In pre-semester testing, we found an access control violation in a testing center with the following steps, using a fully implemented API:
Start the LMS platform
User enters the testing center
User accesses the LMS in the testing center before the proctor has started the exam
Result: User has access to LMS since no deny_access packet is present to restrict the user. The first deny_access is only sent when the exam session is started. The API provides no mechanism to receive deny_access until PT sends it.
As a workaround, we have directly configured the IP address ranges of the testing center to prevent this access control violation from occurring.
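The gap and the workaround described above, modeled as an added example (not code from the report or from the API it discusses). It replays the reported sequence against a decision function that relies only on received deny_access messages, and then against one that also has the testing center's IP ranges configured statically. The class, function names, sample addresses and the idea that deny_access identifies a client by IP are assumptions.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the report.
TESTING_CENTER_RANGES = ["192.0.2.0/24", "2001:db8:10::/64"]

class LmsAccessPolicy:
    """Hypothetical model of the LMS-side access decision."""

    def __init__(self, static_ranges=()):
        self.static_nets = [ipaddress.ip_network(r) for r in static_ranges]
        self.dynamic_denies = set()  # filled only when a deny_access arrives

    def on_deny_access(self, client_ip):
        # Assumption: a deny_access message identifies the client by IP.
        self.dynamic_denies.add(ipaddress.ip_address(client_ip))

    def decide(self, client_ip):
        """Return (allowed, reason) for a request from client_ip."""
        ip = ipaddress.ip_address(client_ip)
        if ip in self.dynamic_denies:
            return False, "deny_access received"
        if any(ip.version == n.version and ip in n for n in self.static_nets):
            return False, "static testing-center range"
        return True, "no restriction known"

def replay(policy, events):
    """Run ('request' | 'deny_access', ip) events in order; return decisions."""
    out = []
    for kind, ip in events:
        if kind == "deny_access":
            policy.on_deny_access(ip)
        else:
            out.append((ip, *policy.decide(ip)))
    return out

# Constructed timeline: the user reaches the LMS before the exam is started.
TIMELINE = [
    ("request", "192.0.2.17"),      # before the proctor starts the exam
    ("deny_access", "192.0.2.17"),  # exam session started
    ("request", "192.0.2.17"),      # after exam start
    ("request", "198.51.100.5"),    # client outside the testing center
]

if __name__ == "__main__":
    configs = {"API only": (), "with static ranges": TESTING_CENTER_RANGES}
    for label, ranges in configs.items():
        print(label)
        for ip, allowed, reason in replay(LmsAccessPolicy(ranges), TIMELINE):
            print(f"  {ip:<14} {'ALLOW' if allowed else 'DENY '} {reason}")
```

With no static ranges, the first request is allowed because nothing has been received yet; with the ranges configured, the same request is denied before any deny_access exists.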