blockpy-edu / blockpy

Blockly that's more Python than JavaScript, powered with Skulpt
Apache License 2.0

Client side access to privileged information #77

Closed csjoey closed 4 years ago

csjoey commented 4 years ago

By manipulating post data client users may access potentially privileged information and can set the status of their own assignments, and potentially others, at will.

acbart commented 4 years ago

As discussed via email, the security model for BlockPy may allow students to submit a score that they did not earn. However, the system logs all code, which should be periodically analyzed to detect inconsistencies. There are many mechanisms that students have to cheat - custom POST requests are, if anything, a less savvy solution than just hiring someone to complete problems for you or getting the solution from your friends, given the digital paper trail.

As for the "potentially others" part, the server does not allow users to modify submissions for others unless they are a grader for the course (checked server side). You can pass along whatever extra information you want, but fundamentally the system's checking who you are and whether you own that submission. It would be more expedient to just bribe a TA.
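As an added illustration of the design acbart describes (identity taken from the session rather than the POST body, graders allowed to edit others' submissions, and the code log analysed afterwards for inconsistencies), here is a constructed example that is not BlockPy's own code; the data model, the `Forbidden` exception and the `min_edits` heuristic are all assumptions made for the example.

```python
from dataclasses import dataclass, field


# Constructed data model for the example; not BlockPy's own structures.
@dataclass
class Submission:
    id: int
    owner_id: int
    course_id: int
    score: int = 0
    correct: bool = False
    code_log: list = field(default_factory=list)  # every code version the client ever sent


@dataclass
class User:
    id: int
    grader_for: set = field(default_factory=set)  # course ids in which this user grades


class Forbidden(Exception):
    pass


def update_submission(current_user: User, submission: Submission, post_data: dict) -> Submission:
    """Apply a client POST to a submission.

    Identity comes from the authenticated session (current_user), never from the
    POST body, so a client-supplied user_id or owner field is simply ignored.
    """
    is_owner = submission.owner_id == current_user.id
    is_grader = submission.course_id in current_user.grader_for
    if not (is_owner or is_grader):
        raise Forbidden("not the owner and not a grader for this course")
    if "code" in post_data:
        submission.code_log.append(post_data["code"])  # the paper trail
    # A student may still post a score they did not earn; that is the accepted
    # risk in the thread, mitigated by analysing the log rather than by the API.
    if "score" in post_data:
        submission.score = int(post_data["score"])
        submission.correct = submission.score >= 100
    return submission


def suspicious_submissions(submissions, min_edits=2):
    """Illustrative log check (assumed heuristic): flag submissions that claim
    full credit but have fewer than min_edits logged code versions."""
    return [s.id for s in submissions if s.correct and len(s.code_log) < min_edits]
```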