Moodle
  1. Moodle
  2. MDL-26260

Loophole in quiz 'secure mode' in some themes

    Details

    • Testing Instructions:
      Hide

      1. Create a quiz with Browser security set to "... popup ..."

      2. Attempt the quiz as a student. Try to defeat the security by clicking the the few pixels around the edge of the screen. In particular try to

      • get the context menu to appear
      • start to drag to select some text

      3. Ignore the fact that in Moodle 2.0, you get multiple alerts for each click. That seems to be a YUI bug. If it is causing you problems, you need to upgrade to Moodle 2.1 or later.

      Show
      1. Create a quiz with Browser security set to "... popup ..." 2. Attempt the quiz as a student. Try to defeat the security by clicking the the few pixels around the edge of the screen. In particular try to get the context menu to appear start to drag to select some text 3. Ignore the fact that in Moodle 2.0, you get multiple alerts for each click. That seems to be a YUI bug. If it is causing you problems, you need to upgrade to Moodle 2.1 or later.
    • Affected Branches:
      MOODLE_20_STABLE, MOODLE_21_STABLE, MOODLE_22_STABLE, MOODLE_23_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE, MOODLE_21_STABLE, MOODLE_22_STABLE
    • Pull from Repository:
    • Pull Master Branch:
    • Rank:
      15873

      Description

      When attempting a quiz in secure mode as a student, it attempts to disable right click by using JavaScript. When a right click is detected, a popup box comes up, but then gets stuck in a loop which forces the user to have to close the page which cancels the quiz attempt. Added a detach call in to the function so it does not loop until another right click event is called. Also disabled the double alert boxes appearing by disabling the message from appearing when the context menu tries to appear.

      Whilst testing this, another loophole was detected where you could right click on the boundary of the page and the right click context menu would appear just fine. This was because it was only triggering the event on 'document.body'. Changing this to 'document' seems to have patched this.

        Issue Links

          Activity

            People

            • Votes:
              2 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: