Forum archive 2000-2006

Ben Pollina - email and guest logins

by Arnold Pizer -
Number of replies: 0
email and guest logins: topic started 11/22/2004; 9:57:18 AM
last post 1/14/2005; 12:55:40 AM
Ben Pollina - email and guest logins
11/22/2004; 9:57:18 AM (reads: 1933, responses: 6)
All of our WW courses are set up with practice users. Over the weekend, someone logged in as a practice user and used the feedback mechanism to send an offensive email anonymously. So far, this is a single isolated incident. Is there a way to prevent this short of deleting all practice users?

Any suggestions would be appreciated.

Ben Pollina


Michael Gage - Re: email and guest logins
11/22/2004; 11:17:39 AM (reads: 2248, responses: 0)
I don't believe you can without changing the webwork code. The global.conf file does allow you to restrict who the feedback mail is sent to, so one can't anonymously spam large numbers of users (set by $mail{feedbackRecipients}). You can also restrict the submit feedback rights using $permissionLevels{submit_feedback}, but at the moment I don't think you can restrict it to non-practice students.

We've found it useful to allow practice users to send us feedback -- they often point out mistakes in problems or in the course. If it becomes a problem we can arrange to have the feedback privileges turned off for practice users. The new permission subroutines coming up in forthcoming versions of WeBWorK will make it possible to do this customization from a configuration file, without altering code.


Sam Hathaway - Re: email and guest logins
11/22/2004; 11:41:42 AM (reads: 2217, responses: 0)
I think you can use the permissions system to restrict only practice users. First, apply the attached patch to your global.conf file. Then, change the permission level of each practice user to -5.
-sam

 

@@ -411,13 +432,14 @@
# action, >=5 will allow a TA to, and >=0 will allow a student to perform an
# action (almost never what you want).

+my $guest = -5;
my $student = 0;
my $ta = 5;
my $professor = 10;
my $nobody = undef;

%permissionLevels = (
- login => $student,
+ login => $guest,
report_bugs => $student,
submit_feedback => $student,
change_password => $student,
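Review bot: the comment above "my $guest = -5;" still describes only the >=5 (TA) and >=0 (student) thresholds, so the new negative level is undocumented. Add a line saying that -5 is meant for practice/guest accounts and that such accounts pass only the checks set to $guest. With "login => $guest" and "submit_feedback => $student" as shown, the restriction applies only to accounts whose permission level has actually been lowered to -5; a practice user left at 0 keeps feedback rights.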
@@ -453,9 +475,9 @@
avoid_recording_answers => $ta,
check_answers_before_open_date => $ta,
check_answers_after_open_date_with_attempts => $ta,
- check_answers_after_open_date_without_attempts => $student,
- check_answers_after_due_date => $student,
- check_answers_after_answer_date => $student,
+ check_answers_after_open_date_without_attempts => $guest,
+ check_answers_after_due_date => $guest,
+ check_answers_after_answer_date => $guest,
record_answers_when_acting_as_student => $nobody,
# "record_answers_when_acting_as_student" takes precedence
# over the following for professors acting as students:
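Review bot: only the three check_answers_after_* entries move to $guest; the record_answers_* entries that follow "record_answers_when_acting_as_student" lie outside this hunk and are unchanged, so any of them set to $student will now be refused to an account at -5. If practice users are meant to check answers without having them recorded, say so in a comment next to these lines; if not, those entries need the same change.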


Ben Pollina - Re: email and guest logins
11/22/2004; 3:43:55 PM (reads: 2213, responses: 0)
Sam,

Thanks for the suggestion, but it didn't work. My current global.conf file did not have the login, submit_feedback and change_password flags to start with. I added them to no effect. Do I need to update some other code or perhaps restart the server?

Ben


Sam Hathaway - Re: email and guest logins
11/22/2004; 5:15:59 PM (reads: 2203, responses: 0)
Did you reset the permission level for the practice users to -5? What version are you running? Those instructions were tested under WW 2.1. What did your %permissionLevels hash look like before applying the patch?


Ben Pollina - Re: email and guest logins
11/23/2004; 11:42:46 AM (reads: 2195, responses: 0)
Sam,

I did set the permission level to -5 for practice users. Our version of WeBWorK is 2.0.1. Below is a copy of the code referring to permissionLevels in the global.conf file.

Ben Pollina

 

my $student = 0;
my $ta = 5;
my $professor = 10;
my $nobody = undef;

%permissionLevels = (
    report_bugs => $student,

    view_multiple_sets => $ta,
    view_unopened_sets => $ta,
    view_unpublished_sets => $ta,
    view_answers => $ta,

    become_student => $professor,
    access_instructor_tools => $ta,
    score_sets => $professor,
    send_mail => $professor,
    create_and_delete_problem_sets => $professor,
    assign_problem_sets => $professor,
    modify_problem_sets => $professor,
    modify_student_data => $professor,
    modify_classlist_files => $professor,
    modify_set_def_files => $professor,
    modify_scoring_files => $professor,
    modify_problem_template_files => $professor,

    create_and_delete_courses => $professor,
    fix_course_databases => $professor,

    ##### Behavior of the interactive problem processor #####

    show_correct_answers_before_answer_date => $ta,
    show_solutions_before_answer_date => $ta,
    avoid_recording_answers => $ta,
    check_answers_before_open_date => $ta,
    check_answers_after_open_date_with_attempts => $ta,
    check_answers_after_open_date_without_attempts => $student,
    check_answers_after_due_date => $student,
    check_answers_after_answer_date => $student,

    record_answers_when_acting_as_student => $nobody,

    # "record_answers_when_acting_as_student" takes precedence
    # over the following for professors acting as students:
    record_answers_before_open_date => $nobody,
    record_answers_after_open_date_with_attempts => $student,
    record_answers_after_open_date_without_attempts => $nobody,
    record_answers_after_due_date => $nobody,
    record_answers_after_answer_date => $nobody,

);


Sam Hathaway - Re: email and guest logins
1/14/2005; 12:55:40 AM (reads: 2149, responses: 0)
Hi, sorry for the delay.

In WW 2.0.x, password/email changing is allowed for all users. The "change_email_address", "change_password", and "submit_feedback" permissions were added to the 2.1 series of WW. You can upgrade your installation by following the upgrade instructions.

If you don't feel comfortable upgrading to 2.1 right now, you can try applying the following patch to your 2.0.1 tree. I have no idea if it will apply cleanly, since the modifications it contains were made against a later version of WW. If it doesn't, it's probably just a question of the pertinent lines being somewhere other than where patch expects them to be in the file. If nothing works, you can always back out with "patch -R".

 

Index: ContentGenerator.pm
===================================================================
RCS file: /webwork/cvs/system/webwork2/lib/WeBWorK/ContentGenerator.pm,v
retrieving revision 1.116
retrieving revision 1.117
diff -Llib/WeBWorK/ContentGenerator.pm -Llib/WeBWorK/ContentGenerator.pm -u -r1.116 -r1.117
--- lib/WeBWorK/ContentGenerator.pm
+++ lib/WeBWorK/ContentGenerator.pm
@@ -481,13 +481,20 @@
my $logout = $urlpath->newFromModule("${pfx}Logout", %args);

print "\nn";
+
# only users with appropriate permissions can report bugs
- print CGI::p(CGI::a({style=>"font-size:larger", href=>$ce->{webworkURLs}{bugReporter}}, "Report bugs")),CGI::hr() if $authz->hasPermissions($user, "report_bugs");
+ if ($authz->hasPermissions($user, "report_bugs")) {
+ print CGI::p(CGI::a({style=>"font-size:larger", href=>$ce->{webworkURLs}{bugReporter}}, "Report bugs")),CGI::hr();
+ }

print CGI::start_ul({class=>"LinksMenu"});
print CGI::li(CGI::span({style=>"font-size:larger"},
CGI::a({href=>$self->systemLink($sets)}, sp2nbsp($sets->name))));
- print CGI::li(CGI::a({href=>$self->systemLink($options)}, sp2nbsp($options->name)));
+
+ if ($authz->hasPermissions($user, "change_password") or $authz->hasPermissions($user, "change_email_address")) {
+ print CGI::li(CGI::a({href=>$self->systemLink($options)}, sp2nbsp($options->name)));
+ }
+
print CGI::li(CGI::a({href=>$self->systemLink($grades)}, sp2nbsp($grades->name)));
print CGI::li(CGI::a({href=>$self->systemLink($logout)}, sp2nbsp($logout->name)));
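Review bot: the new "if" around the $options link only hides the menu entry, so it cannot be the control on its own; the hasPermissions checks in Options.pm are what stop a user who requests the options page directly, and the two must be kept in step. This file also passes $user to hasPermissions while Options.pm passes $userID and Feedback.pm passes $userName; confirm that all three hold the same kind of value.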

Index: global.conf.dist
===================================================================
RCS file: /webwork/cvs/system/webwork2/conf/global.conf.dist,v
retrieving revision 1.105
retrieving revision 1.106
diff -Lconf/global.conf.dist -Lconf/global.conf.dist -u -r1.105 -r1.106
--- conf/global.conf.dist
+++ conf/global.conf.dist
@@ -409,6 +409,9 @@



%permissionLevels = (
report_bugs => $student,
+ submit_feedback => $student,
+ change_password => $student,
+ change_email_address => $student,

view_multiple_sets => $ta,
view_unopened_sets => $ta,
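Review bot: the three new keys go into global.conf.dist only and carry no comment, so a site's existing global.conf does not gain them when the code is updated. Document next to "submit_feedback => $student," what each key gates, and state in the upgrade notes that the keys have to be copied into the live global.conf, since the new hasPermissions checks in Options.pm and Feedback.pm look them up by name.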
Index: Options.pm
===================================================================
RCS file: /webwork/cvs/system/webwork2/lib/WeBWorK/ContentGenerator/Options.pm,v
retrieving revision 1.18
retrieving revision 1.19
diff -Llib/WeBWorK/ContentGenerator/Options.pm -Llib/WeBWorK/ContentGenerator/Options.pm -u -r1.18 -r1.19
--- lib/WeBWorK/ContentGenerator/Options.pm
+++ lib/WeBWorK/ContentGenerator/Options.pm
@@ -42,6 +42,9 @@
my $EUser = $db->getUser($eUserID); # checked
die "record not found for effective user '$eUserID'." unless defined $EUser;

+ my $user_name = $User->first_name . " " . $User->last_name;
+ my $e_user_name = $EUser->first_name . " " . $EUser->last_name;
+
my $changeOptions = $r->param("changeOptions");
my $currP = $r->param("currPassword");
my $newP = $r->param("newPassword");
@@ -53,78 +56,89 @@

print CGI::h2("Change Password");

- my $user_name = $User->first_name . " " . $User->last_name;
- my $e_user_name = $EUser->first_name . " " . $EUser->last_name;
-
if ($changeOptions and ($currP or $newP or $confirmP)) {

- my $Password = eval {$db->getPassword($User->user_id)}; # checked
- warn "Can't get password record for user '$userID': $@" if $@ or not defined $Password;
-
- my $EPassword = eval {$db->getPassword($EUser->user_id)}; # checked
- warn "Can't get password record for effective user '$eUserID': $@" if $@ or not defined $EPassword;
-
- if (crypt($currP, $Password->password) eq $Password->password) {
- if ($newP or $confirmP) {
- if ($newP eq $confirmP) {
- $EPassword->password(cryptPassword($newP));
- eval { $db->putPassword($EPassword) };
- if ($@) {
- print CGI::div({class=>"ResultsWithError"},
- CGI::p("Couldn't change $e_user_name\'s password: $@"),
- );
+ if ($authz->hasPermissions($userID, "change_password")) {
+
+ my $Password = eval {$db->getPassword($User->user_id)}; # checked
+ warn "Can't get password record for user '$userID': $@" if $@ or not defined $Password;
+
+ my $EPassword = eval {$db->getPassword($EUser->user_id)}; # checked
+ warn "Can't get password record for effective user '$eUserID': $@" if $@ or not defined $EPassword;
+
+ if (crypt($currP, $Password->password) eq $Password->password) {
+ if ($newP or $confirmP) {
+ if ($newP eq $confirmP) {
+ $EPassword->password(cryptPassword($newP));
+ eval { $db->putPassword($EPassword) };
+ if ($@) {
+ print CGI::div({class=>"ResultsWithError"},
+ CGI::p("Couldn't change $e_user_name\'s password: $@"),
+ );
+ } else {
+ print CGI::div({class=>"ResultsWithoutError"},
+ CGI::p("$e_user_name\'s password has been changed."),
+ );
+ }
} else {
- print CGI::div({class=>"ResultsWithoutError"},
- CGI::p("$e_user_name\'s password has been changed."),
+ print CGI::div({class=>"ResultsWithError"},
+ CGI::p(
+ "The passwords you entered in the ",
+ CGI::b("$e_user_name\'s New Password"), " and ",
+ CGI::b("Confirm $e_user_name\'s New Password"), " fields
+ don't match. Please retype your new password and try
+ again."
+ ),
);
}
} else {
print CGI::div({class=>"ResultsWithError"},
- CGI::p(
- "The passwords you entered in the ",
- CGI::b("$e_user_name\'s New Password"), " and ",
- CGI::b("Confirm $e_user_name\'s New Password"), " fields
- don't match. Please retype your new password and try
- again."
- ),
+ CGI::p("$e_user_name\'s new password cannot be blank."),
);
}
} else {
print CGI::div({class=>"ResultsWithError"},
- CGI::p("$e_user_name\'s new password cannot be blank."),
+ CGI::p(
+ "The password you entered in the ", CGI::b("$user_name's
+ Current Password"), " field does not match your current
+ password. Please retype your current password and try
+ again."
+ ),
);
}
+
} else {
print CGI::div({class=>"ResultsWithError"},
- CGI::p(
- "The password you entered in the ", CGI::b("$user_name's
- Current Password"), " field does not match your current
- password. Please retype your current password and try
- again."
- ),
- );
+ CGI::p("You do not have permission to change your password."))
+ unless $changeOptions and ($currP or $newP or $confirmP); # avoid double message
}
+
}

- print CGI::table({class=>"FormLayout"},
- CGI::Tr(
- CGI::td("$user_name\'s Current Password"),
- CGI::td(CGI::password_field("currPassword")),
- ),
- CGI::Tr(
- CGI::td("$e_user_name\'s New Password"),
- CGI::td(CGI::password_field("newPassword")),
- ),
- CGI::Tr(
- CGI::td("Confirm $e_user_name\'s New Password"),
- CGI::td(CGI::password_field("confirmPassword")),
- ),
- );
+ if ($authz->hasPermissions($userID, "change_password")) {
+ print CGI::table({class=>"FormLayout"},
+ CGI::Tr(
+ CGI::td("$user_name\'s Current Password"),
+ CGI::td(CGI::password_field("currPassword")),
+ ),
+ CGI::Tr(
+ CGI::td("$e_user_name\'s New Password"),
+ CGI::td(CGI::password_field("newPassword")),
+ ),
+ CGI::Tr(
+ CGI::td("Confirm $e_user_name\'s New Password"),
+ CGI::td(CGI::password_field("confirmPassword")),
+ ),
+ );
+ } else {
+ print CGI::p("You do not have permission to change your password.");
+ }

print CGI::h2("Change Email Address");

- if ($changeOptions) {
- if ($newA) {
+ if ($changeOptions and $newA) {
+ if ($authz->hasPermissions($userID, "change_email_address")) {
+
my $oldA = $EUser->email_address;
$EUser->email_address($newA);
eval { $db->putUser($EUser) };
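Review bot: the denial message in the new "else" branch of the password block can never print. That branch sits inside "if ($changeOptions and ($currP or $newP or $confirmP))", and its "unless $changeOptions and ($currP or $newP or $confirmP)" modifier repeats the same condition, which is always true at that point. The user still gets the plain CGI::p message from the form section further down, so either drop the inner print, or do what the email-address section does: keep the ResultsWithError version here and put the "unless" on the form-side message.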
@@ -138,19 +152,29 @@
CGI::p("Your email address has been changed."),
);
}
+
+ } else {
+ print CGI::div({class=>"ResultsWithError"},
+ CGI::p("You do not have permission to change email addresses."),
+ );
}
}

- print CGI::table({class=>"FormLayout"},
- CGI::Tr(
- CGI::td("$e_user_name\'s Current Address"),
- CGI::td($EUser->email_address),
- ),
- CGI::Tr(
- CGI::td("$e_user_name\'s New Address"),
- CGI::td(CGI::textfield("newAddress", $newA)),
- ),
- );
+ if ($authz->hasPermissions($userID, "change_email_address")) {
+ print CGI::table({class=>"FormLayout"},
+ CGI::Tr(
+ CGI::td("$e_user_name\'s Current Address"),
+ CGI::td($EUser->email_address),
+ ),
+ CGI::Tr(
+ CGI::td("$e_user_name\'s New Address"),
+ CGI::td(CGI::textfield("newAddress", $newA)),
+ ),
+ );
+ } else {
+ print CGI::p("You do not have permission to change email addresses.")
+ unless $changeOptions and $newA; # avoid double message
+ }

print CGI::br();
print CGI::submit("changeOptions", "Change User Options");
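Review bot: hasPermissions($userID, "change_email_address") tests the logged-in user, while the record written just above this hunk is $EUser. When someone is acting as another user, the decision therefore rests on the acting user's level rather than the target's; if that is intended, a short comment should say so. The messages "You do not have permission to change email addresses." and "Your email address has been changed." could also name $e_user_name, as the password section does.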
Index: Feedback.pm
===================================================================
RCS file: /webwork/cvs/system/webwork2/lib/WeBWorK/ContentGenerator/Feedback.pm,v
retrieving revision 1.23
retrieving revision 1.24
diff -Llib/WeBWorK/ContentGenerator/Feedback.pm -Llib/WeBWorK/ContentGenerator/Feedback.pm -u -r1.23 -r1.24
--- lib/WeBWorK/ContentGenerator/Feedback.pm
+++ lib/WeBWorK/ContentGenerator/Feedback.pm
@@ -144,6 +144,11 @@
$returnURL = "";
}

+ unless ($authz->hasPermissions($userName, "submit_feedback")) {
+ $self->feedbackNotAllowed($returnURL);
+ return "";
+ }
+
if (defined $r->param("sendFeedback")) {
# get verbosity level
my $verbosity = $ce->{mail}->{feedbackVerbosity};
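Review bot: a refused attempt leaves no record. The "unless" block is correctly placed ahead of the sendFeedback branch, so a direct form submission is rejected as well as the form display, but a "warn" naming $userName before the "return" would let an administrator see which account keeps trying.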
@@ -274,6 +279,13 @@
return "";
}



+sub feedbackNotAllowed {
+ my ($self, $returnURL) = @_;
+
+ print CGI::p("You are not allowed to send feedback.");
+ print CGI::p(CGI::a({-href=>$returnURL}, "Cancel Feedback")) if $returnURL;
+}
+
sub feedbackForm {
my ($self, $user, $returnURL, $message) = @_;
my $r = $self->r;
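Review bot: feedbackNotAllowed reuses the link text "Cancel Feedback", which is misleading on a page where no feedback was started; a label such as "Return" fits the denial case better. The sub also has no comment saying when it is called or that it expects $returnURL to be possibly empty.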
@@ -301,7 +313,7 @@
);
print CGI::submit("sendFeedback", "Send Feedback");
print CGI::end_form();
- print CGI::p(CGI::a({-href=>$returnURL}, "Cancel Feedback"));
+ print CGI::p(CGI::a({-href=>$returnURL}, "Cancel Feedback")) if $returnURL;
}



1;

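The failed attempt earlier in the thread shows the failure mode: keys added to %permissionLevels do nothing when the installed code never asks for them. The following is an added example, not part of the thread or of WeBWorK: a Python check that compares the keys in a global.conf-style text with the literal hasPermissions(..., "name") calls found in source text. The sample config and source snippets are constructed from lines quoted in the patches above, and the function names are this example's own.

```python
import re

# Literal checks such as: $authz->hasPermissions($userID, "change_password")
CALL_RE = re.compile(r'hasPermissions\(\s*\$\w+\s*,\s*(["\'])(\w+)\1\s*\)')
# The body of: %permissionLevels = ( ... );
HASH_RE = re.compile(r'%permissionLevels\s*=\s*\((.*?)\)\s*;', re.S)
ENTRY_RE = re.compile(r'(\w+)\s*=>\s*(\$\w+)')

def configured_permissions(conf_text):
    """Return {permission: level variable} from a global.conf-style text."""
    m = HASH_RE.search(conf_text)
    if not m:
        return {}
    body = re.sub(r'#.*', '', m.group(1))   # drop Perl comments
    return dict(ENTRY_RE.findall(body))

def enforced_permissions(sources):
    """Return {permission: set of files} for every literal hasPermissions call."""
    found = {}
    for path, text in sources.items():
        for _quote, name in CALL_RE.findall(text):
            found.setdefault(name, set()).add(path)
    return found

def audit(conf_text, sources):
    """Compare what the config sets with what the code actually checks."""
    configured = set(configured_permissions(conf_text))
    enforced = set(enforced_permissions(sources))
    return {"unenforced": sorted(configured - enforced),    # set, never checked
            "unconfigured": sorted(enforced - configured)}  # checked, not set

# Constructed sample data: entries and calls copied from the patches in this thread.
CONF = """
%permissionLevels = (
    report_bugs          => $student,
    submit_feedback      => $student,   # no effect unless the code checks it
    change_password      => $student,
    change_email_address => $student,
);
"""
TREE_BEFORE = {"ContentGenerator.pm":
               'print ... if $authz->hasPermissions($user, "report_bugs");'}
TREE_AFTER = {**TREE_BEFORE,
    "Feedback.pm": 'unless ($authz->hasPermissions($userName, "submit_feedback")) {',
    "Options.pm": 'if ($authz->hasPermissions($userID, "change_password")) {\n'
                  'if ($authz->hasPermissions($userID, "change_email_address")) {'}

if __name__ == "__main__":
    print("before patch:", audit(CONF, TREE_BEFORE))
    print("after patch: ", audit(CONF, TREE_AFTER))
```

The scan only sees permission names passed as string literals; a name checked through a variable or some other mechanism will be listed as unenforced and needs a manual look.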