SOS!How to prevent users from viewing questions of lesson they don't enroll?

SOS!How to prevent users from viewing questions of lesson they don't enroll?

by red tiger -
Number of replies: 14

Hi,

I am using Moodle 1.9.14.

I have one severe problem confusing me.

I created several lessons and lesson questions for my users.

When users enroll in a lesson and access the lesson questions,
the question page address shows like the following:

..../mod/lesson/view.php?id=16&pageid=xx

I find that if user change the pageid number in the address, they can see the questions of other lessons they didn't enroll.

I look up in the database and find that all the lesson questions are stored in the table 'mdl_lesson_pages' with the id number(=pageid)

So if users change the pageid they can see all the lessons questions!

Is it a bug or any setting I missed?

How to prevent users from viewing questions of lessons they don't enroll?

Thank you for your help in advance.


Average of ratings: -
In reply to red tiger

Re: SOS!How to prevent users from viewing questions of lesson they don't enroll?

by Stuart Mealor -

OK, let's just clarify your terminology here - which is perhaps confusing the issue.

Users enrol in a Course (not a Lesson).

So, you have created a Course, with several Lessons.

"I find that if user change the pageid number in the address, they can see the questions of other lessons they didn't enroll."

Well, Students don't enrol in Lessons.
If they are enrolled in a Course, they have access to all Lessons in that Course.
So, if they alter the URL to see a question in a Lesson, how is that different from them accessing the question via the Lesson directly?
They are not gaining access to something they can't get to anyway.

Have you added a password to the Lessons ?
If so, can Students see the questions within the second Lesson when it is password protected?

Average of ratings: -
In reply to Stuart Mealor

Re: SOS!How to prevent users from viewing questions of lesson they don't enroll?

by red tiger -

Hi,Stuart Mealor

Sorry for not explaining clearly earlier on.

Yes, I have created several courses, each course with one lesson.

I find that if user enroll in a course and alter the pageid of the course lesson's URL they can view other lessons in other courses they didn't enroll.

I have set different password for all the lessons, but it does not work for me.

For example:
lesson A(Course1) and lesson B(Course2), all with password added.
User enroll in Course1 but not in Course2.

When they enter the password for lesson A and begin the lesson A pages,
then they alter the pageid of URL
..../mod/lesson/view.php?id=16&pageid=xx ←

they can also view lesson B pages.


What is wrong? How to solve the severe problem?

Thank you.

Average of ratings: -
In reply to red tiger

Re: SOS!How to prevent users from viewing questions of lesson they don't enroll?

by Stuart Mealor -

Hi Red

OK, well first double-check that these Students are not enrolled into Course B as well.
For example, they could be enrolled in a Category (so they have access to all Courses in that Category).
Or, they could be enrolled via a meta course.
Indeed, they could even be assigned a Student role at the site level by accident!

However, if you are certain that these users are not enrolled in Course B then this is clearly a bug.

Please add this to the Tracker - check first that someone else has not already created a bug report for this.  If they have, then you can vote for it to be prioritised for a fix, and perhaps add further comments to help developers smile

(I would be very surprised if there is not 'something else' happening in the background here - because if this behaviour is as described it would mean a Student can gain access to Courses they are not enrolled in - which would be a major issue).

Average of ratings: -
In reply to Stuart Mealor

Re: SOS!How to prevent users from viewing questions of lesson they don't enroll?

by red tiger -

OK,I try to report this issue though i don't know whether it`s a bug or just setting problem.

Average of ratings: -
In reply to red tiger

Re: SOS!How to prevent users from viewing questions of lesson they don't enroll?

by Joseph Rézeau -
Picture of Core developers Picture of Particularly helpful Moodlers Picture of Plugin developers Picture of Testers Picture of Translators

Hi "red tiger",

What you describe seems hardly possible to me.

When you say "users", do you mean students or teachers?

It is quite impossible for a student to access a course if they are not enrolled in that course (unless you give free access to your courses to guests).

Have you set all your moodle site courses to be self-enrollable?

Are your courses accessible to guests?

How can your "users" guess the lesson's id?

How do you know your students can access lessons in courses they are not enroled in?

Joseph

Average of ratings: -
In reply to Joseph Rézeau

Re: SOS!How to prevent users from viewing questions of lesson they don't enroll?

by red tiger -

Hi,Joseph

>When you say "users", do you mean students or teachers?

students

>It is quite impossible for a student to access a course if they are not enrolled in that course (unless you give free access to your courses to guests).

All my course is not free,all for payment. It is a severe problem for me.

>Have you set all your moodle site courses to be self-enrollable?

All my course are set to no self-enrollable.

Edit course settings page->Enrolments->Course enrollable-> No

>Are your courses accessible to guests?

I have tested and i am sure that guests can`t access the courses.

>How can your "users" guess the lesson's id?

users don`t need to guess the id.

You see that lesson page address shown as /mod/lesson/view.php?id=xx&pageid=xx

I search the DB and find that all the lesson questions are stored in just one table 'mdl_lesson_pages' with id number(=pageid).

