Univention Bugzilla – Bug 48080
Teacher's computer is locked out of internet access due to exam mode/computer room settings
Last modified: 2019-10-07 11:55:03 CEST
At least one customer has run into a concept problem with the computer rooms/exam mode: Teacher computers must be members of the computer rooms if they want to use iTALC functions such as presentation mode. However, these computers are currently subject to the same restrictions as the student computers. This means that access to shares will be restricted and, even worse, Internet access will also be restricted/prevented. This can lead to the teacher locking himself out because, for example, the client systems are configured via a firewall so that HTTP/HTTPS access can only take place via the proxy. If the proxy prohibits any access by the rule "No Internet", the teacher is locked out. If ucsschoolRoles is set, teacher computers may be given their own role (e.g. "computer-teacher" or "windows-teacher"), which will allow our code to better distinguish on a case-by-case basis whether or not the teacher computer is considered part of the group for certain functions.
Created attachment 10043 [details] Technical changes to filter out defined teacher pc's On the backend we can easily do this by introducing a school role as proposed. The attached patch shows this. Then we just filter the computers in the given computer room and exclude any PC marked with that role.
And an other customer ran into this problem, getting locked out from the UMC in the exam mode
*** Bug 49629 has been marked as a duplicate of this bug. ***
http://jenkins.knut.univention.de:8080/job/UCSschool-4.4/job/Handbook/18/artifact/webroot/ucsschool-lehrer-handbuch-4.4.html Package: ucs-test-ucsschool Version: 6.0.9A~4.4.0.201906140836 Branch: ucs_4.4-0 Scope: ucs-school-4.4 Package: ucs-school-lib Version: 12.1.2-0A~4.4.0.201906140838 Branch: ucs_4.4-0 Scope: ucs-school-4.4 Package: ucs-school-umc-rooms Version: 16.1.0-0A~4.4.0.201906140839 Branch: ucs_4.4-0 Scope: ucs-school-4.4 Package: ucs-school-umc-exam Version: 9.1.0-0A~4.4.0.201906140841 Branch: ucs_4.4-0 Scope: ucs-school-4.4 Teacher computers can now be defined in the room management. If a computer is in multiple rooms it has the same status in every room. * If you set it as teacher computer in one room it is in all * If you unset it as teacher computer in one room it is unset in all * If a teacher computer is removed from all its rooms without being unset as teacher computer in anyone of them, the computer remains a teacher computer Technically the ucsschool_role 'teacher_computer' is assigned to the computer object. During an exam a teacher computer should be able to access shares and internet normally, even if restrictions are in place Italc should work as is.
Package: ucs-school-umc-exam Version: 9.0.1-7A~4.4.0.201906171142 Branch: ucs_4.4-0 Scope: ucs-school-4.4 Fixed wrong versioning in ucs-school-umc-exam
Created attachment 10074 [details] posible patch 101_exam_mode_group_members fails
Package: ucs-test-ucsschool Version: 6.0.24A~4.4.0.201906210801 Branch: ucs_4.4-0 Scope: ucs-school-4.4 Applied Jürns fix
Package: ucs-school-umc-exam Version: 9.0.1-8A~4.4.0.201906211118 Branch: ucs_4.4-0 Scope: ucs-school-4. Applied second part of Jürns fix
This might have been fixed by the last commits, but please check it :) 90_ucsschool/25_room_management_module fails on slave https://jenkins.knut.univention.de:8181/job/UCSschool-4.4/job/Install%20Multiserver/lastCompletedBuild/Config=s4,TestGroup=base1/testReport/90_ucsschool/25_room_management_module/slave2032/ Traceback: ''' (2019-06-21 02:44:11.051788) univention.lib.umc.HTTPError: 591 on slave2032.autotest203.local (command/schoolrooms/add): {"status": 591, "message": "Interner Server-Fehler in \"schoolrooms/add\".", "traceback": "Interner Server-Fehler in \"schoolrooms/add\".\nRequest: schoolrooms/add\n\nTraceback (most recent call last):\n File \"/usr/lib/pymodules/python2.7/univention/management/console/base.py\", line 260, in execute\n function.__func__(self, request, *args, **kwargs)\n File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 192, in _response\n return function(self, request)\n File \"/usr/lib/pymodules/python2.7/ucsschool/lib/schoolldap.py\", line 145, in wrapper_func\n return func(*args, **kwargs)\n File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolrooms/__init__.py\", line 108, in add\n self._set_teacher_computers(group_props.get('computers', []), group_props.get('teacher_computers', []), ldap_user_read, ldap_user_write)\n File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolrooms/__init__.py\", line 157, in _set_teacher_computers\n computer.modify(ldap_user_write)\n File \"/usr/lib/pymodules/python2.7/ucsschool/lib/models/base.py\", line 533, in modify\n success = self.modify_without_hooks(lo, validate, move_if_necessary)\n File \"/usr/lib/pymodules/python2.7/ucsschool/lib/models/computer.py\", line 232, in modify_without_hooks\n return super(SchoolComputer, self).modify_without_hooks(lo, validate, move_if_necessary)\n File \"/usr/lib/pymodules/python2.7/ucsschool/lib/models/base.py\", line 559, in modify_without_hooks\n self.do_modify(udm_obj, lo)\n File \"/usr/lib/pymodules/python2.7/ucsschool/lib/models/base.py\", line 593, in do_modify\n udm_obj.modify(ignore_license=1)\n File \"/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py\", line 642, in modify\n dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)\n File \"/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py\", line 1312, in _modify\n self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)\n File \"/usr/lib/pymodules/python2.7/univention/admin/uldap.py\", line 891, in modify\n raise univention.admin.uexceptions.permissionDenied\npermissionDenied", "location": "https://slave2032.autotest203.local/univention/command"} '''
OK: update of manual OK: tests 25_room_management_module and 101_exam_mode_group_members pass OK: code change in ucsschool.lib to allow custom roles: roles are not required anymore to be in <model>.default_roles. Hint: Add/keep a comma after last item of dict definitions that span multiple lines, to reduce the diff when adding/removing dict items. OK: manual functional test: * singleserver with 2 join windows clients * room with both clients, one of them marked as a teacher computer * started exam with that room with internet access rule "no internet" * users on teacher computer can browse the web * users on other computer are blocked from accessing the web
Test still fails
Probably computer_obj.modify() executed on slave.
Package: ucs-school-umc-rooms Version: 16.1.0-1A~4.4.0.201906261544 Branch: ucs_4.4-0 Scope: ucs-school-4.4 Package: ucs-school-ldap-acls-master Version: 17.0.1-2A~4.4.0.201906261540 Branch: ucs_4.4-0 Scope: ucs-school-4.4 Fixed OU-Admins can now write ucsschoolRole on computer objects in their OU ldap_write is now also used to open computer objects
OK tests are working now Otherwise the QA is already done: (In reply to Daniel Tröder from comment #11) > OK: update of manual > OK: tests 25_room_management_module and 101_exam_mode_group_members pass > OK: code change in ucsschool.lib to allow custom roles: roles are not > required anymore to be in <model>.default_roles. > Hint: Add/keep a comma after last item of dict definitions that span > multiple lines, to reduce the diff when adding/removing dict items. > OK: manual functional test: > * singleserver with 2 join windows clients > * room with both clients, one of them marked as a teacher computer > * started exam with that room with internet access rule "no internet" > * users on teacher computer can browse the web > * users on other computer are blocked from accessing the web
4.4 v3 released