Remove the filtering of large courses on the course admin "Manage OTP Secrets" page and fix security vulnerability. #2718


Open: wants to merge 2 commits into base branch develop.
Conversation

drgrice1 (Member)

This page loads quickly regardless of whether these courses are filtered out. Furthermore, the menus are generally responsive even when these large courses are included. The only case where something is a bit slow is when, on the "Copy Single Secret" tab, the selected "Source Course ID" is one of these large courses. In that case, if you click on the "Source User ID" it takes some time for the dropdown menu to appear, and even then it has to be an astronomically large course for that to be slow (more than 20,000 users). However, even if the large courses are included, as long as a large course is not selected the menus are quick.

It is interesting that the multiple select elements on the "Copy Multiple Secrets" tab are still fast even with astronomically large courses. It is just the single select elements on the "Copy Single Secret" tab that experience a noticeable slowdown.

In any case, the point is that there is no reason to filter these courses. Doing so just adds unnecessary steps for the user.

@somiaj: This is probably not the direction you thought this would go!

@drgrice1 (Member, Author)

Note that I haven't tested copying a large number of OTP secrets. Looking at the code I can see that that is going to need work. I expect that this will be exceedingly slow, in fact. I see that not only is there heavy database access in for loops, but there is even construction of database objects inside user loops. Unfortunately, getting a large number of users with OTP secrets to work with and test things is a problem in itself.

@drgrice1 (Member, Author)

Actually, it wasn't so hard to set up a basic test case. I just copied one OTP secret to all the users in the database. With initial testing it seems that things aren't that bad. There may be some improvement that could be done, but things are not drastically slow. I realized that @somiaj implemented caching of constructed database objects in the loop (I missed that in my quick assessment before), so that part doesn't actually slow things down.

I am not sure that it is worth it to do much here since things are not that bad.

@drgrice1 (Member, Author)

I just noticed that there is a security vulnerability on this page. The page should prevent the current user in the admin course from modifying their own OTP secret in the admin course in any way. They should not be able to reset their own OTP secret and should not be able to overwrite their OTP secret with one for any user in another course by copying from that course. It is probably okay to allow them to copy their OTP secret to another course, I suppose. Although that is certainly questionable.

drgrice1 force-pushed the manage-otp-remove-large-course-restrictions branch 3 times, most recently from 7028aa4 to 2a5146a on April 24, 2025 15:22.
@drgrice1 (Member, Author)

This now also prevents a user in the admin course from modifying their own OTP secret. So this is now a security vulnerability pull request as well.
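The authorization rule described in the two comments above (no reset of, and no copy over, the logged-in admin-course user's own OTP secret, while copying it out to another course stays allowed), modelled as an added Python example; this is not webwork2's own Perl code, and the admin course name, request fields and user ids are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed name of the course admin course (not taken from the PR).
ADMIN_COURSE = "admin"


@dataclass(frozen=True)
class OtpRequest:
    """One action submitted from the Manage OTP Secrets page (hypothetical model)."""
    action: str                        # "reset" or "copy"
    actor: str                         # user id of the logged-in admin-course user
    target_course: str                 # course whose secrets are written
    target_users: tuple[str, ...]      # users whose secrets are written
    source_course: str | None = None   # only for "copy"
    source_user: str | None = None     # only for single-secret "copy"


def writes_own_admin_secret(req: OtpRequest, admin_course: str = ADMIN_COURSE) -> bool:
    """True when the request would reset or overwrite the actor's own secret in the
    admin course, whether it came from the reset, single-copy or multiple-copy tab."""
    return req.target_course == admin_course and req.actor in req.target_users


def authorize(req: OtpRequest, admin_course: str = ADMIN_COURSE) -> tuple[bool, str]:
    """Return (allowed, reason). Reading the actor's own secret as a copy *source*
    for another course is left allowed, as the PR discussion suggests."""
    if req.action not in ("reset", "copy"):
        return False, f"unknown action {req.action!r}"
    if req.action == "copy" and not req.source_course:
        return False, "copy requires a source course"
    if writes_own_admin_secret(req, admin_course):
        return False, "refusing to modify the current user's own OTP secret in the admin course"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: alice, logged in to the admin course, tries to overwrite
    # her own admin-course secret with carol's secret from math101.
    print(authorize(OtpRequest("copy", "alice", "admin", ("alice",), "math101", "carol")))
```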

drgrice1 changed the title from "Remove the filtering of large courses on the course admin "Manage OTP Secrets" page." to "Remove the filtering of large courses on the course admin "Manage OTP Secrets" page and fix security vulnerability." on Apr 24, 2025. Commit message:
… Secrets" page.

This page loads quickly regardless of whether these courses are filtered out.
Furthermore, the menus are generally responsive even when these large
courses are included.  The only case where something is a bit slow is
when, on the "Copy Single Secret" tab, the selected "Source Course ID" is
one of these large courses.  In that case, if you click on the "Source
User ID" it takes some time for the dropdown menu to appear, and even
then it has to be an astronomically large course for that to be slow
(more than 20,000 users).  However, even if the large courses are
included, as long as a large course is not selected the menus are quick.

It is interesting that the multiple select elements on the "Copy
Multiple Secrets" tab are still fast even with astronomically large
courses.  It is just the single select elements on the "Copy Single
Secret" tab that experience a noticeable slowdown.

In any case, the point is that there is no reason to filter these
courses.  Doing so just adds unnecessary steps for the user.
drgrice1 force-pushed the manage-otp-remove-large-course-restrictions branch from 8841730 to 8b735a0 on April 24, 2025 17:02.
drgrice1 force-pushed the manage-otp-remove-large-course-restrictions branch from 8b735a0 to 84e1e17 on April 24, 2025 17:03.