGMT-6430, etc). By default, the videos are not available to anyone but the teacher. The teacher does not have Share option - "anyone within my organization with the link" because the university believe it to be a security/compliance risk. So, what are the options? Either to give access to the class group via Share or to embed the videos in the LMS links. The best option is probably to embed the videos in the LMS. This way the video is always accessible to the LMS class - even after copying the LMS shell to a new class. The other option will require the teacher to manually update the Share list access every semester to delete old classes and add new classes. Plus, giving access to the class group will allow students to traverse the folder, as we already discussed. Any suggestion for a better workflow? I am thinking re-usability and simplicity here.
It depends on the number of videos. As you said, putting them in a directory is fine. What would need to happen though is each video would need to be shared with the viewers of that course. Adding a group to 5 videos is reasonable.
50? Screw that.
Praying for custom roles without folder ennumeration is your best bet. (Then of course you will need to find a way to modify the groups created via the LTI tool to use the new custom role, or create new groups using these roles.)
Some interesting restrictions, Carlos! I don't have a great answer for you that I can think of. I understand the security risk behind the Anyone with the Link option, but don't fully understand the security risk behind Anyone at your org with the link, since it requires sign-in. Are they worried about a malicious student stumbling on a link they shouldn't have access to? What would the content be? Our methodology here is that we allow the Anyone with the link restrictions, and leave the onus on the instructor. We ask them to use the sharing permissions that are most comfortable depending on the content. We have disabled "Anyone at the organization" because we classify that as a risk, but are comfortable with "anyone with the link".
If you are putting multiple videos into your own manually-created course folder, what would the concern be about other students from that course/section stumbled upon other videos from within that same folder?
Our faculty doesn't trust ITD and vice verse. Ha Ha
As I explained in my original post, this is not a technical issue, more of a pedagogy issue. In my classes, I create Playlist of many videos (<10). But other professor don't know that, I believe. Using the Panopto Embed feature in our LMS, works great. Because, the video is inserted in the Content section of the LMS, right where the faculty want it to be within the course flow. Unfortunately, you cannot embed a playlist.
It is an issue of course flow and pedagogy. Some times, faculty only want to show a content to students when they complete certain work. For example, they watch a video and then take a quiz, if they score 70% or above, show the next video. You can do that in the LMS. But having the video in Panopto, in the class folder, will make all videos visible at once. IF you have them in the My Folder\sub-folder, then students can't.
It is not a big deal, but didactically, this can't be done right now unless you have a combination of options (My Folder, Panopto Embed and LMS conditions) -- Any way, is not a "die in this hill" type of thing. It is just that this type of learning paths are not supported intrinsically.