-
Bug
-
Resolution: Fixed
-
Minor
-
3.9.1
-
MOODLE_39_STABLE
-
MOODLE_39_STABLE
-
MDL-69645-master -
When a quiz is configured with "Require the use of Safe Exam Browser: YES – Configure manually", on Mac clients, the Safe Exam Browser's Preferences window can be opened during the quiz, without having to enter a Safe Exam Browser (SEB) administrator password. When the Preferences window is open, then SEB temporarily switches off its kiosk (single app) mode. Students then can switch to any app on their Mac, including the Finder and web browsers and communication applications.
Normally an SEB exam configuration MUST have an administrator password set, because it protects the Preferences menu to be opened on SEB for macOS. It also prevents an SEB configuration to be opened for editing in the SEB Config Tool on Windows. Editing config files isn’t the issue here, as the Config Key request header hash value check prevents students to access a quiz with an edited SEB configuration. Also Moodle generated SEB configuration files are not encrypted, therefore setting an administrator password to prevent editing the file isn't relevant. In this case only opening the Preferences window during a quiz is a problem, this can easily be prevented by including the SEB setting allowPreferencesWindow = false in the configuration generated by Moodle.
Steps to reproduce:
- Create a quiz and set "Require the use of Safe Exam Browser: YES – Configure manually"
- Open the quiz with SEB for macOS (either SEB 2.1.5pre2 or SEB 2.2.1 for macOS)
- Select "Preferences" from the "SafeExamBrowser" menu in the macOS menu bar or press cmd-,
- The Preferences menu is displayed, without having to enter any password. Now you can switch to other running applications using cmd-Tab
Expected behavior:
- Preferences window in SEB for macOS cannot be opened during a quiz
Actual behavior:
- Preferences window can be opened during the quiz
To test the mitigating setting allowPreferencesWindow = false, you can select the "Config File" tab in the Preferences window and deselect (disable) "Allow to open preferences window on client", then tap "Apply and Restart SEB". Now you cannot open the Preferences menu anymore.
