H5P: Students result and e-mail shows by changing URL

H5P: Students result and e-mail shows by changing URL

by Bjørn Teistung -
Number of replies: 3

Hi, 

I consider this more as a privacy issue than an H5P issue, so I post it here.
We run Moodle 3.9.

A non-editing teacher can see results and e-mailadress in H5P-activity by changing user-id in URL.

I have a non-editing teacher and students in groups in course. Course is set with separate groups.
The non-editing teacher access the Grades by the navigation meny in the course  to see the students results. By clicking the grade analysis button at a h5p activity, the score is shown, so is the students e-mail-adress.

If the non-editing-teacher changes the user-id in the URL, the teacher will se the results and e-mailadress to an other user, that is not connected to this non-editing teacher, and is in an other group. 

When I try the same in a Moodle quiz, the non-editing teacher get the message:

«You are not allowed to review this attempt.»

Is this a known issue?

Kind regards,
Bjørn

Average of ratings: -
In reply to Bjørn Teistung

Re: H5P: Students result and e-mail shows by changing URL

by Tim Hunt -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers
This is a bug. Are you able to report it to the bug tracker? https://docs.moodle.org/dev/Tracker_introduction.
Average of ratings: -
In reply to Bjørn Teistung

Re: H5P: Students result and e-mail shows by changing URL

by Ilya Tregubov -
Picture of Core developers Picture of Moodle HQ Picture of Testers
Hi Bjørn,

I don't have this behavior, but there is smth strange with h5p Grade analysis. So my course has seperate groups 1 and 2 and there are 2 activities - quiz and h5p. And there is non editing teacher in group 1. So I have submissions for both groups and activities for all students. When I am logged in as non editing teacher and I am on gradebook page I am experiencing this (see attached screen recording for Moodle 3.9):

  1. Teacher clicks 'Grade analysis' for grade for quiz for student in group 1 -> Teacher is on Attempt review page and see grade, user info etc
  2. Teacher clicks 'Grade analysis' for grade for h5p for student in group 1 -> There is permission denied page oddly
  3. Teacher changes URL to access grade for quiz for student in group 2 (so not his group) -> Teacher is redirected on review attempts for quiz for group 1
  4. Teacher changes URL to access grade for h5p for student in group 2 (so not his group) -> There is permission denied page

Not sure why I am getting permission denied for case 2. Also case 4 is not consistent with case 3, but I am not able to access userdata for users that are not in my group.

Could you please confirm how it works for you?



 

 


Average of ratings: -