Security and privacy

 
 
Picture of Jamison Hyman
Enable "Require the Use of Safe Exam Browser" on SCORM package
 

I see when I set up a "quiz", I am able to select from the Browser Security dropdown menu the option to require the use of safe exam browser.  Unfortunately, I am making a quiz in Adobe Captivate and the only way I see that I can get it over to Moodle is by publishing it as a SCORM package.  I don't see the option to require the safe exam browser when I am uploading a SCORM package.  Does anyone know a way around this?  Thank you!


 
Average of ratings: -
Walking on the snow towards Lago Nero...
Re: Enable "Require the Use of Safe Exam Browser" on SCORM package
Group DevelopersGroup Particularly helpful Moodlers

Hi Jamison,
what do you expect to be disallowed?

  1. The access to the package entry point (view.php)
  2. The possibility to save the tracking data (but the users will pre-view the test)
  3. The access to any content file belonging to any SCORM activity

Guessing the 3rd, you could hack the code of the SCORM module as below:

$ git diff
diff --git a/mod/scorm/lib.php b/mod/scorm/lib.php
index 06ffdca..c6779cd 100644
--- a/mod/scorm/lib.php
+++ b/mod/scorm/lib.php
@@ -925,6 +925,11 @@ function scorm_pluginfile($course, $cm, $context, $filearea, $args, $forcedownlo
         return false;
     }

+    // Allow content to be accessed ONLY from a 'Safe Browser'.
+    if (strpos($_SERVER['HTTP_USER_AGENT'], 'SEB') === false) {
+        return false;
+    }
+
     require_login($course, true, $cm);

     $lifetime = isset($CFG->filelifetime) ? $CFG->filelifetime : 86400;

HTH,
Matteo

 
Average of ratings:Useful (1)
Tim at Lone Pine Koala Sanctuary
Re: Enable "Require the Use of Safe Exam Browser" on SCORM package
Group DevelopersGroup Documentation writersGroup Particularly helpful Moodlers

Note that when they finish version 2.0 of SEB, there will be a much more robust way of verifying that the student is using SEB. See the code in https://github.com/moodleou/moodle-quizaccess_safeexambrowser

 
Average of ratings:Useful (2)
Walking on the snow towards Lago Nero...
Re: Enable "Require the Use of Safe Exam Browser" on SCORM package
Group DevelopersGroup Particularly helpful Moodlers

TNX Tim.

It should be an option, in case of adding that setting per - only SCORM? - Activity, to get full benefits from those rules and their maintenance life cycle.

Matteo

 
Average of ratings:Useful (1)
Tim at Lone Pine Koala Sanctuary
Re: Enable "Require the Use of Safe Exam Browser" on SCORM package
Group DevelopersGroup Documentation writersGroup Particularly helpful Moodlers

I don't know enough about the SCORM code to comment on that.

It has occurred to me that some of the things done by quiz access rule plugins would be useful for other types of activity, but at the moment the access rules are specific to the quiz.

I did write the SEB access rule is such a way that you could call the basic "check the user is using the right web browser" check from anywhere. This is because we have one system at the OU where we want all users to be using SEB all the time (not just for attempting quizzes) so I call the access rule logic from within the theme to ensure it applies on every page.

 
Average of ratings:Useful (1)
Walking on the snow towards Lago Nero...
Re: Enable "Require the Use of Safe Exam Browser" on SCORM package
Group DevelopersGroup Particularly helpful Moodlers

That's a good starting point Tim!

What I'm just thinking is a new setting, per activity, that could be included by any activity interested in providing some access rules, those already defined for quiz.

In case of SCORM, the implementation of this setting could mean:

  • avoid the access to the main entry to the content, preventing the user to see the TOC of the SCORM course or;
  • avoid deliverying the content, allowing users to see the TOC of the SCORM course without having the possibility to see the content, where all the quiz logics are defined - SCORM == HTML app talking with the LMS using a Data Model via JS calls.

While the implementation of the "deny action" is pretty simple regardless the selected option above, it could be "less" easy to provide a new general activity setting to configure the access rules. Spare time permitted I'll dive into the code, maybe to propose something for 2.6.

Matteo

 
Average of ratings:Useful (1)
Picture of Jamison Hyman
Re: Enable "Require the Use of Safe Exam Browser" on SCORM package
 

Whoa this is awesome!  I'm trying to implement it in the code.  The screen is just white when I go to the SCORM page in any browser (including Safe Exam Browser).  If it worked in the Safe Exam Browser, then everything would be perfect.  Here's the relevant code from lib.php.  Thank you!

function scorm_pluginfile($course, $cm, $context, $filearea, $args, $forcedownload, array $options=array()) {
global $CFG;

if ($context->contextlevel != CONTEXT_MODULE) {
return false;
}

// Allow content to be accessed ONLY from a 'Safe Browser'.
if (strpos($ SERVER['HTTP_USER_AGENT'], 'SEB') == false){
return false;
}

require_login($course, true, $cm);

$lifetime = isset($CFG->filelifetime) ? $CFG->filelifetime : 86400;

.....

 
Average of ratings: -
Walking on the snow towards Lago Nero...
Re: Enable "Require the Use of Safe Exam Browser" on SCORM package
Group DevelopersGroup Particularly helpful Moodlers

Hi Jamison,
my fault: it's "$_SERVER" and not "$ SERVER". I'm not sure how I deleted the underscore char, could it be done by the glossary filter?

Matteo

 
Average of ratings:Useful (1)
Picture of Jamison Hyman
Re: Enable "Require the Use of Safe Exam Browser" on SCORM package
 

Thanks for all of your help Matteo!  Now, the page loads on SEB but also every browser.  The code looks like this now, is there something wrong that's allowing it on every browser?

function scorm_pluginfile($course, $cm, $context, $filearea, $args, $forcedownload, array $options=array()) {
global $CFG;

if ($context->contextlevel != CONTEXT_MODULE) {
return false;
}

// Allow content to be accessed ONLY from a 'Safe Browser'.
if (strpos($_SERVER['HTTP_USER_AGENT'], 'SEB') == false){
return false;
}

require_login($course, true, $cm);

$lifetime = isset($CFG->filelifetime) ? $CFG->filelifetime : 86400;

 
Average of ratings: -
Walking on the snow towards Lago Nero...
Re: Enable "Require the Use of Safe Exam Browser" on SCORM package
Group DevelopersGroup Particularly helpful Moodlers

Hi Jamison,
try to delete the browser local cache: Moodle by default tries to minimize the bandwidth impacts by asking the browser to cache the content, SCORM files included, so if you already accessed that content before applying the patch you should be able to see it until the local cache will expire.

Note: as mentioned by Tim, the current SEB securing implementation is weak in the sense that most of the browsers today are able to rewrite User Agent information so this hack is just a proof of concept before being the real solution for securing the content.

HTH,
Matteo

 
Average of ratings:Useful (1)
Picture of Jamison Hyman
Re: Enable "Require the Use of Safe Exam Browser" on SCORM package
 

Awesome! Worked perfectly.  Thanks so much. 

 

/thread

 
Average of ratings: -