Forums | Mahara Community
Support
/
Secret URLs - access denied error?
27 February 2013, 11:46
I'm trying to determine if this is a bug, user error, or something mixed up with our system (I suspect a bug). Here is the issue:
Students create pages, insert journal blocks onto those pages, generat a "secret url" for the page, and then email that secret url to their instructor. Usually this works fine. But I'm getting more reports that when the instructor clicks the link, they get an "access denied" error message (in Mahara), and the page does not open.
Some of these pages which are being shared via secret URLs, but students might also share them using the normal process, and the pages may be in a collection. Maybe there's some buggy conflict happening? Aren't secret URLs supposed to completely bypass any other access rights that may or may not have been set in the Mahara by the page owner?
Students are not submitting "for assessment" to groups. The instructor, and other teaching assistants who view the link, are Mahara users.
Any help would be greatly appreciated, as this seems to happen quite often.
Thank you.
PS: Here are related posts in the forum... which don't seem to offer a definite answer:
https://mahara.org/interaction/forum/topic.php?id=1478
28 February 2013, 16:15
Hi Sean,
If everything's working correctly, it shouldn't matter whether the user is logged in or not, or whether the page is part of a collection or not. When you access a page via a "secret URL", it sets a session cookie in your browser which allows you to access that page until you close your browser. Even if you log in as a user who would not otherwise have access to the page, or if you log out and log back in as a different user, you still keep access to the secret URL'ed page until you end your browser session.
(Come to think of it, that might be worth changing -- perhaps if you log out it should clear your "secret URL" cookie.)
There are a few configuration settings that can block access to a secret URL:
- The user can delete the secret URL
- The user can put an end date on the secret URL
- if the view's owner is suspended
- $cfg->allowpublicviews = false
- The Instution setting "no public views"
But if none of those are causing your problem, then it may be a bug.
Cheers,
Aaron
01 March 2013, 10:50
Right, but even if the viewer ends their browser session, they can re-access that secret URL page by clicking the link again... correct?
Thank you for the ideas, and it looks like everything is in order as it should be. The strange thing, is that the issue pops up once in while, so it's not something that I can nail down and find a cause... which leads me back to the bug idea.
I think I'll ask the instructor to tell students to create a separate page, not put it in a collection or turn on/off end dates, and share it via secret url - and not doing anything else with the page. Maybe that will fix it.
Unless.... it has something to do with the Journals inside the pages that are being share... Hmm.