[LON-CAPA-users] Restricting Resources By IP Address

Raeburn, Stuart raeburn at msu.edu
Tue Feb 5 15:39:15 EST 2019 

Doug,

The syntax Carl described in his reply to Lee, in which ! is used to indicate a "deny from" IP or range of IPs, is not in LON-CAPA 2.11, but will be in 2.12.

As noted in my earlier reply to Lee's original post, LON-CAPA 2.12 will support both "allow from IP" and "deny from IP" for both IP restrictions for slots and also the client IP/Name Access Control parameter (acc) which can be set for resources and/or folders to control access without using slots.

In 2.12 you would use the acc parameter to deny access from the IP addresses of the testing center computers to all resources except those which are to be included in the exam.  There would not be a need to use slots.

This functionality is flagged for 2.12, because if it is enabled in a course, selecting a role in the course will require that the user session is hosted on a 2.12 LON-CAPA server/VM.  

That is enforced by this addition to the /home/httpd/lonTabs/releaseslist.xml file:

<parameter name="acc" valuematch="_denyfrom_">2.12</parameter>

Of course LON-CAPA is open source, and given the uiuc domain is configured to only permit uiuc users to have their sessions hosted on LON-CAPA nodes in the uiuc domain, you could choose to run a modified 2.11 which included the code needed to support the denyfrom option in the acc parameter.  But at the present time, the syntax using ! is not supported for the acc parameter, (or for slots) in any official LON-CAPA release.

Stuart Raeburn
LON-CAPA Academic Consortium

________________________________________
From: LON-CAPA-users <lon-capa-users-bounces at mail.lon-capa.org> on behalf of Mills, Douglas G <dmills at illinois.edu>
Sent: Tuesday, February 5, 2019 3:13:48 PM
To: Discussion list for LON-CAPA users
Cc: Mills, Douglas G
Subject: Re: [LON-CAPA-users] Restricting Resources By IP Address

Here is what I'm finding. I'm using the IP address of my own computer for testing. At the course level I set !130.126.123.12 for the parameter "Client IP/Name Access Control [Part: 0]"  Then in a folder I choose to represent the exam to be taken in the testing center, I enter 130.126.123.12 for the same parameter at the folder level.

What I find is that with the course coordinator role I continue to see everything. That's no problem but means you have to switch to student role to test the results. As a student on my computer with that IP address, it works as I had hoped: I can access the content of the "exam" folder but everything else in the course shows up as "Not open to be viewed from this location" (note that if "Hide Closed Discussion" is not set to "yes" the discussions attached to problems continue to be visible even though the problems are not).

HOWEVER, when I go to a different computer -- emulating a computer outside of the testing center, NOTHING in the course is accessible. EVERYTHING in the course, the "exam" folder along with everything else, says that it is not open to be viewed from this location.

My theory then is that using the ! operator in front of the IP address either requires a syntax I'm not using (I've tried direction in front of the IP, with a space between ! and IP, and with ! followed by IP wrapped in parens...) or is simply not understood. Thus although it appears to work correctly on my computer because the exam is to be accessed only from my IP and nothing else is to be accessed, from any other IP address Lon-Capa is treating the !IP entry as an IP address to be matched and since nothing matches that, nothing is available...

Is that what's going on or is there yet some way to "blacklist" IPs we don’t want the content accessed from?

 Thank you!

Doug



Douglas Mills

Director of Instructional Technology

Department of Chemistry

University of Illinois




On 2/5/19, 11:35 AM, "LON-CAPA-users on behalf of Mills, Douglas G" <lon-capa-users-bounces at mail.lon-capa.org on behalf of dmills at illinois.edu> wrote:

    To clarify a bit further,  we are looking at presenting exams in a testing center. The testing center eliminates access to other IP addresses, so our interest is indeed eliminating access to other course materials  from the IP address of the student’s computer.  We do use the technique Stuart has outlined in many of our exams, locking out access to other parts of the course via the start timer. The concern in this case is that one thing the testing center would not manage well is the possibility that a student could log into the course and open additional course resources in other tabs before starting the exam timer. The testing center accommodates exams from multiple courses at one time and Lon-Capa will be a new means of delivery for them, so this possibility will not likely be monitored well.

    That said, if putting ! in front of a range of IPs in a slot works then my thought is to essentially put the whole course into a slot which excludes access to the course from the testing center range of IPs and then override that at the folder level for the exams themselves with a slot that only allows access from the testing center IP range. Does that sound feasible?

