Access to Scorm Zip File


Sean Duffy

Jan 17, 2021, 11:10:13 PM
to Numbas Users
Hi all, we have installed the Numbas application on our own internal servers. 
Our system architects have commented...
"the uploaded Scorm exam content is not protected by authentication; it looks like all the content of the exams can be accessed without being logged in. I’m not sure if this is an issue or not, as you can’t save your answers if you’re not logged in; but people might try to iterate through exams to see what they can see."

Can anyone confirm that the Numbas Scorm exam content can be found by URL hunting...?

Thanks in advance

Sean 

Christian Lawson-Perfect

Jan 18, 2021, 3:23:36 AM
to numbas...@googlegroups.com
Hi Sean,
I also replied to your email to num...@ncl.ac.uk, but now I've seen this so I'll copy my reply here for everyone else's benefit:
Yes, that's the case. We have an open issue on GitHub about this: https://github.com/numbas/numbas-lti-provider/issues/85. The past year has been pretty relentless, so I haven't had time to come up with a solution yet.

Christian


Christian Lawson-Perfect

Jan 19, 2021, 10:43:40 AM
to numbas...@googlegroups.com
This turned out to be much easier to fix than I thought. I've pushed some code to our master branch on GitHub which adds a UUID field to each exam, which is used in its URL instead of the sequential database key. I'll make this into an official release in a couple of weeks when our exam period is over, but if you want to try upgrading now, you can. There's a migration to move existing content, and a backwards one in case it doesn't work, so this should be safe to try.
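The fix described in the last post, sketched as an added example (not code from the Numbas LTI provider): a reversible data migration that gives each exam a random UUID and renames its content directory to match, plus a check that no integer-named path is left. The `exam` table, its columns and the one-directory-per-exam layout are assumptions made for illustration.

```python
import sqlite3
import tempfile
import uuid
from pathlib import Path

def forwards(db, root):
    """Assign each exam a random UUID and move its extracted package to match."""
    for (pk,) in db.execute("SELECT id FROM exam WHERE uuid IS NULL").fetchall():
        key = str(uuid.uuid4())  # 122 random bits, not derived from the database key
        db.execute("UPDATE exam SET uuid = ? WHERE id = ?", (key, pk))
        if (root / str(pk)).is_dir():
            (root / str(pk)).rename(root / key)
    db.commit()

def backwards(db, root):
    """Undo forwards(): restore the directories named after the database key."""
    rows = db.execute("SELECT id, uuid FROM exam WHERE uuid IS NOT NULL").fetchall()
    for pk, key in rows:
        if (root / key).is_dir():
            (root / key).rename(root / str(pk))
        db.execute("UPDATE exam SET uuid = NULL WHERE id = ?", (pk,))
    db.commit()

def sequential_paths(root, highest):
    """Deployment check: which integer-named content directories still exist?"""
    return [n for n in range(1, highest + 1) if (root / str(n)).is_dir()]

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        db = sqlite3.connect(":memory:")
        db.execute("CREATE TABLE exam (id INTEGER PRIMARY KEY, title TEXT, uuid TEXT UNIQUE)")
        for title in ("Algebra", "Calculus", "Statistics"):  # constructed sample data
            pk = db.execute("INSERT INTO exam (title) VALUES (?)", (title,)).lastrowid
            (root / str(pk)).mkdir()
            (root / str(pk) / "index.html").write_text(title)
        before = sequential_paths(root, 10)   # paths reachable by counting upwards
        forwards(db, root)
        after = sequential_paths(root, 10)    # should be empty once migrated
        keys = [k for (k,) in db.execute("SELECT uuid FROM exam ORDER BY id")]
        moved = all((root / k / "index.html").is_file() for k in keys)
        backwards(db, root)
        restored = sequential_paths(root, 10)
        return before, after, keys, moved, restored

if __name__ == "__main__":
    print(demo())
```

An unguessable path only stops enumeration: a request that already holds the URL is still served without a login check unless one is added separately.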