-
-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
give better information to certin users who are denied entry #2252
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is okay. However, note that this does not apply to any authentication module that overrides the get_credentials
or check_user
methods. Both of the LTI authentication modules do this. Furthermore, both of those modules have similar code for this. They should probably be modified in the same way.
Although, it seems that there is a missing step in the authentication modules in general. Authentication should not be checking permissions before verifying credentials to begin with (so the change in order here is correct). It would be better if the permission checks would be in an additional method that comes after the verification. Then the other modules could just call that even if they override the verification method. This is easy to implement. Just add another step in the do_verify
method, and the authentication procedure becomes
- get_credentials
- check_user
- verify_user
- check_user_permissions
By the way, there is something odd here. I checked out this branch from GitHub and got |
I changed the login permission level to professor and got the new login message. |
This was broken by openwebwork#2252. The issue is that `login_proctor` users with `Proctor` status do not have the `allow_course_access` behavior. Thus the check on line 509 of `lib/WeBWorK/Authen.pm` fails. So this skips that check if the `login_type` starts with "proctor". This will only be true if the `WeBWorK::Authen::Proctor` module is the current authentication module and the `proctor_user` parameter is set. Note that the proctor authen module already checks all of the necessary permissions, so this check is not needed. When the check on line 509 of `lib/WeBWorK/Authen.pm` was in the `check_user` method of `WeBWorK::Authen` this check was not even done by the `WeBWorK::Authen::Proctor` module because that module overrides the `check_user` method. To test this create a proctored test that is set with a "Proctor Authorization Type" of "Both Start and Grade", and create a `login_proctor` user with the `Proctor` status. Proctor authentication should succeed if the `login_proctor` user's credentials are entered on the proctor login page. For the develop branch this not only fails, but the message "This user is not allowed to log in to this course" is shown. While that message is true, it is not applicable here. That is the whole point of a `login_proctor`. Note that set level proctors (hidden users created if you set the "Password" in the "Proctoring Parameters" for a test) automatically have "Proctor" status. So set level proctoring is completely broken.
This was broken by openwebwork#2252. The issue is that `login_proctor` users with `Proctor` status do not have the `allow_course_access` behavior. Thus the check on line 509 of `lib/WeBWorK/Authen.pm` fails. So this skips that check if the `login_type` starts with "proctor". This will only be true if the `WeBWorK::Authen::Proctor` module is the current authentication module and the `proctor_user` parameter is set. Note that the proctor authen module already checks all of the necessary permissions, so this check is not needed. When the check on line 509 of `lib/WeBWorK/Authen.pm` was in the `check_user` method of `WeBWorK::Authen` this check was not even done by the `WeBWorK::Authen::Proctor` module because that module overrides the `check_user` method. To test this create a proctored test that is set with a "Proctor Authorization Type" of "Both Start and Grade", and create a `login_proctor` user with the `Proctor` status. Proctor authentication should succeed if the `login_proctor` user's credentials are entered on the proctor login page. For the develop branch this not only fails, but the message "This user is not allowed to log in to this course" is shown. While that message is true, it is not applicable here. That is the whole point of a `login_proctor`. Note that set level proctors (hidden users created if you set the "Password" in the "Proctoring Parameters" for a test) automatically have "Proctor" status. So set level proctoring is completely broken. Also move session creation and setting of `$self->{initial_login}` to 1 until after the checks now on lines 509-521 of `lib/WeBWorK/Authen.pm`. Those things should not be done if `verify_normal_user` is returning 0.
This was broken by openwebwork#2252. The issue is that `login_proctor` users with `Proctor` status do not have the `allow_course_access` behavior. Thus the check on line 509 of `lib/WeBWorK/Authen.pm` fails. So this skips that check if the `login_type` starts with "proctor". This will only be true if the `WeBWorK::Authen::Proctor` module is the current authentication module and the `proctor_user` parameter is set. Note that the proctor authen module already checks all of the necessary permissions, so this check is not needed. When the check on line 509 of `lib/WeBWorK/Authen.pm` was in the `check_user` method of `WeBWorK::Authen` this check was not even done by the `WeBWorK::Authen::Proctor` module because that module overrides the `check_user` method. To test this create a proctored test that is set with a "Proctor Authorization Type" of "Both Start and Grade", and create a `login_proctor` user with the `Proctor` status. Proctor authentication should succeed if the `login_proctor` user's credentials are entered on the proctor login page. For the develop branch this not only fails, but the message "This user is not allowed to log in to this course" is shown. While that message is true, it is not applicable here. That is the whole point of a `login_proctor`. Note that set level proctors (hidden users created if you set the "Password" in the "Proctoring Parameters" for a test) automatically have "Proctor" status. So set level proctoring is completely broken. Also move session creation and setting of `$self->{initial_login}` to 1 until after the checks now on lines 509-521 of `lib/WeBWorK/Authen.pm`. Those things should not be done if `verify_normal_user` is returning 0.
Currently, if you are a user with a role of
Dropped
orProctor
, when you try to log in, you get the messageInvalid user ID or password.
This is particularly confusing/misleading for a student who was dropped who tries to get back in to WeBWorK using the username/password that worked for them in the past.You also get the same message if the
login
permission level has been set high. I sometimes do this if I want to temporarily deny all students access to a course. SeeingInvalid user ID or password.
is again misleading.This PR changes things so that if one of the above situations happens, if that person gets past the point of entering a valid username/password combination, they are told more specifically
This user is not allowed to log in to this course
. It lets them know they have the right credentials, but for some reason are denied access right now.I don't believe this leaks information, since they have to have the correct username/password to get this message.