[MDL-34862] Question preview session checks sometimes fail - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.2.4, 2.3.1, 2.4
Fix Version/s: 2.2.5, 2.3.2
Component/s: Questions
Labels:
- triaged

Affected Branches:
MOODLE_22_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE
Fixed Branches:
MOODLE_22_STABLE, MOODLE_23_STABLE
Pull from Repository:
git://github.com/timhunt/moodle.git
Pull Master Branch:
~~MDL-34862~~
Pull Master Diff URL:
https://github.com/timhunt/moodle/compare/master...MDL-34862
Testing Instructions:
Hide

Go into the question bank in a course and preview a question.

Verify that previewing the question works.

I am struggling to think of anything else that needs testing here. These things might be worth trying:

In the course settings, try forcing the theme or the language, then reload the preview window. Verify that the preview respects the course settings.

Try a preview from the quiz editing page instead.

Preview a question in adaptive mode. After Checking some answers, copy and paste the URL from the preview window into another web browser. You should be able to continue from where you left off. (Previously, this would have failed.)
Show
Go into the question bank in a course and preview a question. Verify that previewing the question works. I am struggling to think of anything else that needs testing here. These things might be worth trying: In the course settings, try forcing the theme or the language, then reload the preview window. Verify that the preview respects the course settings. Try a preview from the quiz editing page instead. Preview a question in adaptive mode. After Checking some answers, copy and paste the URL from the preview window into another web browser. You should be able to continue from where you left off. (Previously, this would have failed.)

Description

The question preview pop-up window (question/preview.php) uses the session in a weird way as a security measure.

On the OU's system, with multiple web servers, this test is failing even when it should not, which many be some sort of race condition / concurrency problem.

Anyway, the use of session here is weird, and I cannot remember why I did it that way. A better way to make this secure is to change the preview code so that the $quba belongs to the user's context. Then we can validate that the preview belongs to the current user in a robust way.

Attachments

Activity

People

Assignee:: Tim Hunt

Reporter:: Tim Hunt

Integrator:: Eloy Lafuente (stronk7)

Tester:: Andrew Davis

Participants:: Andrew Davis, Eloy Lafuente (stronk7), Tim Hunt

Component watchers:: Safat Shahin, Tim Hunt, Ilya Tregubov, Kevin Percy, Mathew May, Mihail Geshoski, Shamim Rezaie

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 14/Aug/12 7:52 AM

Updated:: 17/Aug/12 3:25 PM

Resolved:: 17/Aug/12 3:25 PM

Fix Release Date:: 10/Sep/12