Provides independent, toggleable restrictions for student messaging, submission comments, announcement replies, and group messaging in Canvas LMS.
Clone this repo into gems/plugins and restart the server.
Login with a site admin account and head over to /plugins in the browser.
Find the plugin Canvas Security Enhancements Plugin and click into it. Enable the plugin and check the desired restrictions.
Each restriction is configured independently in the plugin settings. Enable only the ones you need.
Affects: Students only (users with only a student enrollment and no teacher, TA, designer, or admin roles)
- Students cannot create new conversations
- Students cannot add recipients to existing conversations
- Students cannot forward messages
- Students can reply to a message, but only to the original sender
- The address book (recipient search) returns no results for students
- Enforced on REST, GraphQL, and the UI
Affects: Students only
- Students cannot delete conversations or individual messages
- Enforced on REST and GraphQL endpoints
Affects: Students only
- Students cannot add comments on assignment submissions
- Comment input controls are hidden from the UI; existing teacher feedback remains visible
- Enforced on REST API and GraphQL endpoints
Affects: Students only
- Students cannot reply to announcements (REST, GraphQL, and UI all blocked)
- When enabled globally, announcement reply/comment controls are also hidden for all users via UI injection (admins and teachers can still post via the editor, but the reply buttons are suppressed)
- Regular discussion topic replies are unaffected
Affects: All users (excluding Site Admins)
- When composing a message to multiple recipients, the "Send an individual message to each recipient" checkbox is forced on and hidden — group conversations cannot be created
- Enforced on REST (
ConversationsController#create) and GraphQL (createConversationmutation) - Any client-side attempt to send
group_conversation: trueis silently overridden tofalseon the server