View All Responses Security Issue

by Alex Negron -
Number of replies: 2

Setting Students can view ALL responses to NEVER does not prevent students from accessing the View All Responses report of a questionnaire. The setting seems to only remove the hyperlink from the student role and not prevent access.

This is a big security issue since, under certain scenarios, a student could easily figure out how to access the view all responses report without that hyperlink.

One example is if a course uses 2 types of questionnaires, where one questionnaire's View all responses is set to never and another questionnaire's View all responses is set to visible. It wouldn't take much for a student to figure out that changing the instance parameter from the questionnaire where view all responses is visible will take you to another questionnaire, and the View all set to never will not restrict the student from viewing the report.

The security problem was first reported back in 2011 here https://moodle.org/mod/forum/discuss.php?d=166492.

In reply to Alex Negron

Re: View All Responses Security Issue

by John Provasnik -
Question - was the setting changed to "never" before or after a student submitted a response? 

I did a test on my 3.5 system -- 

I created a questionnaire, set the View all Responses setting to 'Never,' and then logged in as a sample student to submit a response.
There was no "view all" link, but when I attempted to use the teacher URL to see the "view all" (when logged in as a test student), I got the message that I don't have the permission to View all responses.

However, in a separate test, I created another questionnaire, left the View all Responses setting set to 'immediately after submission', then I submitted a response as a test student, then I logged in as the teacher and changed the "view all" setting to "Never". When I logged back in as a student, that "Never" setting was not respected -- the test student could still see and view the responses with the teacher URL as you have noted.
In reply to John Provasnik

Re: View All Responses Security Issue

by Alex Negron -
Hi John,

I investigated this a little more and I was able to replicate your first test and got the same result with the "Don't have permission to view all responses" message.
However, it seems that the reason you got a different result on your second test is that you submitted a response.

To test this I created a brand new questionnaire from a template with the View all responses set to Never from the get go. These are the steps I took:

I made a submission with Student A ---> Then I logged in as Student B and pasted the view all link copied from teacher's role and I got the permission error you described ---> I then made a submission with Student B and pasted the same view all link that gave me a permission error but this time I got through and could see all responses.

The only variable from getting a permission error and getting through to view the View all report was that I made a submission.

For now the only way to prevent this seems to be to manually set the role permissions for each questionnaire to prevent viewing all responses from the student role.
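The behaviour described in this thread, replayed as an added example (this is not Moodle or Questionnaire plugin code): a decision function that only hides the link and then checks for a submission reproduces the bypass, while a decision that re-evaluates the setting on every report request does not. The setting names, role flag and "has submitted" state are assumptions made to model the posts above.

```python
from dataclasses import dataclass

# Assumed names for the three states of the "View all responses" setting.
NEVER = "never"
AFTER_SUBMISSION = "after_submission"   # 'immediately after submission'
ALWAYS = "always"

@dataclass(frozen=True)
class Questionnaire:
    instance_id: int            # the 'instance' URL parameter
    view_all_responses: str     # NEVER, AFTER_SUBMISSION or ALWAYS

@dataclass(frozen=True)
class User:
    name: str
    is_teacher: bool
    submitted_to: frozenset     # instance ids this user has responded to

def show_view_all_link(q):
    """UI only: hiding the link is what the setting was observed to do."""
    return q.view_all_responses != NEVER

def can_view_all_buggy(user, q):
    """Models the reported defect: the report page itself never looks at
    the setting, so any student with a submission gets through."""
    if user.is_teacher:
        return True
    return q.instance_id in user.submitted_to

def can_view_all_fixed(user, q):
    """Hardened decision, enforced on the report request regardless of
    whether the link was shown: NEVER always denies students."""
    if user.is_teacher:
        return True
    if q.view_all_responses == NEVER:
        return False
    if q.view_all_responses == AFTER_SUBMISSION:
        return q.instance_id in user.submitted_to
    return q.view_all_responses == ALWAYS

def run_thread_scenario(check):
    """Replays the steps from the thread (constructed data) against a
    decision function, as if each student pasted the teacher's report URL."""
    q_never = Questionnaire(instance_id=101, view_all_responses=NEVER)
    student_a = User("Student A", False, frozenset({101}))   # submitted
    student_b = User("Student B", False, frozenset())        # not yet
    student_b_after = User("Student B", False, frozenset({101}))
    return {
        "link shown": show_view_all_link(q_never),
        "A (submitted)": check(student_a, q_never),
        "B (no submission)": check(student_b, q_never),
        "B (after submission)": check(student_b_after, q_never),
    }
```

Running `run_thread_scenario` with each decision function shows the link hidden in both cases, but only the fixed check denies Student B after submitting.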