Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-68632

quizaccess_seb doesnt limit privacy api queries to the quiz course module

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Minor Minor
    • 3.9
    • 3.9
    • Quiz
    • MOODLE_39_STABLE
    • MOODLE_39_STABLE
    • Hide

      Test that SEB data still gets properly exported:

      • As an admin:
        Enable tool_dataprivacy | automaticdataexportapproval
        Enable tool_dataprivacy | contactdataprotectionofficer
      • Login as a teacher, add an activity of type quiz to a course.
      • In the quiz, edit the settings for 'Require the use of Safe Exam Browser' to be 'Yes – Configure manually'.
      • Save the activity.
      • Under profile > Data requests, request a data export
      • Run adhoc tasks (to process the export): `php admin/cli/adhoc_task.php --execute`
      • As the teacher, download the now available export
      • VERIFY the export contains Safe Exam Browser access rules data
      Show
      Test that SEB data still gets properly exported: As an admin: Enable tool_dataprivacy | automaticdataexportapproval Enable tool_dataprivacy | contactdataprotectionofficer Login as a teacher, add an activity of type quiz to a course. In the quiz, edit the settings for 'Require the use of Safe Exam Browser' to be 'Yes – Configure manually'. Save the activity. Under profile > Data requests, request a data export Run adhoc tasks (to process the export): `php admin/cli/adhoc_task.php --execute` As the teacher, download the now available export VERIFY the export contains Safe Exam Browser access rules data

      The privacy provider for quizaccess_seb looks course modules with just the instance matching the quiz id - it doesnt make sure that the instance actually belongs to a quiz however - polluting the results with non-quizzes.

      Example quizaccess_seb privacy query:

       // SEB quiz settings.
      		 
       $sql = "SELECT qs.id as id,
      		 
       qs.quizid as quizid,
      		 
       qs.usermodified as usermodified,
      		 
       qs.timecreated as timecreated,
      		 
       qs.timemodified as timemodified
      		 
       FROM {quizaccess_seb_quizsettings} qs
      		 
       JOIN {course_modules} cm ON cm.instance = qs.quizid

      And a similar query used by quizreport_group privacy:

               $sql = "SELECT c.id
      		 
                        FROM {context} c
      		 
                        JOIN {course_modules} cm ON cm.id = c.instanceid AND c.contextlevel = :contextlevel
      		 
                        JOIN {modules} m ON m.id = cm.module AND m.name = :modname
      		 
                        JOIN {quiz_group_attempts} qga ON qga.quizid = cm.instance
      		 
                        JOIN {user} u ON u.id = qga.userid
      		 
                       WHERE u.id = :userid";

       

      Note that a JOIN is performed onto the modules table to ensure we limit course_modules to quizzes.

        1. seb_access_rules.png
          seb_access_rules.png
          47 kB

            aolley Adam Olley
            aolley Adam Olley
            Tim Hunt Tim Hunt
            Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
            Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 2 hours, 35 minutes
                2h 35m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.