SAK-51713 Tests & Quizzes: Instructors should see all student submissions when a assessment is published to the entire site

[st-manu]

https://sakaiproject.atlassian.net/browse/SAK-51713

Summary by CodeRabbit

• New Features
  • Added granular assessment management permissions including group access control, editing, grading, and publishing capabilities.
  • Enhanced authorization framework with new calendar function options for instructors and administrators.
  • Extended permission controls across multiple site template and role configurations.

[st-manu]

should the roles with this new permission be Instructor and maintain?

[coderabbitai]

Walkthrough

This pull request expands assessment authorization functionality by adding new realm functions for assessment permissions and calendar options across database systems, introduces a new authorization constant, and modifies the evaluation bean to handle privileged multi-group access within the assessment system.

Changes

Cohort / File(s)	Summary
Assessment realm function definitions kernel/kernel-impl/src/main/sql/mysql/sakai_realm.sql, kernel/kernel-impl/src/main/sql/oracle/sakai_realm.sql	Added new assessment-related functions (e.g., assessment.all.groups, assessment.editAssessment.*, assessment.gradeAssessment.*, assessment.submitAssessmentForGrade, assessment.takeAssessment) and calendar.options to SAKAI_REALM_FUNCTION table. Configured realm-function mappings for !site.template and !site.template.course realms with roles including maintain, Instructor, and Student.
Authorization constant addition samigo/samigo-api/src/java/org/sakaiproject/samigo/util/SamigoConstants.java	Added public static final constant AUTHZ_ASSESSMENT_ALL_GROUPS with value "assessment.all.groups" for authorization checks.
Evaluation bean privilege handling samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/bean/evaluation/TotalScoresBean.java	Added imports for SamigoConstants and PersistenceService. Introduced hasAllGroupsPrivilege check to conditionally retrieve enrollments without group filtering when user has all-groups authorization; otherwise uses previous all-group-release behavior. Modified enrollment retrieval logic in getEnrollmentListForSelectedSections method.

Suggested reviewers

• jesusmmp
• ottenhoff

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding authorization for instructors to view all student submissions when assessments are published site-wide.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

📝 Customizable high-level summaries are now available in beta!

You can now customize how CodeRabbit generates the high-level summary in your pull requests — including its content, structure, tone, and formatting.

• Provide your own instructions using the high_level_summary_instructions setting.
• Format the summary however you like (bullet lists, tables, multi-section layouts, contributor stats, etc.).
• Use high_level_summary_in_walkthrough to move the summary from the description to the walkthrough section.

Example instruction:

"Divide the high-level summary into five sections:

1. 📝 Description — Summarize the main change in 50–60 words, explaining what was done.
2. 📓 References — List relevant issues, discussions, documentation, or related PRs.
3. 📦 Dependencies & Requirements — Mention any new/updated dependencies, environment variable changes, or configuration updates.
4. 📊 Contributor Summary — Include a Markdown table showing contributions:
   | Contributor | Lines Added | Lines Removed | Files Changed |
5. ✔️ Additional Notes — Add any extra reviewer context.
   Keep each section concise (under 200 words) and use bullet or numbered lists for clarity."

Note: This feature is currently in beta for Pro-tier users, and pricing will be announced later.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/bean/evaluation/TotalScoresBean.java (1)

926-931: Consider caching the privilege check result.

The privilege check is performed on every call to getEnrollmentListForSelectedSections, which may be invoked multiple times during histogram generation, exports, and score calculations. Since site-level permissions don't change during a user session, consider caching the result as an instance variable.

Example refactor:

+  private Boolean hasAllGroupsPrivilegeCache = null;
+
   private List getEnrollmentListForSelectedSections(int calledFrom, String siteId) {
     List enrollments;
     
-    // Check if current user has privilege to assess all groups - if so, they should see all student submissions regardless of group restrictions
-    boolean hasAllGroupsPrivilege = PersistenceService.getInstance()
-        .getAuthzQueriesFacade()
-        .hasPrivilege(SamigoConstants.AUTHZ_ASSESSMENT_ALL_GROUPS, siteId);
+    // Check if current user has privilege to assess all groups - if so, they should see all student submissions regardless of group restrictions
+    if (hasAllGroupsPrivilegeCache == null) {
+        hasAllGroupsPrivilegeCache = PersistenceService.getInstance()
+            .getAuthzQueriesFacade()
+            .hasPrivilege(SamigoConstants.AUTHZ_ASSESSMENT_ALL_GROUPS, siteId);
+    }
+    boolean hasAllGroupsPrivilege = hasAllGroupsPrivilegeCache;

Note: Ensure the cache is cleared in resetFields() or when the assessment context changes.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7939e9f and 2acaf61.

📒 Files selected for processing (4)

• kernel/kernel-impl/src/main/sql/mysql/sakai_realm.sql (3 hunks)
• kernel/kernel-impl/src/main/sql/oracle/sakai_realm.sql (3 hunks)
• samigo/samigo-api/src/java/org/sakaiproject/samigo/util/SamigoConstants.java (1 hunks)
• samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/bean/evaluation/TotalScoresBean.java (3 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: ottenhoff
Repo: sakaiproject/sakai PR: 0
File: :0-0
Timestamp: 2025-10-07T15:11:27.298Z
Learning: In samigo’s Total Scores view (samigo/samigo-app/src/webapp/jsf/evaluation/totalScores.jsp), mailto links were hidden after commit dee05746 (PR #12312, SAK-49674) added a render check requiring email.fromEmailAddress to be non-empty; PR #14154 (SAK-52058) restores visibility by checking only description.email.

📚 Learning: 2025-10-07T15:11:27.298Z

Learnt from: ottenhoff
Repo: sakaiproject/sakai PR: 0
File: :0-0
Timestamp: 2025-10-07T15:11:27.298Z
Learning: In samigo’s Total Scores view (samigo/samigo-app/src/webapp/jsf/evaluation/totalScores.jsp), mailto links were hidden after commit dee05746 (PR #12312, SAK-49674) added a render check requiring email.fromEmailAddress to be non-empty; PR #14154 (SAK-52058) restores visibility by checking only description.email.

Applied to files:

• samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/bean/evaluation/TotalScoresBean.java

🧬 Code graph analysis (1)

samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/bean/evaluation/TotalScoresBean.java (1)

samigo/samigo-api/src/java/org/sakaiproject/samigo/util/SamigoConstants.java (1)

• SamigoConstants (28-213)

⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: maven-build
• GitHub Check: sakai-deploy
• GitHub Check: maven-build

🔇 Additional comments (6)

kernel/kernel-impl/src/main/sql/oracle/sakai_realm.sql (3)

747-747: Grant to maintain on !site.template — LGTM.

Matches existing practice (e.g., 'asn.all.groups', 'calendar.all.groups'). No further changes needed here.

---

916-916: Code change verified and approved — LTI propagation confirmed.

The LTI copy mechanism (Oracle lines 1807-1808) confirms that all Instructor functions from !site.template.course — including the new assessment.all.groups grant — automatically flow into !site.template.lti Instructor and ContentDeveloper roles. Assessment function pruning in LTI is Mentor-only (lines 1822), leaving Instructor/ContentDeveloper unaffected. No duplicate inserts detected.

---

313-313: New realm function 'assessment.all.groups' verified across Oracle and MySQL with proper role mappings.

Cross-database parity confirmed:

• Oracle and MySQL base DDL both include the function insertion and identical role mappings (maintain on !site.template, Instructor on !site.template.course).
• SamigoConstants.java line 152 defines AUTHZ_ASSESSMENT_ALL_GROUPS and is actively used in TotalScoresBean line 930.
• No kernel-specific upgrade scripts exist (standard for Sakai core schema changes; realm adjustments for existing sites are typically manual or bundled with release).

samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/bean/evaluation/TotalScoresBean.java (2)

73-75: LGTM! Imports support the new privilege check.

The added imports for SamigoConstants and PersistenceService are necessary for implementing the all-groups privilege check and are correctly placed.

---

946-951: LGTM! Code correctly implements the privilege scope.

The conditional enrollment logic correctly implements the new privilege:

• When users have all-groups privilege and select "All Sections," they see all enrollments without group filtering via getAvailableEnrollments(false, siteId).
• When users lack the privilege, the existing group-release behavior is preserved via getAllGroupsReleaseEnrollments(siteId).

