
Signed-out user can access a resource URL containing class and lesson ids when users are allowed to explore resources without signing in

Open MisRob opened this issue 3 years ago • 4 comments

Observed behavior

With these device settings

[screenshot: device settings]

I can access a lesson resource page as a signed-out user when I know its URL via pasting it to the address bar, e.g. /en/learn/#/topics/c/69b6ce4071fd54fd82fab705fc89797f?lessonId=ca87af39b5a025cd51d8b87ff2ce95db&classId=68fdf5eca4d9e18cc31b3fe9ef897e9f (note lessonId and classId query parameters that are used for resources in the class context)

[screenshot: resource page]

Expected behavior

Even though users are allowed to explore resources without signing in, giving access to lesson resources still doesn't make sense for anonymous users. For signed-out users, it should rather redirect them to the same resource but outside of the class context (e.g. /en/learn/#/topics/c/69b6ce4071fd54fd82fab705fc89797f). If there are some technical limitations on the routing level for doing this, we should at least check that we account for this URL when deciding between lesson and topic contexts of a resource as @rtibbles noted:

I think the issue I can imagine is that we use the lesson id to contextualise the "more in" side panel and the completion modal too. So at the very least we should be adding extra checks for that as to whether the user is logged in.

User-facing consequences

I haven't noticed any user-facing problems related to this except that the URL might be confusing a bit and as described above, it has the potential for causing problems with lesson/topic contexts.

Steps to reproduce

  1. Select "Allow users to explore resources without signing in" in device settings as an admin
  2. Obtain a URL of a resource from a lesson as a learner
  3. Sign out
  4. Paste the URL to the browser address bar

Context

  • Kolibri version: Kolibri 0.15.1.dev0+git.20220127215827
  • Operating system: Ubuntu 20.04.3 LTS
  • Browser: Version 97.0.4692.99 (Official Build) (64-bit)

MisRob avatar Jan 31 '22 07:01 MisRob

When a lessonId and classId are specified, if the user is not logged in, we should call the redirectBrowser function.

rtibbles avatar Jan 03 '24 21:01 rtibbles
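The redirect described in the issue's expected behavior and in the comment above, as an added example that is not Kolibri's own code: a route-guard decision that, for a signed-out user, strips the lessonId and classId query parameters from a hash route and returns the same resource URL outside the class context. The function names, the treatment of lessonId and classId as the only class-context parameters, and the sample URL (built from the identifiers quoted in the report) are assumptions for illustration.

```javascript
// Added example, not Kolibri project code: decide whether an anonymous
// visitor who opens a lesson-scoped resource URL should be redirected to the
// same resource with the class context removed.
//
// Kolibri uses hash-based routes such as
//   /en/learn/#/topics/c/<contentId>?lessonId=<id>&classId=<id>
// The page path and the in-app route sit on either side of '#'.

// Query parameters that only make sense for a signed-in learner.
// Names come from the issue; treating them as the full set is an assumption.
const CLASS_CONTEXT_PARAMS = ['lessonId', 'classId'];

// Split a Kolibri-style URL into its page path and its hash route.
function splitHashRoute(url) {
  const idx = url.indexOf('#');
  if (idx === -1) return { pagePath: url, route: '' };
  return { pagePath: url.slice(0, idx), route: url.slice(idx + 1) };
}

// True when the hash route carries any class-context parameter.
function hasClassContext(url) {
  const { route } = splitHashRoute(url);
  const q = route.indexOf('?');
  if (q === -1) return false;
  const params = new URLSearchParams(route.slice(q + 1));
  return CLASS_CONTEXT_PARAMS.some(name => params.has(name));
}

// Remove class-context parameters from the route, keeping any other query keys.
function stripClassContext(url) {
  const { pagePath, route } = splitHashRoute(url);
  const q = route.indexOf('?');
  if (q === -1) return url;
  const path = route.slice(0, q);
  const params = new URLSearchParams(route.slice(q + 1));
  for (const name of CLASS_CONTEXT_PARAMS) params.delete(name);
  const rest = params.toString();
  return `${pagePath}#${path}${rest ? '?' + rest : ''}`;
}

// Route-guard decision (hypothetical helper): for a signed-out user return the
// URL to redirect to, otherwise return null so the caller leaves the route as is.
function redirectTargetForAnonymous(url, isLoggedIn) {
  if (isLoggedIn) return null;
  if (!hasClassContext(url)) return null;
  return stripClassContext(url);
}

// Constructed sample URL modelled on the one quoted in the issue report.
const SAMPLE =
  '/en/learn/#/topics/c/69b6ce4071fd54fd82fab705fc89797f' +
  '?lessonId=ca87af39b5a025cd51d8b87ff2ce95db&classId=68fdf5eca4d9e18cc31b3fe9ef897e9f';

console.log(redirectTargetForAnonymous(SAMPLE, false));
// -> /en/learn/#/topics/c/69b6ce4071fd54fd82fab705fc89797f
console.log(redirectTargetForAnonymous(SAMPLE, true));
// -> null
```

Keeping the check on the sign-in state rather than on whether the lesson exists means the side panel and completion modal mentioned above never see a lesson id for an anonymous session, and the same decision can be reused wherever the lesson context is derived from the route.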

Hi @rtibbles & @MisRob, can I work on this issue?

hubsMIT1 avatar Jan 21 '24 19:01 hubsMIT1

Yes, please work from the develop branch and target any pull request there.

rtibbles avatar Jan 21 '24 19:01 rtibbles

Hello @hubsMIT1, do you work on this or should we unassign?

MisRob avatar Feb 23 '24 13:02 MisRob

Hi, I'd like to give this a try. Can I be assigned to this issue?

GSAprod avatar Mar 04 '24 10:03 GSAprod

Hi @GSAprod, thank you for volunteering, yes.

MisRob avatar Mar 04 '24 16:03 MisRob