25. Internationale ILIAS-Konferenz

Jetzt Tickets sichern / Order Tickets now!

Feature Wiki

Information about planned and released features

Tabs

Test: Increase flexibility in specification of IP address restrictions

Page Overview

[Hide]

1 Initial Problem

With Test: Add IP Ranges as Access Constraint to Test Settings, we have the ability to restrict test access via IP ranges. While a very neat feature in and of itself, we find that simply restricting IP ranges based on a upper and lower bound can be restrictive or even incompatible with networking setups across different institutions, where a specific exam room might not have a specific coherent segment of IP addresses, but instead simply a set of IP addresses. 

2 Conceptual Summary

To fix this, we propose a rework of the existing Test: Add IP Ranges as Access Constraint to Test Settings feature in order to support the following:

Settings for individual IP addresses need to be reworked in order to only support one IP address or IP address block in CIDR-notation.

Sidenote: While all of the IP addresses in the examples are IPv4 for the sake of readability, we are also advocating for support of IPv6.

3 User Interface Modifications

3.1 List of Affected Views

  • ParticipantTableIpRangeAction (and modal associated with modifying the IP range of an individual participant)
  • SettingsAccess
  • The table displaying individual test participants
  • The search filter for individual test participants

3.2 User Interface Details

In the test settings, it would only be possible to add IP ranges (per name) that are defined in the ILIAS Administration (see Add page for globally defining IP ranges), single IP addresses, and IP addresses in CIDR-notation.It is no longer possible to define IP ranges in the test settings.

For client ranges (the setting is located at the participant tab), it would also only be possible to add IP ranges that are defined in the ILIAS Administration, one(!) single IP address, and IP addresses in CIDR-notation.It is no longer possible to define IP ranges in the client range prompt/modal!

The mockups are showing an IP range, a CIDR notation style, and a single IP address. As of the nature of a mockup, the styling could be changed during the implementation. Also, the IP range shown here, although it is shown as "192.168.178.1-192.168.178.161" this is only the label of the defined IP range from the administration. It is also possible to show "PC Pool 212" as the label of the range.

The views that will need to be modified are

  • the modal for changing allowed IP ranges for individual participants
  • the table displaying individual test participants
  • the search filter for individual test participants
  • the segment of "Access" settings which allows for the specification of IP ranges. 

The new input for IP ranges will be implemented using the "Tag" input field. This allows for the specification of multiple IP ranges. Autocomplete can then be implemented in order to suggest names of predefined IP ranges (see Add page for globally defining IP ranges)

The filter option operates exactly identical to the way it's currently handled with the "From"- or "To"-IP-range filters. When displaying defined IP ranges within the table, they are comma-separated.

In order to achieve this check from a technical standpoint, class.ilTestAccess.php will need to be modified. Instead of checking whether a given client IP address is within the preset range, it will be necessary to iterate over every entry made in the settings process ("every tag") and check the client IP address against every option individually. See the current implementation of the IP access check and our variant for more information.

3.3 New User Interface Concepts

None

3.4 Accessibility Implications

None, as far as we know off.

4 Additional Information

4.1 Involved Authorities

If this request is related to multiple components, please list both authorities for all related components.

4.2 Technical Aspects

With this feature, a database migration will be necessary (as currently there are two columns, "ip_range_from" and "ip_range_to" in the database). This solution would require additional parsing however. In our current mockup, parsing would then encompass:

  1. Splitting the database entry with explode
  2. Checking whether a "-" (dash, for ranges), "/" (slash, for subnets in CIDR-notation) or neither (assume individual IPv4 or IPv6 address) is present
  3. Checking whether the client IP address falls within any of the specified IP ranges.

This would, however, require iterating over all set IP range entries. We acknowledge the presence of performance implications with this, but do conclude them to be negligible (or minor at worst).

Implementing the necessary migration would be trivial (create new column, merge values of old columns into one, separated by "-" (dash), drop old columns). Exports from prior ILIAS versions would also require additional support (effectively the same migration steps) when importing into a version with this feature implemented.

4.3 Privacy

This feature does not introduce any new privacy issues, as it merely expands upon the concepts previously introduced in Test: Add IP Ranges as Access Constraint to Test Settings.

4.4 Security

This feature does not introduce any new security issues, as it merely expands upon the concepts previously introduced in Test: Add IP Ranges as Access Constraint to Test Settings.

4.5 Contact

Author of this request: Meißner, Bastian [simple_oaktree]
This request was created in association with Roeser, Nico [nicoroeser].

Please contact the T&A authority if you plan add this to the JF agenda and/or if the PR needed to be reviewed: Strassner, Denis [dstrassner].