The privilege scope is intentionally limited to the "All Sections" path (lines 946-951) and does not apply to the "Released Sections/Groups" path (line 954). This is correct: when instructors explicitly select "Released Sections/Groups," they expect group filtering regardless of their privileges.

samigo/samigo-api/src/java/org/sakaiproject/samigo/util/SamigoConstants.java (1)

152-152: SQL realm function mappings verified across MySQL and Oracle.

The new authorization constant AUTHZ_ASSESSMENT_ALL_GROUPS is correctly defined in SamigoConstants.java and the corresponding SQL migration scripts properly introduce and map this function:

• kernel/kernel-impl/src/main/sql/mysql/sakai_realm.sql and Oracle equivalent insert the function and map it to both 'maintain' (for !site.template realm) and 'Instructor' (for !site.template.course realm)
• Consistent implementation across both database dialects

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Function registration looks correct and consistent.

Adding assessment.all.groups follows existing patterns like asn.all.groups and annc.all.groups. Good placement before grants.

Please confirm this function is also registered in the Oracle and Postgres base DDL.

---

🏁 Script executed:

#!/bin/bash
# Check other RDBMS scripts for assessment.all.groups
fd -a "sakai_realm.sql" kernel/kernel-impl/src/main/sql
rg -n "assessment\.all\.groups" kernel/kernel-impl/src/main/sql

