Moodle
  1. Moodle
  2. MDL-19145

Moodle extension for Safe Exam Browser

    Details

    • Type: New Feature New Feature
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 1.9.4
    • Fix Version/s: 1.9.6
    • Component/s: Quiz
    • Labels:
      None
    • Environment:
      Any
    • Database:
      Any
    • Affected Branches:
      MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE
    • Rank:
      24914

      Description

      The university of Giessen and the ETH Zurich developed a software for secure online exams called "Safe Exam Browser" (http://www.safeexambrowser.org). This open-source software comes with an extension for Moodle. Features:

      • Fullscreen mode (without any navigation elements).
      • Prohibits close or leave the window with the quiz
      • Disables shortcuts/keys as Win, Ctrl+Alt+Del, Alt+F4, F1, Ctrl+p, Printscreen, ...
      • Disables right-click
      • Disables switch to other applications
      • Prohibits surf the internet

      Extension for Moodle quiz:

      • Disables navigation to other resources in the Moodle quiz
      • Assures that a quiz can be taken with the Safe Exam Browser exclusively
      • Adds a new entry in the security settings of a quiz in Moodle (see attachment)

      There is a discussion topic in the quiz forum of Moodle: http://moodle.org/mod/forum/discuss.php?d=111732

      T. Hunt reviewed a first version of the Moodle extension and gave us some inputs for improvements:

      >>> In principle, I am happy to add the necessary hooks to Moodle core
      >>> to support this, though it would require some changes to the current
      >>> patch first:
      >>>
      >>> 1) We need an overall admin setting
      >>> $CFG->enablesafebrowserintegration, probably under Administration ->
      >>> Miscellaneous -> Experimental for now, which is disabled by default.
      >>> That way, the new options only show up on sites where they might be
      >>> relevant.

      Done.

      >>> 2) It would be nice to avoid having to change the database. I think
      >>> we should us the existing 'secure window' column (which is actually
      >>> called popup in the database). We should rename the setting (I can't
      >>> think of a good name now. 'Browser security' is the best I can do,
      >>> but I don't think it is good enough) with three settings:
      >>> - None
      >>> - Full screen pop-up with added JavsScript 'security'
      >>> - Require the use of the Safe browser
      >>> those would be stored as 0, 1, 2 in the existing database column.
      >>> The third option only appears if $CFG->enablesafebrowserintegration
      >>> is set.
      >>> That then requires reviewing all the checks on ->popup in the code
      >>> and changing them.

      Done. 'Browser security' seems a good suggestion for these settings.

      >>> 3) I don't think 'mod/quiz:manage' is the right capability for
      >>> avoiding the check. For secure window, we check 'mod/quiz:preview'

      Done.

      >>> 4) I would move the user-agent check into a function in
      >>> mod/quiz/locallib.php, or even see whether we could user/modify the
      >>> existing browser check functions in weblib/moodlelib or wherever
      >>> they are.

      Done. The user-agent check is now a function in mod/quiz/locallib.php.

      >>> 5) The way you are hiding the breadcrumbs by injecting CSS into the
      >>> header is pretty ugly (and not very secure). Isn't the way the
      >>> existing secure window does it, but using a different call to
      >>> print_header, better?

      Done. The breadcrumbs are now hidden by calling a print_header with different parameters.

      >>> 6) Obviously, you don't have the '//START/END quiz_for_safe_browser'
      >>> comments in a patch intended for core code.

      Done.

      >>> If you can
      >>> * get a patch that does that (especially the admin setting to turn
      >>> it off completely, and no database changes) attached to a tracker
      >>> issue,
      >>> * get at least some people to vote on that issue, and
      >>> * if you can make patches for both moodle 1.9 and 2.0, which will
      >>> necessarily be quite different, becuase I have been changing things.

      A patch of the extension for Moodle 1.9 and for Moodle 2.0 is attached to this issue.

