Students view all text for all questions in a course

by Nate Hartmann -
Number of replies: 12
Hi, this is my first question on Moodle forums. I am running Moodle 1.8.3 on Apache 2.2.6 on Fedora 8, but have also reproduced this behavior on today's build of 1.8.4.

Perhaps this is a bug, perhaps this is working as designed, perhaps it is a local configuration issue.

It appears to me that any student who is enrolled in any course on my Moodle can view the text of all questions in all categories for the entire course, regardless of their availability in quizzes.

To reproduce,
1) login as a student in any course.
2) Notice the course id in the URL ( course/view.php?id=4 )
3) Browse directly to question/edit.php?courseid=4
4) Pick a category from the list
5) Check "Show question text in the question list"

As a workaround, I've copied some code from question/preview.php to lock out users who aren't a teacher of any course, and added it to question/edit.php like so:

***************
*** 14,23 ****
--- 14,29 ----
 require_once("../config.php");
 require_once("editlib.php");

 require_login();

+ // this might break things in the future
+ if (!isteacherinanycourse()) {
+ error('This page is for teachers only');
+ }
+
+
 $courseid = required_param('courseid', PARAM_INT);

 // The optional parameter 'clean' allows us to clear module information,
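
Review bot: the added isteacherinanycourse() check runs before $courseid is read, so it cannot be scoped to the course being requested; anyone who teaches any one course still passes it for every courseid. Move the check below the required_param('courseid', PARAM_INT) line and test a permission on that specific course rather than a site-wide role. The comment "this might break things in the future" should also say what is expected to break and why.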

I don't know what customizations may have been done to the Moodle.org instance, but it does not suffer from this bug ( I enrolled in course ID 34, and http://moodle.org/question/edit.php?courseid=34 correctly denies me access to the list of questions. )


How about you? Can an enrolled student in your Moodle's course 1 access http://yourmoodle.dom/moodle/question/edit.php?courseid= ?
-Nate
In reply to Nate Hartmann

Re: Students view all text for all questions in a course

by Joseph Rézeau -
Hi Nate,
I can confirm your findings. However, the probability that a student would find out this way of looking at the text of questions in a course must be near zero. I don't think we should worry. But I'm sure Tim will provide a fix anyway.
Joseph
In reply to Joseph Rézeau

Re: Students view all text for all questions in a course

by Tim Hunt -
I am worried. Can someone file this in the tracker please.
In reply to Joseph Rézeau

Re: Students view all text for all questions in a course

by Ray Lawrence -
Unless they read this discussion.... wink
In reply to Ray Lawrence

Re: Students view all text for all questions in a course

by Joseph Rézeau -
You're right, Ray. Maybe someone with teacher rights in these forums should delete this thread immediately?
In reply to Joseph Rézeau

Re: Students view all text for all questions in a course

by Ray Lawrence -
...but of course it's still visible in the tracker, which references this discussion... thoughtful
In reply to Ray Lawrence

Re: Students view all text for all questions in a course

by Joseph Rézeau -
... oh well, maybe Nate should never have posted this remark in the forum nor in the bug tracker, after all. tongueout
Joseph
In reply to Joseph Rézeau

Re: Students view all text for all questions in a course

by Ray Lawrence -
Not at all. smile Open processes are good, but problematic sometimes... tongueout
In reply to Ray Lawrence

Re: Students view all text for all questions in a course

by Tim Hunt -
Well, things marked as serious security issues in the tracker are hidden from everyone except developers. And I could edit the forum post here to take out the instructions, but I don't think it is worth it.
In reply to Tim Hunt

Re: Students view all text for all questions in a course

by Tim Hunt -
Turns out that this problem was already fixed in 1.9.

I have now fixed it in 1.8 and 1.7. The fix is just to add:

require_capability('moodle/question:manage', $context);

after

require_login($course->id, false);

near the top of question/edit.php.
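
An audit sketch for the pattern this thread turned on, added here as an example and not part of any post or of Moodle itself: it flags entry scripts that call require_login() but have no context-scoped require_capability(). The classification labels, the helper names and the sample files are constructed for illustration, modelled on the snippets quoted above.

```python
import re

# Authentication only: proves who the user is, not what they may see.
LOGIN = re.compile(r"\brequire_login\s*\(")
# Capability check tied to a context variable, the form of the fix in this thread.
SCOPED = re.compile(r"\brequire_capability\s*\(\s*['\"][\w/:]+['\"]\s*,\s*\$\w+")
# Role check with no course argument, the form of the workaround in this thread.
UNSCOPED = re.compile(r"\bisteacherinanycourse\s*\(\s*\)")

def strip_comments(src):
    """Drop /* */ and // comments so a commented-out check is not counted.
    Heuristic: a '//' inside a string literal is stripped too."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//.*", "", src)

def classify(src):
    """Label a PHP entry script by the strongest access check it contains."""
    code = strip_comments(src)
    if not LOGIN.search(code):
        return "no-login"
    if SCOPED.search(code):
        return "scoped"
    if UNSCOPED.search(code):
        return "unscoped"
    return "login-only"

def needs_review(files):
    """Return the names of scripts without a context-scoped capability check."""
    return sorted(n for n, src in files.items() if classify(src) != "scoped")

# Constructed samples modelled on the snippets quoted in the thread.
HEAD = 'require_once("../config.php");\nrequire_once("editlib.php");\n'
SAMPLES = {
    "original.php": HEAD + "require_login();\n"
        "$courseid = required_param('courseid', PARAM_INT);\n",
    "workaround.php": HEAD + "require_login();\n"
        "if (!isteacherinanycourse()) { error('This page is for teachers only'); }\n"
        "$courseid = required_param('courseid', PARAM_INT);\n",
    "fixed.php": HEAD + "require_login($course->id, false);\n"
        "require_capability('moodle/question:manage', $context);\n",
    "disabled.php": HEAD + "require_login($course->id, false);\n"
        "// require_capability('moodle/question:manage', $context);\n",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name:16} {classify(src)}")
```

To run it over a real tree, build the dictionary from the .php files a browser can reach directly; library files that are only included will show up as "no-login" and can be filtered out.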

 
                                    
In reply to Joseph Rézeau

Re: Students view all text for all questions in a course

by Mark Miller -
I wouldn't want to lose the capability of sharing quizzes. We're a high school and have several teachers teaching the same class. We split up the workload so that we don't have all the teachers entering the same quiz/test questions. It works great for us.

mark