Hi, I just noticed that you are able to see anyone lesson results even if you are not logged in, if you just write the precise url address to the result-page. For example: http://dev.opigno.org/node/13/results/1098 Is this working as designed? Of course it's not showing who has taken the lesson but I feel that it's too exposed at the moment...
Thank you very much for finding this issue, we had not notice it, it is a typo on our partInside the og_quiz_module, just substitute $items['node/%node/results/%quiz_rid']['access callback'] = 'og_quiz_get_user_results'; by $items['node/%node/results/%quiz_rid']['access callback'] = 'og_quiz_access_results'; I will create a major issue for this. Will be included in our next version (coming out later this week or next week)
In reply to Hi major, by James Aparicio
You are talking about the user/quiz/%/userresults?
Can you check that % is a valid result? (If the % exists in the table node_quiz_results as result_id)
If it is, do you mind checking if the quiz has been finished? and try accessing the result of a quiz that has been finished?
I suspect the access denied is for quizes that the user has not finished.