[ARCHIVED] Security/permissions problem: Why does the STUDENT app allow you (test-student) to edit quizzes??

patricklin
Community Member
I found a security hole in Canvas that seems to have them stumped, and I'm wondering if anyone else has seen this, given how much more we're all relying on our campus LMS now for virtual classes:

Canvas has two apps for the smartphone, one for teachers and one for students. (You can see what the student sees by clicking the bottom button on the teacher app called "Student View", which automatically opens the student app.)

When you view your own course as this "test-student" in the student app, go to one of your quizzes and click "Take Quiz." Instead of seeing the quiz as a student would see it, the app gives the test-student options to edit and even unpublish your quiz!

This doesn't happen on the Chrome browser version of Canvas. And the test-student role doesn't let you edit any other part of your course, except for the quizzes; so this seems to be a glitch in the app.

It could be that this is a problem with only the test-student and doesn't affect real students. But since no one seems to know why this is happening—neither Canvas nor my school—they can't confidently say that there won't be a similar glitch with an actual student.  

Anyone else experience this problem??  I'm using the iOS apps, and I'd be curious if this also happens with the Android apps...
 
Should teachers plan to use a different app or LMS to run quizzes, if this security hole is unexplained and possibly broader?
 
For any Canvas employees reading this—since your helpdesk hasn't followed up yet with a diagnosis—you can see my chat history as well as phone screen recording that shows the problem in case #06154385, started on Aug 12, 2020. 
1 Solution
narmstrong
Instructure Alumni

This is a bug with Student View, not a security hole for real students.

Student View is tricky business because what it is is the Teacher "acting" as a student. All of the requests being made are as the teacher but they include an "as_user_id" param. What can happen is sometimes some views might not be looking at the "as_user_id" param and are only looking at the token for the user making the request.

Which, in some ways, makes this the opposite of a security hole because we are treating the request as a teacher, not a student.

So keep in mind that Student View is very different than logging in as a student. As you pointed out, there are bugs but they are not security holes.

Also, find comfort in the fact that the mobile apps use the public API. The apps in and of themselves are not capable of causing security holes such as this.

Thank you for the bug report, I will follow up with support and make sure we take a look at it.

 

Nate

Mobile Engineer

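To make the mechanism in the accepted answer concrete, here is an added Ruby sketch (not Canvas code) of the bug class it describes: the request is authenticated with the teacher's token and carries an `as_user_id` parameter, and a view that authorizes on the token's user alone hands the teacher's quiz permissions to Student View. The user table, permission sets and function names are constructed assumptions; the fixed check resolves the effective user from `as_user_id` before authorizing, and refuses masquerading from an account that is not allowed to do it.

```ruby
# Added example, not Canvas code: the token-only vs. as_user_id-aware check.
# Constructed permission sets per role (assumption, simplified).
PERMISSIONS = {
  teacher: %i[read_quiz take_quiz edit_quiz unpublish_quiz],
  student: %i[read_quiz take_quiz],
}.freeze

# Constructed users: 101 is the teacher, 202 is the generated test-student.
USERS = {
  101 => { id: 101, role: :teacher, can_masquerade: true },
  202 => { id: 202, role: :student, can_masquerade: false },
}.freeze

# A request: the token identifies the real caller; params may carry as_user_id.
Request = Struct.new(:token_user_id, :params)

# Buggy view: authorizes on the token's user only and ignores as_user_id,
# so Student View is treated as the teacher (the behaviour in the report).
def allowed_buggy?(request, action)
  user = USERS.fetch(request.token_user_id)
  PERMISSIONS[user[:role]].include?(action)
end

# Resolve who the request is acting as. Only a caller permitted to masquerade
# may supply as_user_id; everyone else is refused rather than silently ignored.
def effective_user(request)
  caller = USERS.fetch(request.token_user_id)
  target_id = request.params["as_user_id"]
  return caller if target_id.nil?
  raise ArgumentError, "masquerade not permitted" unless caller[:can_masquerade]
  USERS.fetch(Integer(target_id))
end

# Fixed view: authorizes on the effective (masqueraded) user.
def allowed_fixed?(request, action)
  PERMISSIONS[effective_user(request)[:role]].include?(action)
end

# Student View: teacher 101 acting as test-student 202.
STUDENT_VIEW = Request.new(101, { "as_user_id" => "202" }).freeze

if $PROGRAM_NAME == __FILE__
  puts "buggy  edit_quiz: #{allowed_buggy?(STUDENT_VIEW, :edit_quiz)}" # true
  puts "fixed  edit_quiz: #{allowed_fixed?(STUDENT_VIEW, :edit_quiz)}" # false
  puts "fixed  take_quiz: #{allowed_fixed?(STUDENT_VIEW, :take_quiz)}" # true
end
```

The last case in the test below is why the answer calls this "the opposite of a security hole": a real student token supplying `as_user_id` for the teacher is rejected, not elevated.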