catalyst / moodle-mod_scormremote Goto Github PK

In some testing I got an upgrade error, didn't grab the stack trace but it was barfing because the primarydomain column can't be null and it was I believe temporarily null during the upgrade. I had to fix it manually:

ALTER TABLE mdl_scormremote_clients ALTER COLUMN primarydomain DROP NOT NULL;

scormremote_clients
Unexpected index 'mdl_scorclie_pri_ix'.

Mostly consider the security downsides of doing this
Alternative add a runtime check if it isn't set

ie if someone puts in a full url with https then just strip this out and accept the domain gracefully

The MOODLE_39_STABLE is not actually compatible with Moodle 3.9 as it depends on core_files\archive_writer

I've pushed a version that works to https://github.com/andrewhancox/moodle-mod_scormremote/tree/39_compatible

https://adlnet.gov/projects/scorm/#scorm-versions-and-resources

https://wiki.creativecommons.org/wiki/ShareAlike_compatibility:_GPLv3

Should just be docs and third party xml

• This would be something you opt into at the site level
• Each student the first time they load any scorm would get the consent
• It could be either a consent or just a notification that data will be collected
• On later views it won't show

#5

This is as a result of the refactoring to meet type-safe equality operators

Not exactly sure what this means, might just be docs. Might be a new option

Scorm 1.2 has limit of 4096
Scorm 2004 has limit of 64000

Many scorms hit this limit

Most LMS's don't care about the limit

scorm again has it hard coded

We should make scorm again just emit a warning to the console but still accept it

This should actually log the user in via complete_user_login() and leave them logged in for this request (same as web services and token logins)

lib.php:scormremote_pluginfile() calls exit($OUTPUT->render_from_template(...)) to render output which results in a warning if debugging is enabled for the site: Debugging: Coding problem: $PAGE->context was not set....

Using Moodle 4.1.4+ (Build: 20230623) and mod_scormremote 2023070600 (44d5d9d).

Steps to reproduce issue

1. Step up a SCORM hosted on Moodle, generate the wrapper and add the wrapper to a remote LMS.
2. On the Moodle hosting the SCORM enable debugging.
3. On the remote LMS enter the SCORM.

Expected results

No warning in PHP error log on the server hosting Moodle.

Actual results

Warning in PHP error log on the server hosting Moodle:

[31-Aug-2023 16:13:22 Europe/London] Debugging: Coding problem: $PAGE->context was not set. You may have forgotten to call require_login() or $PAGE->set_context(). The page may not display correctly as a result in 
* line 567 of /lib/pagelib.php: call to debugging()
* line 1696 of /lib/pagelib.php: call to moodle_page->magic_get_context()
* line 1972 of /lib/setuplib.php: call to moodle_page->initialise_theme_and_output()
* line 250 of /mod/scormremote/lib.php: call to bootstrap_renderer->__call()
* line 5212 of /lib/filelib.php: call to scormremote_pluginfile()
* line 44 of /pluginfile.php: call to file_pluginfile()

Does a scorm which has 10 resources really need to have a wrapper which contains 10 stub SCO's? This means the wrapper has a lot more information encoded into it which ideally isn't present at all. This would limit the ability to swap out a scorm which has 10 sco's to one which has 11 seamlessly.

Before this issue kicks off lets be guided by real world scorms that this client will actually use. If all of their scorms use a single SCO then this issue will be back burner.

If a remote student completes the SCORM, on the Moodle site their completion status is not set to "Completed".

This appears to be because submit_completion.php has require_login(0, false) so the POST /mod/scormremote/submit_completion.php gets 303 See Other: /login/index.php.

mod_scormremote 2023070600 with Moodle 4.1.5+ (Build: 20230929).

The js at the top is a blocking load, so nothing under it will load until it has executed. Which means we could:

1. remove all the css and make the js file inject this
2. all of the div's and the onload init can all be done from the js file

OR

If we want something genuine to show if the js itself fails then

1. leave the css in place
2. move the js to the very last thing to load
3. have an animated loader, either more inline css, or maybe a single image so it's all off loaded back to the host

line 134 of /mod/scormremote/classes/client.php: ArgumentCountError thrown
line 39 of /mod/scormremote/submit_completion.php: call to mod_scormremote\client::get_record_by_domain

This does record data from it doesn't send it anywhere, it is import only from the other site. So I think technically this doesn't store user data even though it does.

I think the best next option is to implement it in a way that allows an admin to login as to this person and make data requests on behalf of that person. Or if the psuedo users ever get turned into real accounts then it will magically just work.

Tasks:

• implement a privacy provider that behaves correctly if somebody does a login as to the fake user
• or same same - if the user is converted from a fake user into a real manual account

Scorm Again is loaded here.
https://github.com/catalyst/moodle-mod_scormremote/blob/MOODLE_39_STABLE/lib.php#L242

eslint reports no-undef
https://github.com/catalyst/moodle-mod_scormremote/blob/MOODLE_39_STABLE/amd/src/layer3.js#L36

Skipping this test from WR #398963.
Check if this test is still needed. The class \mod_scormremote\client no longer has the 'domain' param.
https://github.com/catalyst/moodle-mod_scormremote/blame/1346fa3e6d304d9a6cff6c88b0df5c633eaac9d3/classes/client.php#L46

• firstly serve the unminified file to make it easier to debug
• when the moodle core settings are on for serving js unminified the server the original
• make sure the map file is working so we can always see the proper source

When loading in some envs the js is served as html and so won't load:

console message ' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled

The error pages are not actually error pages:

These should have a proper http error code, and it should probably be a 403 instead of a 401 which is going to ask for basic auth and isn't right

The third layer loads Javascript from jssource, which is liked as a .js file. When attempting to load this file errors end up loading init.mustache instead, which is returning the MIME type (“text/html”).

