Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

give better information to certin users who are denied entry #2252

Merged
merged 1 commit into from
Nov 20, 2023

Conversation

Alex-Jordan
Copy link
Contributor

Currently, if you are a user with a role of Dropped or Proctor, when you try to log in, you get the message Invalid user ID or password. This is particularly confusing/misleading for a student who was dropped who tries to get back in to WeBWorK using the username/password that worked for them in the past.

You also get the same message if the login permission level has been set high. I sometimes do this if I want to temporarily deny all students access to a course. Seeing Invalid user ID or password. is again misleading.

This PR changes things so that if one of the above situations happens, if that person gets past the point of entering a valid username/password combination, they are told more specifically This user is not allowed to log in to this course. It lets them know they have the right credentials, but for some reason are denied access right now.

I don't believe this leaks information, since they have to have the correct username/password to get this message.

Copy link
Member

@drgrice1 drgrice1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is okay. However, note that this does not apply to any authentication module that overrides the get_credentials or check_user methods. Both of the LTI authentication modules do this. Furthermore, both of those modules have similar code for this. They should probably be modified in the same way.

Although, it seems that there is a missing step in the authentication modules in general. Authentication should not be checking permissions before verifying credentials to begin with (so the change in order here is correct). It would be better if the permission checks would be in an additional method that comes after the verification. Then the other modules could just call that even if they override the verification method. This is easy to implement. Just add another step in the do_verify method, and the authentication procedure becomes

  • get_credentials
  • check_user
  • verify_user
  • check_user_permissions

@drgrice1
Copy link
Member

By the way, there is something odd here. I checked out this branch from GitHub and got access_denied. 😜

@pstaabp
Copy link
Member

pstaabp commented Nov 20, 2023

I changed the login permission level to professor and got the new login message.

@pstaabp pstaabp merged commit 730c704 into openwebwork:develop Nov 20, 2023
1 check passed
drgrice1 added a commit to drgrice1/webwork2 that referenced this pull request Feb 15, 2024
This was broken by openwebwork#2252.  The issue is that `login_proctor` users with
`Proctor` status do not have the `allow_course_access` behavior.  Thus
the check on line 509 of `lib/WeBWorK/Authen.pm` fails.  So this skips
that check if the `login_type` starts with "proctor".  This will only be
true if the `WeBWorK::Authen::Proctor` module is the current
authentication module and the `proctor_user` parameter is set.  Note
that the proctor authen module already checks all of the necessary
permissions, so this check is not needed.  When the check on line 509 of
`lib/WeBWorK/Authen.pm` was in the `check_user` method of
`WeBWorK::Authen` this check was not even done by the
`WeBWorK::Authen::Proctor` module because that module overrides the
`check_user` method.

To test this create a proctored test that is set with a "Proctor
Authorization Type" of "Both Start and Grade", and create a
`login_proctor` user with the `Proctor` status. Proctor authentication
should succeed if the `login_proctor` user's credentials are entered on
the proctor login page.  For the develop branch this not only fails, but
the message "This user is not allowed to log in to this course" is
shown.  While that message is true, it is not applicable here.  That is
the whole point of a `login_proctor`.  Note that set level proctors
(hidden users created if you set the "Password" in the "Proctoring
Parameters" for a test) automatically have "Proctor" status.  So set
level proctoring is completely broken.
drgrice1 added a commit to drgrice1/webwork2 that referenced this pull request Feb 15, 2024
This was broken by openwebwork#2252.  The issue is that `login_proctor` users with
`Proctor` status do not have the `allow_course_access` behavior.  Thus
the check on line 509 of `lib/WeBWorK/Authen.pm` fails.  So this skips
that check if the `login_type` starts with "proctor".  This will only be
true if the `WeBWorK::Authen::Proctor` module is the current
authentication module and the `proctor_user` parameter is set.  Note
that the proctor authen module already checks all of the necessary
permissions, so this check is not needed.  When the check on line 509 of
`lib/WeBWorK/Authen.pm` was in the `check_user` method of
`WeBWorK::Authen` this check was not even done by the
`WeBWorK::Authen::Proctor` module because that module overrides the
`check_user` method.

To test this create a proctored test that is set with a "Proctor
Authorization Type" of "Both Start and Grade", and create a
`login_proctor` user with the `Proctor` status. Proctor authentication
should succeed if the `login_proctor` user's credentials are entered on
the proctor login page.  For the develop branch this not only fails, but
the message "This user is not allowed to log in to this course" is
shown.  While that message is true, it is not applicable here.  That is
the whole point of a `login_proctor`.  Note that set level proctors
(hidden users created if you set the "Password" in the "Proctoring
Parameters" for a test) automatically have "Proctor" status.  So set
level proctoring is completely broken.

Also move session creation and setting of `$self->{initial_login}` to 1
until after the checks now on lines 509-521 of `lib/WeBWorK/Authen.pm`.
Those things should not be done if `verify_normal_user` is returning 0.
drgrice1 added a commit to drgrice1/webwork2 that referenced this pull request Feb 21, 2024
This was broken by openwebwork#2252.  The issue is that `login_proctor` users with
`Proctor` status do not have the `allow_course_access` behavior.  Thus
the check on line 509 of `lib/WeBWorK/Authen.pm` fails.  So this skips
that check if the `login_type` starts with "proctor".  This will only be
true if the `WeBWorK::Authen::Proctor` module is the current
authentication module and the `proctor_user` parameter is set.  Note
that the proctor authen module already checks all of the necessary
permissions, so this check is not needed.  When the check on line 509 of
`lib/WeBWorK/Authen.pm` was in the `check_user` method of
`WeBWorK::Authen` this check was not even done by the
`WeBWorK::Authen::Proctor` module because that module overrides the
`check_user` method.

To test this create a proctored test that is set with a "Proctor
Authorization Type" of "Both Start and Grade", and create a
`login_proctor` user with the `Proctor` status. Proctor authentication
should succeed if the `login_proctor` user's credentials are entered on
the proctor login page.  For the develop branch this not only fails, but
the message "This user is not allowed to log in to this course" is
shown.  While that message is true, it is not applicable here.  That is
the whole point of a `login_proctor`.  Note that set level proctors
(hidden users created if you set the "Password" in the "Proctoring
Parameters" for a test) automatically have "Proctor" status.  So set
level proctoring is completely broken.

Also move session creation and setting of `$self->{initial_login}` to 1
until after the checks now on lines 509-521 of `lib/WeBWorK/Authen.pm`.
Those things should not be done if `verify_normal_user` is returning 0.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants