Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-68632

quizaccess_seb doesnt limit privacy api queries to the quiz course module

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 3.9
    • 3.9
    • Quiz
    • MOODLE_39_STABLE
    • MOODLE_39_STABLE
    • Hide

      Test that SEB data still gets properly exported:

      • As an admin:
        Enable tool_dataprivacy | automaticdataexportapproval
        Enable tool_dataprivacy | contactdataprotectionofficer
      • Login as a teacher, add an activity of type quiz to a course.
      • In the quiz, edit the settings for 'Require the use of Safe Exam Browser' to be 'Yes – Configure manually'.
      • Save the activity.
      • Under profile > Data requests, request a data export
      • Run adhoc tasks (to process the export): `php admin/cli/adhoc_task.php --execute`
      • As the teacher, download the now available export
      • VERIFY the export contains Safe Exam Browser access rules data
      Show
      Test that SEB data still gets properly exported: As an admin: Enable tool_dataprivacy | automaticdataexportapproval Enable tool_dataprivacy | contactdataprotectionofficer Login as a teacher, add an activity of type quiz to a course. In the quiz, edit the settings for 'Require the use of Safe Exam Browser' to be 'Yes – Configure manually'. Save the activity. Under profile > Data requests, request a data export Run adhoc tasks (to process the export): `php admin/cli/adhoc_task.php --execute` As the teacher, download the now available export VERIFY the export contains Safe Exam Browser access rules data

    Description

      The privacy provider for quizaccess_seb looks course modules with just the instance matching the quiz id - it doesnt make sure that the instance actually belongs to a quiz however - polluting the results with non-quizzes.

      Example quizaccess_seb privacy query:

       // SEB quiz settings.
       $sql = "SELECT qs.id as id,
       qs.quizid as quizid,
       qs.usermodified as usermodified,
       qs.timecreated as timecreated,
       qs.timemodified as timemodified
       FROM {quizaccess_seb_quizsettings} qs
       JOIN {course_modules} cm ON cm.instance = qs.quizid

      And a similar query used by quizreport_group privacy:

               $sql = "SELECT c.id
                        FROM {context} c
                        JOIN {course_modules} cm ON cm.id = c.instanceid AND c.contextlevel = :contextlevel
                        JOIN {modules} m ON m.id = cm.module AND m.name = :modname
                        JOIN {quiz_group_attempts} qga ON qga.quizid = cm.instance
                        JOIN {user} u ON u.id = qga.userid
                       WHERE u.id = :userid";
      

       

      Note that a JOIN is performed onto the modules table to ensure we limit course_modules to quizzes.

      Attachments

        Issue Links

          Activity

            People

              aolley Adam Olley
              aolley Adam Olley
              Tim Hunt Tim Hunt
              Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
              Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
              Tim Hunt, Amaia Anabitarte, Brett Dalton, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Kevin Percy, Laurent David, Mathew May, Mihail Geshoski, Sabina Abellan, Sara Arjona (@sarjona), Shamim Rezaie
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                15/Jun/20

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 2 hours, 35 minutes
                  2h 35m