Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-34862

Question preview session checks sometimes fail

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.2.4, 2.3.1, 2.4
    • Fix Version/s: 2.2.5, 2.3.2
    • Component/s: Questions
    • Labels:
    • Testing Instructions:
      Hide
      1. Go into the question bank in a course and preview a question.
      2. Verify that previewing the question works.

      I am struggling to think of anything else that needs testing here. These things might be worth trying:

      1. In the course settings, try forcing the theme or the language, then reload the preview window. Verify that the preview respects the course settings.
      2. Try a preview from the quiz editing page instead.
      3. Preview a question in adaptive mode. After Checking some answers, copy and paste the URL from the preview window into another web browser. You should be able to continue from where you left off. (Previously, this would have failed.)
      Show
      Go into the question bank in a course and preview a question. Verify that previewing the question works. I am struggling to think of anything else that needs testing here. These things might be worth trying: In the course settings, try forcing the theme or the language, then reload the preview window. Verify that the preview respects the course settings. Try a preview from the quiz editing page instead. Preview a question in adaptive mode. After Checking some answers, copy and paste the URL from the preview window into another web browser. You should be able to continue from where you left off. (Previously, this would have failed.)
    • Affected Branches:
      MOODLE_22_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE
    • Fixed Branches:
      MOODLE_22_STABLE, MOODLE_23_STABLE
    • Pull from Repository:
    • Pull Master Branch:

      Description

      The question preview pop-up window (question/preview.php) uses the session in a weird way as a security measure.

      On the OU's system, with multiple web servers, this test is failing even when it should not, which many be some sort of race condition / concurrency problem.

      Anyway, the use of session here is weird, and I cannot remember why I did it that way. A better way to make this secure is to change the preview code so that the $quba belongs to the user's context. Then we can validate that the preview belongs to the current user in a robust way.

        Attachments

          Activity

            People

            • Assignee:
              timhunt Tim Hunt
              Reporter:
              timhunt Tim Hunt
              Integrator:
              Eloy Lafuente (stronk7)
              Tester:
              Andrew Davis
              Participants:
              Component watchers:
              Tim Hunt, Andrew Nicols, Mathew May, Michael Hawkins, Shamim Rezaie, Simey Lameze
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                10/Sep/12