    Doug

    -sent from mobile-

    > On Feb 5, 2019, at 11:05 AM, Bynum, Lee Hamilton <leebynum at illinois.edu> wrote:
    >
    > It isn't a perfect match, but it's definitely a step in the right direction.  Thanks Stuart!
    >
    >> -----Original Message-----
    >> From: LON-CAPA-users <lon-capa-users-bounces at mail.lon-capa.org> On
    >> Behalf Of lira at egr.msu.edu
    >> Sent: Tuesday, February 5, 2019 10:55 AM
    >> To: 'Discussion list for LON-CAPA users' <lon-capa-users at mail.lon-capa.org>
    >> Subject: Re: [LON-CAPA-users] Restricting Resources By IP Address
    >>
    >> Slots block the IP address student where the student can log in, not the IP
    >> ranges that they access AFTER they are logged in. Just precede the IP address
    >> range with !. However, that does not do what you are seeking, which is to
    >> block browser access to certain IP ranges AFTER they are logged in.
    >>
    >> From: LON-CAPA-users [mailto:lon-capa-users-bounces at mail.lon-capa.org]
    >> On Behalf Of Bynum, Lee Hamilton
    >> Sent: Tuesday, February 05, 2019 11:31 AM
    >> To: lon-capa-users at mail.lon-capa.org
    >> Subject: [LON-CAPA-users] Restricting Resources By IP Address
    >>
    >> Hello Everyone,
    >>
    >> We've been working with Lon-Capa's ability to grant access to a resource by
    >> IP address in order to allow an exam to only be accessed when a student is in
    >> an exam room.  This can be done with slots and resources parameters.
    >> However, we would also like to deny access to resources (or courses)  by IP
    >> address.  That way when a student is in the exam room they have access to
    >> the exam but do not have access to the rest of the course.
    >>
    >> Does anyone know if there is a way to blacklist IP addresses for Lon-Capa
    >> resources or slots?
    >>
    >> Lee
    >>
    >> _______________________________________________
    >> LON-CAPA-users mailing list
    >> LON-CAPA-users at mail.lon-capa.org
    >> https://urldefense.proofpoint.com/v2/url?u=http-3A__mail.lon-2Dcapa.org_mailman_listinfo_lon-2Dcapa-2Dusers&d=DwIGaQ&c=nE__W8dFE-shTxStwXtp0A&r=VsGo3jOm8tGLd6f-KlhT-g&m=s8IOejp6nN6YJThbefI-mhf51S-K1nL8RfE4kC51Hm4&s=C5by9b4vH_ZzqbGs_dVJqBc750X_jgSxivIDIHH5iG4&e=
    > _______________________________________________
    > LON-CAPA-users mailing list
    > LON-CAPA-users at mail.lon-capa.org
    > https://urldefense.proofpoint.com/v2/url?u=http-3A__mail.lon-2Dcapa.org_mailman_listinfo_lon-2Dcapa-2Dusers&d=DwIGaQ&c=nE__W8dFE-shTxStwXtp0A&r=VsGo3jOm8tGLd6f-KlhT-g&m=s8IOejp6nN6YJThbefI-mhf51S-K1nL8RfE4kC51Hm4&s=C5by9b4vH_ZzqbGs_dVJqBc750X_jgSxivIDIHH5iG4&e=
    _______________________________________________
    LON-CAPA-users mailing list
    LON-CAPA-users at mail.lon-capa.org
    https://urldefense.proofpoint.com/v2/url?u=http-3A__mail.lon-2Dcapa.org_mailman_listinfo_lon-2Dcapa-2Dusers&d=DwIGaQ&c=nE__W8dFE-shTxStwXtp0A&r=VsGo3jOm8tGLd6f-KlhT-g&m=s8IOejp6nN6YJThbefI-mhf51S-K1nL8RfE4kC51Hm4&s=C5by9b4vH_ZzqbGs_dVJqBc750X_jgSxivIDIHH5iG4&e=


_______________________________________________
LON-CAPA-users mailing list
LON-CAPA-users at mail.lon-capa.org
https://urldefense.proofpoint.com/v2/url?u=http-3A__mail.lon-2Dcapa.org_mailman_listinfo_lon-2Dcapa-2Dusers&d=DwIGaQ&c=nE__W8dFE-shTxStwXtp0A&r=VsGo3jOm8tGLd6f-KlhT-g&m=s8IOejp6nN6YJThbefI-mhf51S-K1nL8RfE4kC51Hm4&s=C5by9b4vH_ZzqbGs_dVJqBc750X_jgSxivIDIHH5iG4&e=

More information about the LON-CAPA-users mailing list