      1. moodle1.9_quiz_safe_browser_oliver-tim.patch
        18 kB
        Tim Hunt
      2. moodle1.9_quiz_safe_browser_tim.patch
        21 kB
        Tim Hunt
      3. moodle1.9_quiz_safe_browser.patch
        18 kB
        Oliver Rahs
      4. moodle2.0_quiz_safe_browser_revised.patch
        17 kB
        Oliver Rahs
      5. moodle2.0_quiz_safe_browser.patch
        15 kB
        Oliver Rahs
      1. quiz_security_settings.png
        21 kB

        Activity

        Hide
        Tim Hunt added a comment -

        Thanks. I am on holiday until the middle of next week. I'll look at the patch when I get back. (If I seem to have forgotten, please remind me.)

        Show
        Tim Hunt added a comment - Thanks. I am on holiday until the middle of next week. I'll look at the patch when I get back. (If I seem to have forgotten, please remind me.)
        Hide
        Tim Hunt added a comment -

        Looks good. Nearly ready to commit.

        Just a few minor codind style problems that I will fix myself (but see http://docs.moodle.org/en/Development:Coding_style for future reference):

        1. You have a few tabs for indent. Should be 4 spaces.

        2. Better to use '' for strings instead of "" if you are not interpolating variables.

        3. You should not change existing language strings - the same language packs are used for all versions of Moodle, so instead create a new string and change all references to it. This also makes it easier for translators to know when there is something to be translated. Same for help files.

        Show
        Tim Hunt added a comment - Looks good. Nearly ready to commit. Just a few minor codind style problems that I will fix myself (but see http://docs.moodle.org/en/Development:Coding_style for future reference): 1. You have a few tabs for indent. Should be 4 spaces. 2. Better to use '' for strings instead of "" if you are not interpolating variables. 3. You should not change existing language strings - the same language packs are used for all versions of Moodle, so instead create a new string and change all references to it. This also makes it easier for translators to know when there is something to be translated. Same for help files.
        Hide
        Tim Hunt added a comment -

        The good news is that I have re-worked you patch against Moodle 1.9 to make it a bit better (I think). That is attached as moodle1.9_quiz_safe_browser_tim.patch. I also attach moodle1.9_quiz_safe_browser_oliver-tim.patch which is the difference between Moodle 1.9 with your patch applied, and Moodle 1.9 with my patch applied.

        The bad news is that I have not yet merged this to Moodle 2.0, nor have I tested it enough. And I really ought to be working on other things, even though it would be nice to get this done.

        Is there any chance you could give me revised patch some more testing, and/or make a revised 2.0 patch?

        Also, you are welcome to review what I have changed, and complain about any of the changes that you don't like. Thanks.

        Show
        Tim Hunt added a comment - The good news is that I have re-worked you patch against Moodle 1.9 to make it a bit better (I think). That is attached as moodle1.9_quiz_safe_browser_tim.patch. I also attach moodle1.9_quiz_safe_browser_oliver-tim.patch which is the difference between Moodle 1.9 with your patch applied, and Moodle 1.9 with my patch applied. The bad news is that I have not yet merged this to Moodle 2.0, nor have I tested it enough. And I really ought to be working on other things, even though it would be nice to get this done. Is there any chance you could give me revised patch some more testing, and/or make a revised 2.0 patch? Also, you are welcome to review what I have changed, and complain about any of the changes that you don't like. Thanks.
        Hide
        Tim Hunt added a comment -

        By the way, quiz_check_safe_browser is not very secure (which is lucky for testing!). If you wanted an over-engineered, but secure scheme, I would suggest that SEB should add a custom header to the request:

        X-SEB-Request-Hash:

        {md5hash of something that depends on the rest of the request}

        Then check that the hash is write in the PHP.

        Show
        Tim Hunt added a comment - By the way, quiz_check_safe_browser is not very secure (which is lucky for testing!). If you wanted an over-engineered, but secure scheme, I would suggest that SEB should add a custom header to the request: X-SEB-Request-Hash: {md5hash of something that depends on the rest of the request} Then check that the hash is write in the PHP.
        Hide
        Oliver Rahs added a comment -

        Thanks.
        Ok, I will start to test the patch for Moodle 1.9 and make a new patch for Moodle 2.0.

