Questions are nodes, meaning they can be searched for, listed by taxonomy and otherwise viewed outside the quiz framework. This seems to be a pretty big hole for a classroom environment where someone wants to use this as a test-giving application.

It should not be too hard to deny access to anyone without the proper permissions, but is there some way we can remove them from the taxonomy lists and search results entirely?

This has come up before in 4.6 and I've never really solved this one in a satisfactory way. Has anyone had any luck with 4.7? I know that taxonomy access does a pretty good job, but I'd first like to look for a way to do it without requiring additional modules.

A quick search didn't turn up much.

Marked critical because it deals with security issues.

Comments

nicholasthompson’s picture

nicholasthompson
Primary language English
commented

Just a though - could it to do with hook_view?

The only time the question needs to be shown is when its called by quiz which does so by directly calling the [question_type]_render_question($node) "hook". The hook_view already says not to be viewed independantly for the teaser view - why not apply that to the main view - even if only to see what happens?

seanbfuller’s picture

seanbfuller commented

That'd work fine for viewing the content, but I think we'd still have a situation where students could get a list of question titles. I'll try to dig through taxonomy access to figure out exactly what it does to remove results from list.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented

This gets into hook_node_access stuff. And that gets into all kinds of headaches. In 4.7 you can't have multiple node_access modules in a system... so you can either pick from taxonomy_access, organic groups, node privacy by role, etc. but can't use more than that. In 5.0, these can co-exist.

Not sure the way to solve this for 4.7. We could have quiz module implement its own node access scheme. But then you can't use quizzes with any of the other node access modules. Or we could say that if you need this functionality, you need to also install a node access module such as X, Y, Z.

In 5.0 we could do either though.

seanbfuller’s picture

seanbfuller commented

webchick: That's exactly what I was looking for!

For small 4.7 sites with just one or two quizzes, I think accidentally finding the question and getting an access_denied page if you don't have proper permissions is fine. I think a "If you have more than a few quizzes we strongly recommend you get an access module" in the module description and documentation will do.

As it stands, you have to have the 'create multichoice' permission to view a question, meaning that quiz takers (students) get an access_denied when trying to view a question node.

Feel free to close this or mark it postponed.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented

Hm. Actually. Would making create and view two different permissions solve this problem without having to use the node_access table?

seanbfuller’s picture

seanbfuller commented

Well, it seems to work now, as is. Searching as an anonymous user I can't see the questions at all (title or otherwise) in search or on taxonomy pages. I know I had issues in 4.6, but 4.7 might have just fixed this issue? Pulling those permissions apart might be a good idea, but I don't think it would be neccessary. Maybe we want to put that in with the permissions issue?

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented
Status: Active » Postponed

Wow, really? Ok then. :) Postponed it is.

wmostrey’s picture

wmostrey commented
Status: Postponed » Closed (fixed)