Length of output: 1862

---

---

🏁 Script executed:

```shell
#!/bin/bash
# 1. Search for any postgres SQL scripts
fd -a "sakai_realm" kernel/kernel-impl/src/main/sql/postgres
# 2. Check if postgres directory exists
ls -la kernel/kernel-impl/src/main/sql/ 2>/dev/null | grep -E "^d"
# 3. Get context around similar function in hsqldb (e.g., asn.all.groups) to see where assessment.all.groups should be
rg -n "asn\.all\.groups|annc\.all\.groups" kernel/kernel-impl/src/main/sql/hsqldb/sakai_realm.sql -A2 -B2

Length of output: 222

---

---

🏁 Script executed:

#!/bin/bash
# List the actual SQL directory structure
ls -la kernel/kernel-impl/src/main/sql/

# Find all sakai_realm.sql and related files across the entire repo
echo "=== All sakai_realm files ==="
fd "sakai_realm" kernel/kernel-impl/src/main/sql/

# Look for upgrade or migration scripts
echo "=== Upgrade/migration scripts ==="
fd -e sql kernel/kernel-impl/src/main/sql/ | grep -i "upgrade\|migrat\|convert" | head -20

Length of output: 934

---

---

🏁 Script executed:

#!/bin/bash
# Confirm assessment.all.groups is missing from hsqldb
echo "=== Assessment.all.groups in hsqldb ==="
rg "assessment\.all\.groups" kernel/kernel-impl/src/main/sql/hsqldb/sakai_realm.sql || echo "NOT FOUND"

# Check hsqldb context around where function should be (similar to mysql line 301)
echo "=== HSQLDB lines 295-310 (around expected insert location) ==="
sed -n '295,310p' kernel/kernel-impl/src/main/sql/hsqldb/sakai_realm.sql

# Search for similar all.groups patterns in hsqldb to verify structure
echo "=== Similar *.all.groups patterns in hsqldb ==="
rg "\.all\.groups" kernel/kernel-impl/src/main/sql/hsqldb/sakai_realm.sql | head -10

# Look for any upgrade scripts at repo root or in special directories
echo "=== Searching for upgrade/migration scripts ==="
find . -maxdepth 3 -type f -name "*upgrade*" -o -name "*migration*" -o -name "*convert*" 2>/dev/null | grep -i sql | head -20

Length of output: 4038

---

HSQLDB database is missing the assessment.all.groups function and its role grants.

The PR adds assessment.all.groups to MySQL (line 301) and Oracle (line 313), but the HSQLDB variant lacks this function entirely. This creates a critical cross-database inconsistency. Other similar *.all.groups functions (annc, asn, calendar, content) are present in all three database scripts, establishing that parity should be maintained.

Add to kernel/kernel-impl/src/main/sql/hsqldb/sakai_realm.sql:

• Function definition (following the HSQLDB syntax pattern with NEXT VALUE FOR SAKAI_REALM_FUNCTION_SEQ)
• Role grants for !site.template + maintain role
• Role grants for !site.template.course + Instructor role

🤖 Prompt for AI Agents

In kernel/kernel-impl/src/main/sql/hsqldb/sakai_realm.sql (add near where other
*.all.groups functions are defined, around the same area as the MySQL line 301 /
Oracle line 313), the HSQLDB script is missing the INSERT for
'assessment.all.groups' and its role grants; add an INSERT INTO
SAKAI_REALM_FUNCTION using HSQLDB sequence syntax (use NEXT VALUE FOR
SAKAI_REALM_FUNCTION_SEQ) for the function name 'assessment.all.groups', then
add the corresponding SAKAI_REALM_ROLE GRANT entries mirroring the pattern used
for other '*.all.groups' functions: one grant for '!site.template' with role
'maintain' and one grant for '!site.template.course' with role 'Instructor' so
the HSQLDB file matches MySQL/Oracle parity.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Grant to maintain on !site.template — aligns with intent.

Granting assessment.all.groups to maintain on !site.template matches how other .all.groups permissions are scoped. LGTM.

Ensure an upgrade path exists to backfill this grant into existing sites (not just new installations). If missing, add an upgrade SQL. Example for MySQL (mirrors any realm/role that already has asn.all.groups):

-- 1) Ensure function exists
INSERT INTO SAKAI_REALM_FUNCTION (FUNCTION_NAME)
SELECT 'assessment.all.groups'
WHERE NOT EXISTS (SELECT 1 FROM SAKAI_REALM_FUNCTION WHERE FUNCTION_NAME='assessment.all.groups');

-- 2) Backfill grants wherever asn.all.groups is already granted
INSERT INTO SAKAI_REALM_RL_FN (REALM_KEY, ROLE_KEY, FUNCTION_KEY)
SELECT rf.REALM_KEY, rf.ROLE_KEY, f2.FUNCTION_KEY
FROM SAKAI_REALM_RL_FN rf
JOIN SAKAI_REALM_FUNCTION f1 ON f1.FUNCTION_KEY = rf.FUNCTION_KEY AND f1.FUNCTION_NAME = 'asn.all.groups'
JOIN SAKAI_REALM_FUNCTION f2 ON f2.FUNCTION_NAME = 'assessment.all.groups'
LEFT JOIN SAKAI_REALM_RL_FN x ON x.REALM_KEY=rf.REALM_KEY AND x.ROLE_KEY=rf.ROLE_KEY AND x.FUNCTION_KEY=f2.FUNCTION_KEY