        You are right, that quiz_check_safe_browser is not very secure at the moment -> a custom header to the request seems a better solution for this. I try to implement it this way.

        Show
        Oliver Rahs added a comment - Thanks. Ok, I will start to test the patch for Moodle 1.9 and make a new patch for Moodle 2.0. You are right, that quiz_check_safe_browser is not very secure at the moment -> a custom header to the request seems a better solution for this. I try to implement it this way.
        Hide
        Oliver Rahs added a comment -

        Revised patch for Moodle 2.0

        Show
        Oliver Rahs added a comment - Revised patch for Moodle 2.0
        Hide
        Oliver Rahs added a comment -

        I've tested and reviewed the patch for Moodle 1.9 with your customizations.
        -> it looks very good, we couldn't find any bugs.

        A revised version of the patch for Moodle 2.0 is added to this issue. Tests were successful for Moodle 2.0, too.
        -> moodle2.0_quiz_safe_browser_revised.patch.
        (I really like the new software design of the quiz module in Moodle 2.0)

        Show
        Oliver Rahs added a comment - I've tested and reviewed the patch for Moodle 1.9 with your customizations. -> it looks very good, we couldn't find any bugs. A revised version of the patch for Moodle 2.0 is added to this issue. Tests were successful for Moodle 2.0, too. -> moodle2.0_quiz_safe_browser_revised.patch. (I really like the new software design of the quiz module in Moodle 2.0)
        Hide
        Tim Hunt added a comment -

        Ah cool. Thanks.

        (I am in the middle of some big change at the moment, and so am liable to forget about this bug. If I have not done anything with this in a week or so, please send me a tactful reminder.)

        Show
        Tim Hunt added a comment - Ah cool. Thanks. (I am in the middle of some big change at the moment, and so am liable to forget about this bug. If I have not done anything with this in a week or so, please send me a tactful reminder.)
        Hide
        Tim Hunt added a comment -

        I know I have been ignoring this. Sorry about that. Today is my last day at Moodle HQ in Perth, then I fly back to the UK on Sunday. I start work again at the Open University at the start of September. I will probably do some miscellaneous Moodle work during August, including finishing this. Anyway, just to say that I have not forgotten about you, it is just that I am busy.

        Show
        Tim Hunt added a comment - I know I have been ignoring this. Sorry about that. Today is my last day at Moodle HQ in Perth, then I fly back to the UK on Sunday. I start work again at the Open University at the start of September. I will probably do some miscellaneous Moodle work during August, including finishing this. Anyway, just to say that I have not forgotten about you, it is just that I am busy.
        Hide
        Tim Hunt added a comment -

        Thank you for your patience. I have finally had time to commit this. I have also added it to the 1.9.6 release notes.

        Show
        Tim Hunt added a comment - Thank you for your patience. I have finally had time to commit this. I have also added it to the 1.9.6 release notes.
        Hide
        Marco Lehre added a comment -

        This is a feature request:

        In the secure window for Safe Exam Browser, the name of the student who is logged in and takes the exam is not visible during the test. Authentication is a problem because it is not possible to check if the student in front of the computer is the same who is logged in at Moodle.

        Would it be possible to show the name and surmane of the student in the upper right corner of the window during a test with Safe Exam Browser?

        Best regards
        Marco

        Show
        Marco Lehre added a comment - This is a feature request: In the secure window for Safe Exam Browser, the name of the student who is logged in and takes the exam is not visible during the test. Authentication is a problem because it is not possible to check if the student in front of the computer is the same who is logged in at Moodle. Would it be possible to show the name and surmane of the student in the upper right corner of the window during a test with Safe Exam Browser? Best regards Marco
        Hide
        Tim Hunt added a comment -

        This feature is there in Moodle 2.0. You can choose to show the student's name and avatar during the quiz attempt.

        Show
        Tim Hunt added a comment - This feature is there in Moodle 2.0. You can choose to show the student's name and avatar during the quiz attempt.

          People

          • Votes:
            9 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: