Update on the Known Issue Related to Course Files in Item Banks

The content in this blog is over six months old, and the comments are closed. For the most recent product updates and discussions, you're encouraged to explore newer posts from Instructure's Product Managers.

AlexSlaughter
Instructure
Instructure
34
8285

Canvas.png

 

Update: 10/30/2024

Since our last update in late September, our engineering team has continued working diligently on the long-term solution for Image File issues identified in IA-100. Although we were hopeful for an October release, unforeseen technical challenges have pushed our anticipated release date back to November 12. We understand this is not the news you were hoping for, and we truly appreciate your patience as we work to get it right. Please know we’re committed to delivering a fully vetted and reliable solution that meets the needs of all of our customers, as quickly as possible.We’ll continue to keep you updated as we approach this final release date. Thank you again for your continued patience and partnership as we work through this issue.


Update 9/24/2024

Thanks to all of you who have raised the importance of the course files in item banks issue and for following along in our blog post as we rolled out the short-term fix. We’re excited to share that the long-term fix for this issue is nearing code completion. However, after careful consideration, we’ve decided not to push for our original end-of-September production release date.

Given the size and complexity of this update, we believe thorough testing is essential to ensure a smooth rollout and a high-quality experience for all users. To allow for comprehensive testing, we’re adjusting the release timeline and now plan to move to production at the end of October. Once it is in production, we will also run a datafix for all affected files dating back to February 2024. 

Thank you for your continued patience and understanding as we finalize this important update.


Update 6/28/2024

Now that file verifiers have been restored, we are moving forward with the long-term fix. We are still on track for the promised late September timeline.
Since our update last Friday we have heard from some of you that things aren’t working as expected. Please contact support so that they can get more information from you and we can investigate.


Update 06/21/2024

Good news! We have deployed the fix that will restore functionality available before February 2024 to production. This fix is behind the “Use file verifier authentication for New Quiz file links” feature option that is now visible in account settings. The default for the feature option is “enabled.” Administrators will need to disable the feature flag if they do not want verifiers to be added to newly generated or newly copied content.


Update 06/14/2024

By June 21st file verifiers and the feature option will be available in production environments. This will restore functionality available before February 2024 when they were initially removed. This fix will alleviate most issues related to newly generated and newly copied content, including blueprint.

Once available in production environments,  the “Use file verifier authentication for New Quiz file links” feature option will be visible in account settings. The default for the feature option is “enabled”, admins not interested in having file verifiers on, will need to disable the feature option.

With the feature option disabled, new verifiers will not be added but any existing verifiers will continue to work. With the feature option enabled, when you insert new files, the verifiers will be added to course files. If this flag is disabled, using user files is still a viable workaround,as file verifiers have remained in place for user files.

Looking forward, a more general solution is being implemented that does not rely on file verifiers, when this is in place, all existing content will be updated to take advantage of this solution.


Update 05/31/2024

We have some important updates to share on our progress over these last two weeks.

We have decided to restore the functionality of the file verifiers temporarily in order to alleviate the associated concerns as soon as possible. We understand that for many of you this is welcome, but for others it may not be, given the security concerns we previously referenced. Therefore, we are allowing institutions to opt out of file verifiers in New Quizzes via a root account flag that can be turned off by an administrator. The reason we have chosen to go this route is that we have determined that our longer term solution will not be ready as quickly as we’d hoped. While this is not ideal, we do believe it’s the best way to improve the current situation as we work to resolve it longer term. We will enable file verifiers as soon as possible, at which time we’ll document the process to turn off file verifiers if your institution chooses that option. 

For the longer term, we're pursuing a solution that will solve two important problems:

    • Files will still be available in quizzes, even if the file’s original context (course or user) is deleted.
    • Files in shared item banks will be available regardless of if the user is enrolled in the file’s source course. 

We are targeting a late September release for the longer term solution, which will also ensure all old links are corrected.


Please stay tuned for the next update in two weeks.


Update 05/17/2024

The most recent New Quizzes update sparked a lot of feedback, much of it expressing frustration about the known issue related to course files in item banks. Copying a course does not automatically change the links in an item bank, so when you use a question from an item bank in the new course, the links would still refer back to the original course. We know you’ve been anxious for a response, and have appreciated your patience as we’ve investigated internally on how to remedy this issue and to make sure we fully understand the timeline so that we can provide clarity here.

 

When did this issue begin?
We want to be clear that this was an existing issue, as we stated in September 2023, when we added warnings into the workflows to make sure that educators were aware of the limitations and would hopefully leverage the workaround. We have had this on our roadmap to fix, but had not yet addressed it when we unintentionally exacerbated the problem in February 2024 by removing “verifiers” from file links in rich content. 

What are file verifiers and why did we remove them?

Simply put, a file verifier is a secret access token we attach when granting access to a file through a special pathway (i.e. the standard course files linked in course content workflow). When we added files to New Quizzes, these verifiers were inadvertently added and masked the underlying issue with item banks, making it harder for both users and us to recognize the problem's full extent. As a result, a proper workflow wasn’t developed. 

After the RCE change was implemented in New Quizzes, teachers started reporting a security concern: the presence of these verifiers allowed students to access locked files within quizzes, which shouldn't have been possible. In resolving the security issue, it revealed the full extent of the problematic item bank workflow. 

What are we doing about it now? 

We are making this a top priority and currently have engineers working on a solution. Given the security concerns, we decided that adding back the verifiers was not a viable option and are implementing a solution that will rectify the underlying issue that removing them has exposed. We have chosen to move forward with a solution that allows New Quizzes to add a new type of verifier which addresses the pitfalls of the previous version of the verifier without reintroducing the previous security concerns. This change does not require a datafix will now be included as part of the solution. So once the change is deployed, the expected behavior will return for all linked content.  

Our commitment to you

We understand the urgency of this problem and want to make sure you feel we are taking this seriously. While we can’t provide a specific resolution date quite yet, we are committed to posting updates to this blogpost every two weeks on the progress we are making until this issue is resolved. 

The content in this blog is over six months old, and the comments are closed. For the most recent product updates and discussions, you're encouraged to explore newer posts from Instructure's Product Managers.

34 Comments