Uploaded image for project: 'Sakai'
  1. Sakai
  2. SAK-512

Unauthorized users can take tests via published assessment urls

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: CLOSED
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.0
    • Fix Version/s: 2.1.0
    • Labels:
      None
    • Environment:
      WINXP IE

      Description

      Every published assessment has a PAU (published assessment url) created for it. If an unauthorized user tries to take an assessment by using the url, they should get a 'permission denied' message and be returned to the Sakai portal page. Right now, anyone can see and take the assessment using the PAU, although their answers are not saved.

      Example assessment: 3.11 Marith Open (released to 1 site only, not to anonymous or authenticated users)

      PAU: http://sakai-stable.mit.edu/xtunnel/samigo/servlet/Login?id=marith1110585021718

      Log into any Sakai account with a student role (student1/student1 will work) and then paste that URL into your browser. You should be able to take the assessment even though you're not a member of the site it is released to.

      However, if you click "Submit for Grading" you get a blank page; if you click "Save and Exit" you get a sort of blank assessment page (see attached image 3.14saveandexit).

        Gliffy Diagrams

          Zeplin

            Attachments

              Issue Links

                Activity

                  People

                  Assignee:
                  marith Margaret Petit (Inactive)
                  Reporter:
                  marith Margaret Petit (Inactive)
                  Votes:
                  0 Vote for this issue
                  Watchers:
                  0 Start watching this issue

                    Dates

                    Created:
                    Updated:
                    Resolved:

                      Git Integration