This can potentially cause the error page to not load based on how the browser handles this. A few examples:

• Firefox: xxx was blocked due to MIME type (“text/html”) mismatch (X-Content-Type-Options: nosniff)
• Chrome: Failed to load xxx because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.

• Have option to auto create a grouping called something like 'remote scorm clients'
• when you enrol auto create a group based on the client domain or id in the wrapper
• add the student to this group

ie we could redact the incoming data from the remote site so we have enough to identify and link records but do not record any personal identifying information PII

https://github.com/catalyst/moodle-mod_scormremote/blob/MOODLE_39_STABLE/classes/utils.php#L174-L201

If a user has already been created for one tier they can access other tiers even if the seat limit has been reached.

Steps to reproduce issue

1. In Moodle set up two courses, for example, Scormremote1 and Scormremote2.
2. Add a mod_scormremote instance to each course and upload a SCORM file.
3. Add tiers for each course, Scormremote1 and Scormremote2, with one seat each.
4. Add a client for the remote site (on mod/scormremote/clients.php) with course subscriptions to Scormremote1 and Scormremote2.
5. Download the wrapper files for both mod_scormremote instances.
6. On the remote site add two courses, Scorm1 and Scorm2.
7. Add one SCORM activity to each course with the wrapper from the corresponding Moodle course.
8. Add two students and enrol them on both courses.
9. Log into the remote site as student1 and enter the SCORM in course Scorm1.
10. Exit the SCORM and log out.
11. Log in student2 and access the SCORM in course Scorm2.
12. Exit the SCORM and log out.
13. Log in student1 and access the SCORM in course Scorm2.

Expected results

Error 402 | Subscription limit reached because there is only one seat for tier Scormremote2 and that is in use by student2.

Actual results

The SCORM is displayed. The Moodle site admin sees ( 2 / 1) for the seats in use for tier Scormremote2 under Manage clients (mod/scormremote/clients.php)

• split the admin UI into 2 forms, one for clients and one for a subscription
• each client subscription will be 1 client and 1 tier, but the tier could be changed. This means the 'subscription' has a unique internal id independent of the tier
• when you create or update a subscription, then auto create a cohort to match it which is tightly linked to this subscription id
• update its description so its obvious it is a 'managed' cohort BUT don't make it a real managed cohort as this means you can't manually edit the membership
• in the desc of the cohort have a link to the client subscription management ui
• remove all the existing logic which looks at enrollments in all the courses and unions them, this is complicated and overkill
• When auto enrolling check cohort size for seat counts first
• When enrolling add the person to the cohort
• The numbers inside a specific course should not matter
• If the cohort is emptied the users will still be in the courses and this is a way of resetting the seats each year

If I'm not wrong, the plugging fails -cannot read the database- when the tables prefix is different from mdl_ -the moodle default prefix. It occurs when downloading the wrapper

Added generic privacy provider. This needs to be reviewed.

• for when multiple clients use a 3rd party scorm host like scorm cloud
• under this it will mean that the list of domains is an allow list, so the scorm must match the client and it must also match the domain
• domains will now be able to be linked to more than one client
• cosmetic: make domains listed on new lines in admin ui
• we need a concept of a primary domain. So this could either be a new field, or perhaps it could be the first domain in the textarea. Latter is probably easier
• when auto creating a user if using a specific client id then make it based off the primary domain and not the domain in use (because its usually a generic one which isn't useful)

• all the errors in layer2 are just log or nothing, split these into errors or info etc like layer3
• each message should declare its level and use the right console method
• the default log level should be errors
• there seems to be a ton of red herring errors in the console even when it is working correctly. This might be a bootstrap order of operations issue?

The README says As learners on the remote site use the scorm, you will see accounts created in your Moodle and enrolments and completion status for those accounts. I want to make sure I understand the plugin's functionality and I don't think that's correct. Is there completion tracking of remote learners on the hosting Moodle?

Or is this an error in the README?

(Also asked this question on the plugin comments page).

Version information says mod_scormremote supports Moodle 3.9 to 4.0. But mod_scormremote\packagefile->download_wrapper() uses core_files\archive_writer which was introduced in Moodle 3.11 (MDL-68533).

Consequently clicking the Download button on mod/scormremote/wrapper.php?cmid=<ID> with Moodle 3.9 results in:

Exception - Class 'core_files\archive_writer' not found

More information about this error
Debug info:
Error code: generalexceptionmessage
Stack trace:

    line 139 of /mod/scormremote/classes/packagefile.php: Error thrown
    line 92 of /mod/scormremote/wrapper.php: call to mod_scormremote\packagefile::download_wrapper()

Maybe the lms admins of the N other embedding LMS's could have accounts in the host lms and could directly access the latest versions of all of the packages. Even better we could have a report which show all of the packages which have been used by a certain domain, AND which version they are on and what version is available and prompt them to download any which are newer, or which are not yet in use.

• Even simpler this page could be public but not advertised, and it accepts a client id and then produces the list of wrappers for that client.
• In the config for the client there could be a flag which says if the client id should be embedded in the wrappers or not

mod/scormremote/error.php sets the HTTP status with a corresponding message, for example, 402 | Subscription limit reached. But error.php has require_login() at the top (line 30) so the student never sees the error, just the login page of the Moodle site hosting the SCORM.

If I remove the require_login() students see any error messages (401, 402, etc.) as expected.

We know the sha1hash for each package and can use that in the pluginfile url so that all real scorm files can be served as immutable and public