dodona icon indicating copy to clipboard operation
dodona copied to clipboard

Published 20 hours ago verified publisher icon dodona-edu

Inaccessible file links from feedback table of private exercises

Open pdawyndt opened this issue 3 years ago • 8 comments
trafficstars

Private exercises again have inaccessible file links from their feedback table, because no token is added to these links. Problem occurred during an end-of-December-2021 evaluation for bash shell scripting exercises, and was resolved by making the exercises public during the evaluation.

pdawyndt avatar Jan 03 '22 08:01 pdawyndt

Failed to reproduce issue in development

Steps I took to reproduce:

As a teacher:

  1. Create new course (accesible to everyone just like computergebruik )
  2. Create new exercise series: access set to hidden as I expect was the case during evaluation
  3. Add exercise Fasta formatter which I set to be "access": "private" in its config.json

As a student:

  1. join course
  2. open exercise series using secret link
  3. submit empty response for Fasta formatter
  4. In feedback table click on the files: they open with the required token (eg: http://dodona.localhost:3000/activities/1255504928/media/workdir/seq.01.fasta?token=y-SqCIcvZEu8vVur)

(Also tried some different python exercises first, but their files opened in popup and didn't cause any issues either)

Is anyone else able to reproduce this issue and if so how?

jorg-vr avatar Jan 13 '22 10:01 jorg-vr

@jorg-vr long shot: the exercises we used in the evaluation were platypus and christmas tree EXEC. Since we never had similar issues before, I thought it might either be exercise-specific or judge-specific (in this case bash judge). We also did not experience the same issues with staff accounts (I could access the files without any problem). The file access problem came from the feedback table (not the description). I guess @pverscha or Jonathan Peck figured out that file links in the feedback table were missing the token needed to provide access as long as the exercise was "access:private". We solved the issue by both setting the series "open" and making the exercises "access:public". I don't know what finally resolved the issue, but those steps resolved it for the students (after page refresh).

pdawyndt avatar Jan 13 '22 10:01 pdawyndt

Tested those two exercises:

  • platypus: I could open the files in the feedback without issues
  • christmas tree: There are no file links present in the feedback (Instead the description specifies to download a zip with all inputs)

jorg-vr avatar Jan 13 '22 11:01 jorg-vr

@jorg-vr have you checked with student rights and also to wget the file using the link taken from the feedback table?

pdawyndt avatar Jan 13 '22 12:01 pdawyndt

I checked with student rights And also did a wget on the link now (which works)

Link also contains the required token: http://dodona.localhost:3000/activities/1669068181/media/workdir/question.01.txt?token=XyhBr7GrxxpC2Fyz

This is all in development of course

jorg-vr avatar Jan 13 '22 12:01 jorg-vr

Maybe this was the issue:

https://github.com/dodona-edu/dodona/pull/1598#issuecomment-571930128 https://github.com/dodona-edu/dodona/pull/1598#issuecomment-571931179

jorg-vr avatar Jan 13 '22 12:01 jorg-vr

We experienced the same issue today, but that also explains what happens (I guess) and also gives a workaround. These are the steps that lead to the issue of inaccessible files:

  1. students are given link to exercises in hidden series or to hidden series while the series is still closed (our mistake because we forgot to set the series access to hidden shortly before sending the mail)
  2. series access is modified from "closed" to "hidden"
  3. students refresh page and get access to the description

Apparently, if step (3) is done very fast after step (2), access is given to a description that still has links that do not provide access to the files (no tokens? invalid tokens?). The issue is resolved if seconds later students simply refresh the page with the description. My guess is that there might be a short delay between providing hidden access to descriptions and to the files. Knowing that students just have to refresh the page is a good workaround (better than given "public" access to the exercises and "open" access to the series as we've done before).

@pverscha Can you check reporting and correct/append where needed

pdawyndt avatar Jan 19 '22 12:01 pdawyndt

potential cause: 2 series containing the same exercises in combination with series visibility change.

bmesuere avatar Mar 03 '22 14:03 bmesuere

This happened again during an evaluation which students first opened when it was still closed. They had to refresh after setting to hidden. But one student still had access problems for a file in the description. (Solved after a second refresh)

As only one student encountered the issue I guess it could need specific timing and or caching to reproduce.

It could be caused by the descriptions being loaded with older settings. (I often experience something similar when switching between light and dark mode, having to trigger an extra refresh to also change the color scheme of the description)

jorg-vr avatar Dec 21 '22 13:12 jorg-vr

How did students open the description while the series was still closed? We've indeed noticed "old" iframes staying cached (especially in firefox, I think there is a closed issue where we link to a bugzilla report). The secret is embedded in the file link and changes upon series visibility setting, so this could indeed lead to old tokens being embedded if a cached iframe from a different visibility setting is shown.

chvp avatar Dec 21 '22 14:12 chvp

Ah, if there is a different series for BST whose visibility is changed while students are opening the description via the non-BST series this could indeed occur (and is the case @bmesuere meant in https://github.com/dodona-edu/dodona/issues/3265#issuecomment-1058096470, I think).

chvp avatar Dec 21 '22 14:12 chvp