apps/quiz
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(student): join-form disclaimer + matrix-driven anti-cheat tests

Browse Source 
The portal's hijack-recovery flow has a non-obvious fairness property —
asking the instructor to reset your slot zeros every already-closed
question (status: missed) regardless of who triggered the reset. That
makes false-hijack claims strictly self-penalising and forecloses
"ask for a reset to retry Q1" as an attack on engagement scoring.

Surface this contract to students before they join: a native
<details>/<summary> accordion under the join form, styled with the
warn-tinted token palette, lays out the rules in plain language. No JS
required; keyboard- and SR-friendly.

tests/test_hijack_matrix.py: 11 end-to-end tests walking the
{hijack y/n} × {reset y/n} matrix:
- Cell A baseline (normal play)
- Cell B1 false-claim self-penalisation (full credit + partial credit)
- Cell B2 self-cleared cookie -> same penalty path
- Cell C hijacker without recovery holds the slot; audit accumulates
- Cell D hijack + recovery zeros closed Qs, kicks hijacker, normal next Q
- D-during-open-Q lets re-claimer use the remaining opened_at clock
- DELETE /admin/api/students/* requires admin auth (otherwise the
  recovery hatch becomes a hijacker tool)
- Repeated 409 attempts each accrue duplicate_join audit rows
- Stale post-recovery cookie cannot pollute the audit log
- Strict non-increase: even an instant-correct (1.00) is zeroed on reset

69/69 pytest green.
This commit is contained in:
ameer
2026-05-04 16:50:11 +08:00
parent 3252ccb2ec
commit 1eadad3228
3 changed files with 355 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
static/quiz.js
View File

@@ -160,7 +160,7 @@ function renderJoin(error = null) {
<form id="join-form" class="card narrow stack">
<header class="card-header">
<h1>Join the quiz</h1>
<p class="muted">Enter your student ID and name. The cookie is per-device; clear it to switch.</p>
<p class="muted">Enter your student ID and name. The cookie is per-device.</p>
</header>
<label class="field">
<span>Student ID</span>
@@ -171,6 +171,17 @@ function renderJoin(error = null) {
<input name="name" autocomplete="name" required>
</label>
${error ? `<p class="alert error">${escapeText(error)}</p>` : ""}
<details class="join-disclaimer">
<summary>Before you join — please read</summary>
<ul>
<li><b>Use only your own student ID.</b> Using another student's ID is academic misconduct and is logged.</li>
<li>If you see <em>"This student ID is already in use"</em>, <b>do not retry</b> — every attempt is recorded. Tell the instructor and they will reset your slot.</li>
<li>Asking the instructor to reset your slot will set <b>all already-closed questions to 0</b> (status: missed). This is permanent and applies whether or not the slot was actually hijacked.</li>
<li>Do not clear your cookies during the quiz. Clearing them locks you out and recovery requires a reset (same penalty as above).</li>
<li>Tab and window switches during a live question are logged for the instructor.</li>
<li>This portal is for in-lecture engagement; attendance is taken on paper.</li>
</ul>
</details>
<button type="submit" class="btn primary block">Join</button>
</form>
`);