-
Bug
-
Resolution: Fixed
-
Minor
-
2.2.4, 2.3.1, 2.4
-
MOODLE_22_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE
-
MOODLE_22_STABLE, MOODLE_23_STABLE
-
The question preview pop-up window (question/preview.php) uses the session in a weird way as a security measure.
On the OU's system, with multiple web servers, this test is failing even when it should not, which many be some sort of race condition / concurrency problem.
Anyway, the use of session here is weird, and I cannot remember why I did it that way. A better way to make this secure is to change the preview code so that the $quba belongs to the user's context. Then we can validate that the preview belongs to the current user in a robust way.