feat(student): join-form disclaimer + matrix-driven anti-cheat tests
The portal's hijack-recovery flow has a non-obvious fairness property —
asking the instructor to reset your slot zeros every already-closed
question (status: missed) regardless of who triggered the reset. That
makes false-hijack claims strictly self-penalising and forecloses
"ask for a reset to retry Q1" as an attack on engagement scoring.
Surface this contract to students before they join: a native
<details>/<summary> accordion under the join form, styled with the
warn-tinted token palette, lays out the rules in plain language. No JS
required; keyboard- and SR-friendly.
tests/test_hijack_matrix.py: 11 end-to-end tests walking the
{hijack y/n} × {reset y/n} matrix:
- Cell A baseline (normal play)
- Cell B1 false-claim self-penalisation (full credit + partial credit)
- Cell B2 self-cleared cookie -> same penalty path
- Cell C hijacker without recovery holds the slot; audit accumulates
- Cell D hijack + recovery zeros closed Qs, kicks hijacker, normal next Q
- D-during-open-Q lets re-claimer use the remaining opened_at clock
- DELETE /admin/api/students/* requires admin auth (otherwise the
recovery hatch becomes a hijacker tool)
- Repeated 409 attempts each accrue duplicate_join audit rows
- Stale post-recovery cookie cannot pollute the audit log
- Strict non-increase: even an instant-correct (1.00) is zeroed on reset
69/69 pytest green.
This commit is contained in:
ameer
@@ -160,7 +160,7 @@ function renderJoin(error = null) {
|
||||
<form id="join-form" class="card narrow stack">
|
||||
<header class="card-header">
|
||||
<h1>Join the quiz</h1>
|
||||
<p class="muted">Enter your student ID and name. The cookie is per-device; clear it to switch.</p>
|
||||
<p class="muted">Enter your student ID and name. The cookie is per-device.</p>
|
||||
</header>
|
||||
<label class="field">
|
||||
<span>Student ID</span>
|
||||
@@ -171,6 +171,17 @@ function renderJoin(error = null) {
|
||||
<input name="name" autocomplete="name" required>
|
||||
</label>
|
||||
${error ? `<p class="alert error">${escapeText(error)}</p>` : ""}
|
||||
<details class="join-disclaimer">
|
||||
<summary>Before you join — please read</summary>
|
||||
<ul>
|
||||
<li><b>Use only your own student ID.</b> Using another student's ID is academic misconduct and is logged.</li>
|
||||
<li>If you see <em>"This student ID is already in use"</em>, <b>do not retry</b> — every attempt is recorded. Tell the instructor and they will reset your slot.</li>
|
||||
<li>Asking the instructor to reset your slot will set <b>all already-closed questions to 0</b> (status: missed). This is permanent and applies whether or not the slot was actually hijacked.</li>
|
||||
<li>Do not clear your cookies during the quiz. Clearing them locks you out and recovery requires a reset (same penalty as above).</li>
|
||||
<li>Tab and window switches during a live question are logged for the instructor.</li>
|
||||
<li>This portal is for in-lecture engagement; attendance is taken on paper.</li>
|
||||
</ul>
|
||||
</details>
|
||||
<button type="submit" class="btn primary block">Join</button>
|
||||
</form>
|
||||
`);
|
||||
|
||||
@@ -1256,6 +1256,54 @@ h2.question-text.small {
|
||||
.options.student-reveal li.yours.correct::before { color: var(--correct-border); }
|
||||
.options.student-reveal li.yours.wrong-pick::before { color: var(--wrong-border); }
|
||||
|
||||
/* ---------- Join-form disclaimer accordion ---------- */
|
||||
|
||||
.join-disclaimer {
|
||||
border: 1px solid var(--border);
|
||||
border-left: 3px solid var(--warn);
|
||||
border-radius: 2px;
|
||||
background: color-mix(in srgb, var(--warn) 4%, var(--surface));
|
||||
padding: 0;
|
||||
font-size: 0.86rem;
|
||||
line-height: 1.45;
|
||||
}
|
||||
.join-disclaimer > summary {
|
||||
cursor: pointer;
|
||||
list-style: none;
|
||||
padding: 11px 14px;
|
||||
font-family: var(--font-sans);
|
||||
font-size: 0.74rem;
|
||||
font-weight: 700;
|
||||
letter-spacing: 0.16em;
|
||||
text-transform: uppercase;
|
||||
color: var(--warn);
|
||||
display: flex;
|
||||
align-items: center;
|
||||
justify-content: space-between;
|
||||
gap: 10px;
|
||||
}
|
||||
.join-disclaimer > summary::-webkit-details-marker { display: none; }
|
||||
.join-disclaimer > summary::after {
|
||||
content: "+";
|
||||
font-family: var(--font-mono);
|
||||
font-weight: 600;
|
||||
font-size: 0.95rem;
|
||||
letter-spacing: 0;
|
||||
color: var(--warn);
|
||||
transition: transform 0.18s ease;
|
||||
}
|
||||
.join-disclaimer[open] > summary::after { content: "−"; }
|
||||
.join-disclaimer > ul {
|
||||
margin: 0;
|
||||
padding: 0 18px 14px 32px;
|
||||
display: grid;
|
||||
gap: 6px;
|
||||
color: var(--text-soft);
|
||||
}
|
||||
.join-disclaimer > ul li { padding-left: 2px; }
|
||||
.join-disclaimer > ul li b { color: var(--text); font-weight: 600; }
|
||||
.join-disclaimer > ul li em { font-style: italic; color: var(--text); }
|
||||
|
||||
/* ---------- Live presence panel (admin) ---------- */
|
||||
|
||||
.presence-panel { padding: 18px 20px 16px; }
|
||||
|
||||
Reference in New Issue
Block a user