4.6 Funding

Funding status and funding parties are listed in the block 'Status of Feature' in the right column of this page.

If you are interested to give funding for this feature, please get into contact with the person mentioned above as 'Contact'.

The University of Regensburg is planning to implement this (incl. Unit tests and suggestions for test cases). After discussing with the relevant authorities, funding will still be required for reviewing this feature upon completion.

Strassner, Denis [dstrassner], 21 MAY 2026: Currently the University of Regensburg, the University of Bonn, and the KIT have offered funding. I contacted them to specify the concrete amount of funding they are willing to provide.Please contact me if your institution could also provide funding.

5 Discussion

Kergomard, Stephan [skergomard], 24. FEB 2026: As I understand this, this would introduce a place to administrate IP ranges in the administration settings of the Test. From where I stand this would be completely out of scope: The Test should never administrate IP ranges. From where I stand this should be two requests: One to introduce an administration for IP ranges in ILIAS in general and a second one to then use it in the Test (and then, to even remotely justify implementing this feature, probably more to introduce it in all places where IPs can be specified). This IP ranges could e.g. also be used to administrate access to the platform as a whole. I'm strictly against introducing the ranges in the administration of the test.

Sesterhenn, Fabian [sesterhenn], 25. FEB 2026: Please explain further why this request is "completely out of scope" for the test. As of right now, the test already supports limiting access to itself via IP address. Because of that I would say this request falls within the scope of the test.

Kergomard, Stephan [skergomard], 25. FEB 2026: If I'm understanding my post correctly, I didn't write that. I wrote that the administration of the IP ranges is out of scope for the test. A test allows to administer questions, responses, and grading, but not IP ranges. The article already specifies that there might be other uses for this option which is another strong hint that this doesn't belong inside the Test. But this request is labeled as pertaining to the Test and I'm specifying that most of it doesn't and that thus there are actually two requests with different scopes inside this one.

Rabah, Rachid [rabah], 27. FEB 2026:  I fully back Fabian's point. The Test already restricts access by IP, so supporting multiple ranges is a natural evolution of existing functionality and not a new concept. The need is real and shared across several institutions. Splitting this into a global IP administration plus a separate Test integration may be architecturally cleaner in therory, but delay a feature that is needed now for exam operations. Nothing in this FR prevents a system-wide approach later; but that possibility should not block a concrete, well-defined, and funded request.

Sesterhenn, Fabian [sesterhenn], 27. FEB 2026: My argument would be that users already can enter "ranges" of IP addresses by simply stringing them together. Not the same I know and I can see Stephans point. For us at THK this FR would be very welcome, but it isn't time-critical. And if there are indeed more use cases for a clean administration of IP ranges we should push this approach.

Meißner, Bastian [simple_oaktree], 26. MAR 2026: We have rewritten this feature suggestion to only include further customization options for IP ranges. Naming for such IP ranges will be handled through Add page for globally defining IP ranges.

Nishino, Kenji [kentoni], 20. APR 2026: We consider this feature to be very useful and already have a corresponding plugin that allows us to manage IP addresses flexibly during an examination. Having the IP address restriction within the test object makes sense, as it allows us to control access from different rooms within our examination pool. At the same time, students requiring special arrangements can sit the exam from external locations. This ensures maximum flexibility whilst maintaining security. 

Hoyer, Philip [philiphoyer], 04. MAY 2026: I agree to Kenjis comment. KIT does very much welcome the ability to include multiple IP ranges in CIDR-notation for IPv4 and IPv6 addresses for restricting access to tests. This would allow as to conduct examinations in the specified pool rooms without having to lock the examination instance via web server config change or taking other measures. The same applies to the https://docu.ilias.de/go/wiki/wpage_8863_1357, which should enable trained examiners to restrict access to the exams by themself. If funding or testing for this feature is needed, please do not hesitate to contact me.

Strassner, Denis [dstrassner], 21 MAY 2026: Please note that this feature will only be part of trunk if his partner's feature, Add page for globally defining IP ranges also approved through the JourFixe and merged to trunk before this feature. We have discussed this condition with Nico and Bastian, and they agreed upon this. 

6 Implementation

Feature has been implemented by {Please add related profile link of this person}

6.1 Description and Screenshots

{ Description of the final implementation and screenshots if possible. }

6.2 Test Cases

Test cases completed at {date} by {user}

  • {Test case number linked to Testrail} : {test case title}

6.3 Privacy

Information in privacy.md of component: updated at {date} by {user} | no change required

6.4 Approval

Approved at {date} by {user}.

Full Screen

Last edited: Yesterday, 15:10, Strassner, Denis [dstrassner]