emasters
commented
4 years ago A copy of authorizestudent.php is at https://github.com/CCALI/CALI-Author-Viewer-5/blob/master/lessons/web/authorizestudent.php. It's focus was on blocking links where the referrer was not www.cali.org so that would capture browser bookmark links along with run links (of which LessonLink is one type) we want to allow. It doesn't set any variables that are passed on to the viewer. Everything runs just fine without this file.
The viewer needs to detect deep links directly, something of the form https://d7.calidev.org/lessons/web/cpy01/jq.php?own#About%20this%20lesson for example, and not allow those.
sgoshorn
The Viewer relied on AuthorizeStudent.php to ensure everything was in place before running a lesson (student information, lesson score run id, etc.). A student starting from a bookmark instead of the proper method would have just been redirected to the lesson's description page. Now that AuthorizeStudent.php has been disabled to solve a lessonlink issue, the Viewer itself needs to determine if it's starting correctly.
A proper start should define a runid in the Viewer landing page. When the Viewer starts up, check if
runid > 0. If not, redirect to a page about how to run lessons rather than the lesson description page because it's possible for a student to bookmark a lesson link lesson and if they start that, their run would not be attached to their course. We force them to refind the lesson either with resuming a lesson, finding the lesson again or visiting their lesson link course.