WHERE x.REALM_KEY IS NULL;

---

🏁 Script executed:

#!/bin/bash
# 1) Locate the file mentioned in the review
echo "=== Finding sakai_realm.sql ==="
fd -t f "sakai_realm.sql" -x echo {}

# 2) Check directory structure for SQL files
echo -e "\n=== Directory structure for SQL files ==="
fd -t d "sql" | head -20

# 3) Search for upgrade/patch/migration SQL files
echo -e "\n=== Looking for upgrade SQL files ==="
fd -t f -e sql | grep -iE "(upgrade|patch|migration)" | head -30

# 4) Check the specific line context in the target file
echo -e "\n=== Context around line 734 in sakai_realm.sql ==="
fd "sakai_realm.sql" -x cat {} | sed -n '720,750p'

# 5) Search for assessment.all.groups and asn.all.groups in SQL files
echo -e "\n=== Occurrences of assessment.all.groups in SQL files ==="
rg -t sql "assessment\.all\.groups" -C 2

echo -e "\n=== Occurrences of asn.all.groups in SQL files ==="
rg -t sql "asn\.all\.groups" -C 2

Length of output: 31514

---

🏁 Script executed:

#!/bin/bash
# Check for kernel/realm-specific patch/upgrade SQL files
echo "=== Kernel patch files ==="
fd -t f -e sql ".*patch.*" kernel/ | grep -i realm

# Check for upgrades directory in kernel
echo -e "\n=== Kernel upgrade directories ==="
fd -t d -i upgrade kernel/

# Search for patch directory structure
echo -e "\n=== Checking for patches subdirectory in kernel ==="
find kernel -type d -name patches 2>/dev/null

# Look for any backfill or upgrade patterns in kernel SQL
echo -e "\n=== Backfill patterns in kernel SQL files ==="
rg -t sql "backfill|upgrade|patch|WHERE NOT EXISTS" kernel/ -C 1 | head -40

# Check if assessment.all.groups appears in other SQL files (non-template)
echo -e "\n=== Assessment.all.groups in other contexts ==="
rg -t sql "assessment\.all\.groups" kernel/ -B 2 -A 2 | grep -v "!site.template" | head -40

# Look for migration/upgrade documentation or scripts
echo -e "\n=== Looking for upgrade documentation ==="
fd -t f "(README|MIGRATION|UPGRADE)" kernel/ | head -20

Length of output: 2112

---

Add upgrade SQL to backfill assessment.all.groups into existing site realms

The template grant at line 734 is correctly scoped; however, existing deployed sites will not receive assessment.all.groups when upgrading. Kernel has no established patch infrastructure, and no backfill SQL exists. Add an upgrade SQL file (following samigo's patch pattern) to backfill this grant wherever asn.all.groups is already granted.

Example backfill for kernel/kernel-impl/src/main/sql/mysql/patches/ or equivalent:

-- 1) Ensure function exists
INSERT INTO SAKAI_REALM_FUNCTION (FUNCTION_NAME)
SELECT 'assessment.all.groups'
WHERE NOT EXISTS (SELECT 1 FROM SAKAI_REALM_FUNCTION WHERE FUNCTION_NAME='assessment.all.groups');

-- 2) Backfill grants wherever asn.all.groups is already granted
INSERT INTO SAKAI_REALM_RL_FN (REALM_KEY, ROLE_KEY, FUNCTION_KEY)
SELECT rf.REALM_KEY, rf.ROLE_KEY, f2.FUNCTION_KEY
FROM SAKAI_REALM_RL_FN rf
JOIN SAKAI_REALM_FUNCTION f1 ON f1.FUNCTION_KEY = rf.FUNCTION_KEY AND f1.FUNCTION_NAME = 'asn.all.groups'
JOIN SAKAI_REALM_FUNCTION f2 ON f2.FUNCTION_NAME = 'assessment.all.groups'
LEFT JOIN SAKAI_REALM_RL_FN x ON x.REALM_KEY=rf.REALM_KEY AND x.ROLE_KEY=rf.ROLE_KEY AND x.FUNCTION_KEY=f2.FUNCTION_KEY
WHERE x.REALM_KEY IS NULL;

Create equivalent patches for Oracle and HSQLDB.

🤖 Prompt for AI Agents

In kernel/kernel-impl/src/main/sql/mysql/sakai_realm.sql around line 734, the
new template grant for assessment.all.groups is added but deployed sites won't
receive it on upgrade; add a new patch SQL (following samigo pattern) to
backfill the grant: create patch files under
kernel/kernel-impl/src/main/sql/<db>/patches/ (mysql, oracle, hsqldb) that first
INSERT the assessment.all.groups function if missing, then INSERT into
SAKAI_REALM_RL_FN by selecting REALM_KEY/ROLE_KEY from existing rows where the
FUNCTION_NAME='asn.all.groups' and mapping to the new function_key, avoiding
duplicates via a LEFT JOIN/WHERE NULL check; ensure Oracle/HSQDB syntax matches
their dialects and name the patches consistently so they run during upgrades.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

Grant to Instructor on !site.template.course — correct audience.

Yes: Instructor + maintain only is appropriate for cross‑group submissions visibility; Teaching Assistant is intentionally excluded.

• Mirror this grant in Oracle/Postgres course templates.
• Confirm no additional grant is needed for TA by product decision. If institutions want TA parity, consider a configurable property rather than default grant.

---

🏁 Script executed:

#!/bin/bash
# Verify course template Instructor grant present across DBs and no TA grant was added
rg -n -C2 $'!site.template.course[\\s\\S]*Instructor[\\s\\S]*assessment\\.all\\.groups' kernel/kernel-impl/src/main/sql
rg -n -C2 $'!site.template.course[\\s\\S]*Teaching Assistant[\\s\\S]*assessment\\.all\\.groups' kernel/kernel-impl/src/main/sql

Length of output: 3413

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Find and verify PostgreSQL course template for assessment.all.groups grant
fd -n 'sakai_realm.sql' kernel/kernel-impl/src/main/sql/
echo "---"
rg -n 'assessment\.all\.groups.*Instructor|Instructor.*assessment\.all\.groups' kernel/kernel-impl/src/main/sql/ --type sql

Length of output: 307

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Find PostgreSQL and verify course template grants
fd sakai_realm.sql kernel/kernel-impl/src/main/sql/
echo "---"
# Search for Instructor + assessment.all.groups in all SQL files
rg -n 'assessment\.all\.groups' kernel/kernel-impl/src/main/sql/ -A2 -B2 | grep -E '(postgres|assessment\.all\.groups|Instructor)'

Length of output: 4537

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Verify HSQLDB course template has matching Instructor grant
rg -n '!site.template.course.*assessment\.all\.groups|assessment\.all\.groups.*!site.template.course' kernel/kernel-impl/src/main/sql/hsqldb/ -C2

Length of output: 0

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Check HSQLDB for assessment.all.groups grants and Instructor role combinations
echo "=== HSQLDB: Instructor + assessment.all.groups (any context) ==="
rg -n 'Instructor' kernel/kernel-impl/src/main/sql/hsqldb/sakai_realm.sql -A5 | grep -B5 'assessment\.all\.groups'
echo "=== HSQLDB: All assessment.all.groups entries ==="
rg -n 'assessment\.all\.groups' kernel/kernel-impl/src/main/sql/hsqldb/sakai_realm.sql -B2 -A2

Length of output: 114

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Examine HSQLDB file structure and check if it contains role/function grants at all
echo "=== HSQLDB file size and structure sample ==="
wc -l kernel/kernel-impl/src/main/sql/hsqldb/sakai_realm.sql
echo "---"
echo "=== First 50 lines of HSQLDB ==="
head -50 kernel/kernel-impl/src/main/sql/hsqldb/sakai_realm.sql
echo "---"
echo "=== Check for any SAKAI_REALM_RL_FN inserts in HSQLDB ==="
rg -c 'SAKAI_REALM_RL_FN' kernel/kernel-impl/src/main/sql/hsqldb/sakai_realm.sql
echo "---"
echo "=== Check for any maintain/Instructor role grants in HSQLDB ==="
rg -n 'maintain|Instructor' kernel/kernel-impl/src/main/sql/hsqldb/sakai_realm.sql | head -20

Length of output: 6684

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Check HSQLDB for template.course grants and any assessment functions
echo "=== HSQLDB: !site.template.course grants ==="
rg -n 'site\.template\.course' kernel/kernel-impl/src/main/sql/hsqldb/sakai_realm.sql
echo "---"
echo "=== HSQLDB: Any assessment functions at all ==="
rg -n 'assessment\.' kernel/kernel-impl/src/main/sql/hsqldb/sakai_realm.sql | head -20

Length of output: 77424

---

Add assessment.all.groups grant to HSQLDB course template for Instructor role.

Verification confirms MySQL (line 899) and Oracle (line 916) both have the Instructor + assessment.all.groups grant on !site.template.course with TA intentionally excluded. However, HSQLDB is missing:

• The assessment.all.groups function definition
• The Instructor grant for assessment.all.groups on !site.template.course

Note: PostgreSQL does not exist in the codebase; only hsqldb, mysql, and oracle variants are present.

Add to kernel/kernel-impl/src/main/sql/hsqldb/sakai_realm.sql the grant matching lines 899 (MySQL) and 916 (Oracle).

🤖 Prompt for AI Agents

In kernel/kernel-impl/src/main/sql/hsqldb/sakai_realm.sql (add near the function
definitions and realm-role-function inserts corresponding to the course template
entries), HSQLDB is missing the assessment.all.groups function and the
Instructor grant on !site.template.course; add the FUNCTION row for
'assessment.all.groups' (matching the name used in MySQL/Oracle) and add an
INSERT into SAKAI_REALM_RL_FN that selects the REALM_KEY for
'!site.template.course', the ROLE_KEY for 'Instructor', and the FUNCTION_KEY for
'assessment.all.groups' (mirror the MySQL line at
kernel/.../mysql/sakai_realm.sql:899 and Oracle at line 916). Ensure the SQL
syntax matches HSQLDB conventions and the surrounding entries (use the same
select-subquery pattern used for other grants in this file).