Update on the Known Issue Related to Course Files in Item Banks

AlexSlaughter
Instructure
Instructure
23
3048

Canvas.png

Update 06/21/2024

Good news! We have deployed the fix that will restore functionality available before February 2024 to production. This fix is behind the “Use file verifier authentication for New Quiz file links” feature option that is now visible in account settings. The default for the feature option is “enabled.” Administrators will need to disable the feature flag if they do not want verifiers to be added to newly generated or newly copied content.

Update 06/14/2024

By June 21st file verifiers and the feature option will be available in production environments. This will restore functionality available before February 2024 when they were initially removed. This fix will alleviate most issues related to newly generated and newly copied content, including blueprint.

Once available in production environments,  the “Use file verifier authentication for New Quiz file links” feature option will be visible in account settings. The default for the feature option is “enabled”, admins not interested in having file verifiers on, will need to disable the feature option.

With the feature option disabled, new verifiers will not be added but any existing verifiers will continue to work. With the feature option enabled, when you insert new files, the verifiers will be added to course files. If this flag is disabled, using user files is still a viable workaround,as file verifiers have remained in place for user files.

Looking forward, a more general solution is being implemented that does not rely on file verifiers, when this is in place, all existing content will be updated to take advantage of this solution.

Update 05/31/2024

We have some important updates to share on our progress over these last two weeks.

We have decided to restore the functionality of the file verifiers temporarily in order to alleviate the associated concerns as soon as possible. We understand that for many of you this is welcome, but for others it may not be, given the security concerns we previously referenced. Therefore, we are allowing institutions to opt out of file verifiers in New Quizzes via a root account flag that can be turned off by an administrator. The reason we have chosen to go this route is that we have determined that our longer term solution will not be ready as quickly as we’d hoped. While this is not ideal, we do believe it’s the best way to improve the current situation as we work to resolve it longer term. We will enable file verifiers as soon as possible, at which time we’ll document the process to turn off file verifiers if your institution chooses that option. 

For the longer term, we're pursuing a solution that will solve two important problems:

    • Files will still be available in quizzes, even if the file’s original context (course or user) is deleted.
    • Files in shared item banks will be available regardless of if the user is enrolled in the file’s source course. 

We are targeting a late September release for the longer term solution, which will also ensure all old links are corrected.


Please stay tuned for the next update in two weeks.


05/17/2024

The most recent New Quizzes update sparked a lot of feedback, much of it expressing frustration about the known issue related to course files in item banks. Copying a course does not automatically change the links in an item bank, so when you use a question from an item bank in the new course, the links would still refer back to the original course. We know you’ve been anxious for a response, and have appreciated your patience as we’ve investigated internally on how to remedy this issue and to make sure we fully understand the timeline so that we can provide clarity here.

 

When did this issue begin?
We want to be clear that this was an existing issue, as we stated in September 2023, when we added warnings into the workflows to make sure that educators were aware of the limitations and would hopefully leverage the workaround. We have had this on our roadmap to fix, but had not yet addressed it when we unintentionally exacerbated the problem in February 2024 by removing “verifiers” from file links in rich content. 

What are file verifiers and why did we remove them?

Simply put, a file verifier is a secret access token we attach when granting access to a file through a special pathway (i.e. the standard course files linked in course content workflow). When we added files to New Quizzes, these verifiers were inadvertently added and masked the underlying issue with item banks, making it harder for both users and us to recognize the problem's full extent. As a result, a proper workflow wasn’t developed. 

After the RCE change was implemented in New Quizzes, teachers started reporting a security concern: the presence of these verifiers allowed students to access locked files within quizzes, which shouldn't have been possible. In resolving the security issue, it revealed the full extent of the problematic item bank workflow. 

What are we doing about it now? 

We are making this a top priority and currently have engineers working on a solution. Given the security concerns, we decided that adding back the verifiers was not a viable option and are implementing a solution that will rectify the underlying issue that removing them has exposed. We have chosen to move forward with a solution that allows New Quizzes to add a new type of verifier which addresses the pitfalls of the previous version of the verifier without reintroducing the previous security concerns. This change does not require a datafix will now be included as part of the solution. So once the change is deployed, the expected behavior will return for all linked content.  

Our commitment to you

We understand the urgency of this problem and want to make sure you feel we are taking this seriously. While we can’t provide a specific resolution date quite yet, we are committed to posting updates to this blogpost every two weeks on the progress we are making until this issue is resolved. 

23 Comments