Students can alter the pageid to view all the lessons then.

>How do you know your students can access lessons in courses they are not enroled in?

I created a test account as student to see how it works and found this issue.

Average of ratings: -
In reply to red tiger

Re: SOS!How to prevent users from viewing questions of lesson they don't enroll?

by Joseph Rézeau -
Picture of Core developers Picture of Particularly helpful Moodlers Picture of Plugin developers Picture of Testers Picture of Translators

Sorry, but I still maintain that the scenario you describe is not possible. Students can not access a lesson in a course they are not enrolled in.

It is not clear from your posts whether you think students can access Lessons in a course where they are not enroled OR if they can access the questions (i.e. the "Lesson pages") of Lessons.

You say "Students can alter the pageid to view all the lessons then." but my question is : how would they "alter" the pageid? blindly?

You say "I created a test account as student to see how it works and found this issue." Is that "test student" enrolled in any or the course on your moodle site or not? Please describe step by step what you do as "test student" in order to access Lessons or Lesson pages in a course that that test student is not enrolled in.

Joseph

Average of ratings: -
In reply to Joseph Rézeau

Re: SOS! How to prevent users from viewing questions of lesson they don't enroll?

by Stuart Mealor -

I agree with Joseph
- I don't think this is an error with Moodle - because I can't believe no-one else has found this ?

The easiest thing might be to give someone else who knows Moodle very well a Student login to ONE Course on your site, and see if they can do what you describe.  They can look at the Courses they have access to, and report independently.

As I said at the start, I believe 'something else' is happening - like Students being assigned at site level or similar.

Stu

Average of ratings: -
In reply to Joseph Rézeau

Re: SOS!How to prevent users from viewing questions of lesson they don't enroll?

by Joseph Rézeau -
Picture of Core developers Picture of Particularly helpful Moodlers Picture of Plugin developers Picture of Testers Picture of Translators

Further to private communication with the OP I confirm that there is a serious bug in the Lesson.

I am investigating and will report here and in the bug tracker ASAP.

Joseph

Average of ratings: -
In reply to Joseph Rézeau

Re: SOS!How to prevent users from viewing questions of lesson they don't enroll?

by red tiger -

Good job!

Hope this issue will be solved ASAP.

I will continue to test it. it is a disaster for those (include me) who sell courses.

Average of ratings: -
In reply to Joseph Rézeau

Re: SOS!How to prevent users from viewing questions of lesson they don't enroll?

by red tiger -

Thanks! Display Default Feedback YES setting is OK.

I still have two problems confusing me.
1. In my case, Students can take the lesson again and again.I need to limit the lesson attempts (Sorry,I mistake the 'Maximum number of attempts' meaning in lesson).
There is Attempts allowed setting in quiz. Is it possible to copy this feature to lesson or any other way to achieve it?
2. I need to create random questions in lesson.Since I have hundreds of questions but want only 50 random questions appear each time. Is it possible to copy the 'add random questions' from quiz to lesson or any other way to achieve it?


Currently I have to add cluster again and again . It really costs me time and do wrong easily.

Average of ratings: -
In reply to red tiger

Re: SOS!How to prevent users from viewing questions of lesson they don't enroll?

by Joseph Rézeau -
Picture of Core developers Picture of Particularly helpful Moodlers Picture of Plugin developers Picture of Testers Picture of Translators

Hi red tiger,

Please do not mix up the flow of this forum discussion with the private exchange we are currently having by email. This will only confuse this Moodle forum participants.

Please do not post a new question to an ongoing discussion. Always post new questions to a new thread/discussion.

OK, just to answer your latest question all the same: you are confusing the features available in Quiz and in Lesson, and there is no way to have the Quiz features available to Lesson or vice-versa. You really have to choose which activity suits your needs best between Quiz and Lesson. Each has its strong and week points...

Joseph

Average of ratings: -
In reply to Joseph Rézeau

Re: SOS!How to prevent users from viewing questions of lesson they don't enroll?

by Andrew Lowe -

Hi Joseph,

Did you ever find a patch for this or do you know if there is a trakcer ticket? I have come accross the same issue and am going to be writing a patch my self. Any futher information would be helpful.

Thanks!

Average of ratings: -
In reply to Andrew Lowe

Re: SOS!How to prevent users from viewing questions of lesson they don't enroll?

by Joseph Rézeau -
Picture of Core developers Picture of Particularly helpful Moodlers Picture of Plugin developers Picture of Testers Picture of Translators

@Andrew,

The situation where the lesson pages' ID is displayed in the browser's URL is with those settings:

lesson settings: Display Default Feedback NO
question: all Answer Responses are empty

Workaround so that URL does not display lesson ID and page ID in browser:

  • either enter a Response (feedback message) in your questions' Response fields (from a pedagogic point of view, I feel that all Answers should have a matching Response (feedback message) attached, so that the student knows why they got their answer right (or wrong)
  • or set lesson settings: Display Default Feedback YES

Joseph

Average of ratings: -