Fix proctor login for login_proctor users with Proctor status.
#2327
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pstaabp
approved these changes
Feb 21, 2024
This was broken by openwebwork#2252. The issue is that `login_proctor` users with `Proctor` status do not have the `allow_course_access` behavior. Thus the check on line 509 of `lib/WeBWorK/Authen.pm` fails. So this skips that check if the `login_type` starts with "proctor". This will only be true if the `WeBWorK::Authen::Proctor` module is the current authentication module and the `proctor_user` parameter is set. Note that the proctor authen module already checks all of the necessary permissions, so this check is not needed. When the check on line 509 of `lib/WeBWorK/Authen.pm` was in the `check_user` method of `WeBWorK::Authen` this check was not even done by the `WeBWorK::Authen::Proctor` module because that module overrides the `check_user` method. To test this create a proctored test that is set with a "Proctor Authorization Type" of "Both Start and Grade", and create a `login_proctor` user with the `Proctor` status. Proctor authentication should succeed if the `login_proctor` user's credentials are entered on the proctor login page. For the develop branch this not only fails, but the message "This user is not allowed to log in to this course" is shown. While that message is true, it is not applicable here. That is the whole point of a `login_proctor`. Note that set level proctors (hidden users created if you set the "Password" in the "Proctoring Parameters" for a test) automatically have "Proctor" status. So set level proctoring is completely broken. Also move session creation and setting of `$self->{initial_login}` to 1 until after the checks now on lines 509-521 of `lib/WeBWorK/Authen.pm`. Those things should not be done if `verify_normal_user` is returning 0.
drgrice1
force-pushed
the
bugfix/login_proctor
branch
from
1cebe43 to
57f13f8
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This was broken by #2252. The issue is that
login_proctorusers withProctorstatus do not have theallow_course_accessbehavior. Thus the check on line 509 oflib/WeBWorK/Authen.pmfails. So this skips that check if thelogin_typestarts with "proctor". This will only be true if theWeBWorK::Authen::Proctormodule is the current authentication module and theproctor_userparameter is set. Note that the proctor authen module already checks all of the necessary permissions, so this check is not needed. When the check on line 509 oflib/WeBWorK/Authen.pmwas in thecheck_usermethod ofWeBWorK::Authenthis check was not even done by theWeBWorK::Authen::Proctormodule because that module overrides thecheck_usermethod.To test this create a proctored test that is set with a "Proctor Authorization Type" of "Both Start and Grade", and create a
login_proctoruser with theProctorstatus. Proctor authentication should succeed if thelogin_proctoruser's credentials are entered on the proctor login page. For the develop branch this not only fails, but the message "This user is not allowed to log in to this course" is shown. While that message is true, it is not applicable here. That is the whole point of alogin_proctor. Note that set level proctors (hidden users created if you set the "Password" in the "Proctoring Parameters" for a test) automatically have "Proctor" status. So set level proctoring is completely broken.Also move session creation and setting of
$self->{initial_login}to 1 until after the checks now on lines 509-521 oflib/WeBWorK/Authen.pm. Those things should not be done ifverify_normal_useris returning 0.