This space is archived
For current information please use the current ExamSys documentation
Securing Pages
A requirement for specific authorisation can easily be added to any page by the inclusion of a relevant authentication script:
Permitted Roles | Include Script |
---|---|
SysAdmin | /include/sysadmin_auth.inc |
SysAdmin, Admin | /include/admin_auth.inc |
SysAdmin, Admin, Staff | /include/staff_auth.inc |
SysAdmin, Admin, Staff, Students | /include/staff_student_auth.inc |
SysAdmin, Admin, Invigilators | /include/invigilator_auth.inc |
Automatic Checks
On all pages secured using staff_auth.inc there are additional automatic checks made if the current user is staff:
$_GET['module'] | Checks the user is a member of the module. |
$_REQUEST['paperID'] | Check user owns the paper or is on a module that the paper is on. |
$_REQUEST['q_id'] | Checks the user owns the question or is on a module that the question is on. |
$_REQUEST['refID'] | Checks the user can access reference material. |
The way that this works is that if a page has staff_auth.inc included and has paperID is set on the URL then the authentication routine will automatically check if the current user is allow access. This saves performing a lot of specific checks within each script.
If the security checks fail the function display_notice_and_exit()
will be called which will display a suitable message to the user and stop the script immediately. It will also record a record of the attempted access in denied_log table.