Bug 48080 - Teacher's computer is locked out of internet access due to exam mode/computer room settings
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: UMC - Exam mode
Version: UCS@school 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.4 v2-errata
Assigned To: Ole Schwiegert
QA Contact: Jürn Brodersen
Duplicates: 49629
Depends on: 49608
Blocks: 50323
Reported: 2018-10-30 12:00 CET by Sönke Schwardt-Krummrich
Modified: 2019-10-07 11:55 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018102421000426, 2019061121000841
Bug group (optional):
Max CVSS v3 score:


Attachments
Technical changes to filter out defined teacher pc's (4.88 KB, patch)
2019-05-23 10:53 CEST, Ole Schwiegert
posible patch (3.60 KB, patch)
2019-06-19 15:01 CEST, Jürn Brodersen

Description Sönke Schwardt-Krummrich univentionstaff 2018-10-30 12:00:04 CET
At least one customer has run into a concept problem with the computer rooms/exam mode:

Teacher computers must be members of the computer rooms if they want to use iTALC functions such as presentation mode. However, these computers are currently subject to the same restrictions as the student computers. This means that access to shares will be restricted and, even worse, Internet access will also be restricted/prevented.

This can lead to the teacher locking himself out because, for example, the client systems are configured via a firewall so that HTTP/HTTPS access can only take place via the proxy. If the proxy prohibits any access by the rule "No Internet", the teacher is locked out.

If ucsschoolRoles is set, teacher computers may be given their own role (e.g. "computer-teacher" or "windows-teacher"), which will allow our code to better distinguish on a case-by-case basis whether or not the teacher computer is considered part of the group for certain functions.
Comment 1 Ole Schwiegert univentionstaff 2019-05-23 10:53:46 CEST
Created attachment 10043 [details]
Technical changes to filter out defined teacher pc's

On the backend we can easily do this by introducing a school role as proposed. The attached patch shows this. Then we just filter the computers in the given computer room and exclude any PC marked with that role.
Comment 2 Christina Scheinig univentionstaff 2019-06-12 09:10:59 CEST
And another customer ran into this problem, getting locked out from the UMC in the exam mode.
Comment 3 Daniel Tröder univentionstaff 2019-06-12 09:17:31 CEST
*** Bug 49629 has been marked as a duplicate of this bug. ***
Comment 5 Ole Schwiegert univentionstaff 2019-06-14 08:45:05 CEST
http://jenkins.knut.univention.de:8080/job/UCSschool-4.4/job/Handbook/18/artifact/webroot/ucsschool-lehrer-handbuch-4.4.html

Package: ucs-test-ucsschool
Version: 6.0.9A~4.4.0.201906140836
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Package: ucs-school-lib
Version: 12.1.2-0A~4.4.0.201906140838
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Package: ucs-school-umc-rooms
Version: 16.1.0-0A~4.4.0.201906140839
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Package: ucs-school-umc-exam
Version: 9.1.0-0A~4.4.0.201906140841
Branch: ucs_4.4-0
Scope: ucs-school-4.4


Teacher computers can now be defined in the room management.
If a computer is in multiple rooms it has the same status in every room.
  * If you set it as teacher computer in one room it is in all
  * If you unset it as teacher computer in one room it is unset in all
  * If a teacher computer is removed from all its rooms without being unset as teacher computer in any one of them, the computer remains a teacher computer

Technically the ucsschool_role 'teacher_computer' is assigned to the computer object.

During an exam a teacher computer should be able to access shares and internet normally, even if restrictions are in place.

iTALC should work as is.
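The filtering described in comments 1 and 5, sketched as an added example (not UCS@school code and not part of the original comments). It assumes ucsschoolRole values have the form `role:context_type:context` and that an exemption should only count for the room's own school; the `Computer` type, function names and sample hosts are hypothetical.

```python
# Added illustration; not taken from ucs-school-umc-exam or ucs-school-lib.
from typing import Iterable, List, NamedTuple, Tuple

TEACHER_ROLE = "teacher_computer"  # role name given in comment 5


class Computer(NamedTuple):
    name: str
    roles: Tuple[str, ...]  # ucsschoolRole values (format is an assumption)


def is_teacher_computer(computer: Computer, school: str) -> bool:
    """True only for a well-formed teacher_computer role scoped to `school`."""
    for raw in computer.roles:
        parts = raw.split(":")
        if len(parts) != 3:
            continue  # malformed value grants no exemption (fail closed)
        role, context_type, context = parts
        if (role == TEACHER_ROLE and context_type == "school"
                and context.lower() == school.lower()):
            return True
    return False


def split_room(computers: Iterable[Computer],
               school: str) -> Tuple[List[str], List[str]]:
    """Return (restricted, exempt) host names for one exam room."""
    restricted: List[str] = []
    exempt: List[str] = []
    for computer in computers:
        target = exempt if is_teacher_computer(computer, school) else restricted
        target.append(computer.name)
    return restricted, exempt


# Constructed sample room: one valid teacher PC, one role for another
# school, one malformed role value, one computer with no roles at all.
ROOM = [
    Computer("pc01", ("win_computer:school:DEMOSCHOOL",)),
    Computer("pc02", ("win_computer:school:DEMOSCHOOL",
                      "teacher_computer:school:DEMOSCHOOL")),
    Computer("pc03", ("teacher_computer:school:OTHERSCHOOL",)),
    Computer("pc04", ("teacher_computer",)),
    Computer("pc05", ()),
]

if __name__ == "__main__":
    restricted, exempt = split_room(ROOM, "DEMOSCHOOL")
    print("restricted:", restricted)
    print("exempt:", exempt)
```

Because the role exempts a host from the exam's share and internet restrictions, the set of accounts allowed to write ucsschoolRole on computer objects decides who can lift those restrictions.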
Comment 6 Ole Schwiegert univentionstaff 2019-06-17 12:38:18 CEST
Package: ucs-school-umc-exam
Version: 9.0.1-7A~4.4.0.201906171142
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Fixed wrong versioning in ucs-school-umc-exam
Comment 7 Jürn Brodersen univentionstaff 2019-06-19 15:01:40 CEST
Created attachment 10074 [details]
posible patch

101_exam_mode_group_members fails
Comment 8 Ole Schwiegert univentionstaff 2019-06-21 08:01:31 CEST
Package: ucs-test-ucsschool
Version: 6.0.24A~4.4.0.201906210801
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Applied Jürn's fix
Comment 9 Ole Schwiegert univentionstaff 2019-06-21 11:18:35 CEST
Package: ucs-school-umc-exam
Version: 9.0.1-8A~4.4.0.201906211118
Branch: ucs_4.4-0
Scope: ucs-school-4.

Applied second part of Jürn's fix
Comment 10 Jürn Brodersen univentionstaff 2019-06-21 11:42:46 CEST
This might have been fixed by the last commits, but please check it :)

90_ucsschool/25_room_management_module fails on slave

https://jenkins.knut.univention.de:8181/job/UCSschool-4.4/job/Install%20Multiserver/lastCompletedBuild/Config=s4,TestGroup=base1/testReport/90_ucsschool/25_room_management_module/slave2032/


Traceback:
'''
(2019-06-21 02:44:11.051788) univention.lib.umc.HTTPError: 591 on slave2032.autotest203.local (command/schoolrooms/add): {"status": 591, "message": "Interner Server-Fehler in \"schoolrooms/add\".", "traceback": "Interner Server-Fehler in \"schoolrooms/add\".\nRequest: schoolrooms/add\n\nTraceback (most recent call last):\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/base.py\", line 260, in execute\n    function.__func__(self, request, *args, **kwargs)\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 192, in _response\n    return function(self, request)\n  File \"/usr/lib/pymodules/python2.7/ucsschool/lib/schoolldap.py\", line 145, in wrapper_func\n    return func(*args, **kwargs)\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolrooms/__init__.py\", line 108, in add\n    self._set_teacher_computers(group_props.get('computers', []), group_props.get('teacher_computers', []), ldap_user_read, ldap_user_write)\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolrooms/__init__.py\", line 157, in _set_teacher_computers\n    computer.modify(ldap_user_write)\n  File \"/usr/lib/pymodules/python2.7/ucsschool/lib/models/base.py\", line 533, in modify\n    success = self.modify_without_hooks(lo, validate, move_if_necessary)\n  File \"/usr/lib/pymodules/python2.7/ucsschool/lib/models/computer.py\", line 232, in modify_without_hooks\n    return super(SchoolComputer, self).modify_without_hooks(lo, validate, move_if_necessary)\n  File \"/usr/lib/pymodules/python2.7/ucsschool/lib/models/base.py\", line 559, in modify_without_hooks\n    self.do_modify(udm_obj, lo)\n  File \"/usr/lib/pymodules/python2.7/ucsschool/lib/models/base.py\", line 593, in do_modify\n    udm_obj.modify(ignore_license=1)\n  File \"/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py\", line 642, in modify\n    dn = self._modify(modify_childs, 
ignore_license=ignore_license, response=response)\n  File \"/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py\", line 1312, in _modify\n    self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)\n  File \"/usr/lib/pymodules/python2.7/univention/admin/uldap.py\", line 891, in modify\n    raise univention.admin.uexceptions.permissionDenied\npermissionDenied", "location": "https://slave2032.autotest203.local/univention/command"}
'''
Comment 11 Daniel Tröder univentionstaff 2019-06-21 17:10:49 CEST
OK: update of manual
OK: tests 25_room_management_module and 101_exam_mode_group_members pass
OK: code change in ucsschool.lib to allow custom roles: roles are not required anymore to be in <model>.default_roles.
Hint: Add/keep a comma after last item of dict definitions that span multiple lines, to reduce the diff when adding/removing dict items.
OK: manual functional test:
* singleserver with 2 join windows clients
* room with both clients, one of them marked as a teacher computer
* started exam with that room with internet access rule "no internet"
* users on teacher computer can browse the web
* users on other computer are blocked from accessing the web
Comment 12 Daniel Tröder univentionstaff 2019-06-24 11:15:07 CEST
Test still fails
Comment 13 Daniel Tröder univentionstaff 2019-06-24 11:20:08 CEST
Probably computer_obj.modify() executed on slave.
Comment 14 Ole Schwiegert univentionstaff 2019-06-26 15:47:48 CEST
Package: ucs-school-umc-rooms
Version: 16.1.0-1A~4.4.0.201906261544
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Package: ucs-school-ldap-acls-master
Version: 17.0.1-2A~4.4.0.201906261540
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Fixed

OU-Admins can now write ucsschoolRole on computer objects in their OU
ldap_write is now also used to open computer objects
Comment 15 Jürn Brodersen univentionstaff 2019-07-09 12:25:35 CEST
OK tests are working now

Otherwise the QA is already done:

(In reply to Daniel Tröder from comment #11)
> OK: update of manual
> OK: tests 25_room_management_module and 101_exam_mode_group_members pass
> OK: code change in ucsschool.lib to allow custom roles: roles are not
> required anymore to be in <model>.default_roles.
> Hint: Add/keep a comma after last item of dict definitions that span
> multiple lines, to reduce the diff when adding/removing dict items.
> OK: manual functional test:
> * singleserver with 2 join windows clients
> * room with both clients, one of them marked as a teacher computer
> * started exam with that room with internet access rule "no internet"
> * users on teacher computer can browse the web
> * users on other computer are blocked from accessing the web
Comment 16 Jürn Brodersen univentionstaff 2019-07-26 13:55:50 CEST
4.4 v3 released