PrairieLearn / PrairieTest-feedback

Public repo to house PrairieTest bug reports, feature requests, and more

User access to LMS while in testing center when relying on deny_access API for access control #31

Open wadefagen opened 1 year ago

wadefagen commented 1 year ago

In pre-semester testing, we found an access control violation in a testing center with the following steps, with a fully implemented API:

  1. Start the LMS platform
  2. User enters the testing center
  3. User accesses the LMS in the testing center before the proctor has started the exam

Result: User has access to LMS since no deny_access packet is present to restrict the user. The first deny_access is only sent when the exam session is started. The API provides no mechanism to receive deny_access until PT sends it.

As a workaround, we have directly configured the IP address ranges of the testing center to prevent this access control violation from occurring.
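
The gap and the workaround described in this issue, sketched as an added example that is not part of the original report or of PrairieTest's code. The deny-record shape (user id mapped to a start/end window), the function names and the address ranges are assumptions made for illustration; the issue does not show the deny_access payload.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed testing-center ranges (documentation address space, not from the issue).
CENTER_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]


def in_testing_center(client_ip, networks=CENTER_NETWORKS):
    """True if the client address falls inside a configured testing-center range."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True  # unparseable address: fail closed and treat it as restricted
    return any(addr in net for net in networks)


def deny_active(user_id, now, deny_records):
    """True if a stored deny window (hypothetical record shape) covers 'now'."""
    window = deny_records.get(user_id)
    return window is not None and window[0] <= now < window[1]


def lms_access_allowed(user_id, client_ip, now, deny_records, use_ip_fallback):
    """LMS-side decision: deny records first, then the static IP-range rule."""
    if deny_active(user_id, now, deny_records):
        return False
    # Covers the window before the first deny record has been received.
    if use_ip_fallback and in_testing_center(client_ip):
        return False
    return True


if __name__ == "__main__":
    start = datetime(2024, 1, 10, 14, 0, tzinfo=timezone.utc)  # constructed exam start
    records = {"student1": (start, start + timedelta(hours=2))}
    early = start - timedelta(minutes=10)  # user seated, session not started yet
    for fallback in (False, True):
        ok = lms_access_allowed("student1", "192.0.2.44", early, records, fallback)
        print(f"ip_fallback={fallback}: LMS access before session start allowed={ok}")
```

With the fallback off, the request made ten minutes before the session starts is allowed, which is the behaviour reported above; with it on, the same request is refused regardless of whether any deny record exists yet.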