Hi Abigail
I've tried to replicate this. The way I've done it is by making a directory available - and so students can copy and paste the link to the file, even though it has not been added to the resource list on the course page. Is this what you mean?
Ken
Hi Abigail
I understand the problem now. A couple of points:
$CFG->preventaccesstohiddenfiles = Yes;
- In the course directory folder, create a folder called ".protected" (or anything as long as it has a full-stop as the first character).Hope this helps!
Ken
Hi,
Thanks a lot. I will try and let you know.
Best,
Abigail
Hi,
As far as I understand from the forum you directed me to, it means that the problem still exist. Do you know if there is ane intention to fix it?
It means that to use the "hide tool" is not safe.
In any case if I would like to display the protected file I will have to copy it to another directory, right?
Thanks again,
Abigail
Yes. Create a protected directory as in the previous post and students will not see the files.
Ken
Dear Ken,
Sorry it's me again.
I did exactly how you told me but it did not work.
Any suggestions?
Best,
Abigail
Abigail
Can you please try as follows:
So, this means that only staff can access the files in the .protected folder. I have not tried to copy and paste the URL of a protected file - so please try this also!
Ken
Hi,
Thanks for being so patient. I did exactly what you told me.
Here is the path in my local computer
The address in the administration block : http://127.0.0.1/file.php/2/.protected/moodlep1.ppt
I was able to link this file to the course page
the address is : http://127.0.0.1/mod/resource/view.php?id=39
I entered as a student and could see the file with
http://127.0.0.1/file.php/2/.protected/moodlep1.ppt
I attached my config.php
I am curious.............
Abigail
Ken,
This doesn't work. Below is a link to a file I've uploaded to a course files area. The course is set to allow guest access and autologin guests. So, when you click on the link, it should take you directly to the file.
http://www.kentuckyclassroom.com/teacher/file.php/223/.protected/hello.pdf
Here is the link to that course
http://www.kentuckyclassroom.com/teacher/course/view.php?id=223
Also, my moodle_data directory is outside the public_html folder.
It looks like moodle allows anyone with access to a course, to have access to any file in the files directory...all the student need do is figure out the url.
I don't think this is a security problem as far as Moodle goes, but I do think this in not well understood by most people...I've been working with Moodle for a few years and I didn't understand it until this post. It seems to me that "logic" would lead a person to believe anything they placed in the files folder in the teachers administration area would only be available to teachers of that course (and site admin of course) unless they made the file available to others...but, it seems that is not the way it works. Bottom line....there is no "protected" files storage area in Moodle for teachers (at least in a default install), without maybe creating a closed course (with no students) and using that to store files.
It's logical that teachers would want to store private files in their courses....quiz keys, memos, student evaluations, etc, and it's logical that they would "assume" the files area would be a place to do that....however, as we see here, that will not work....(well, it will work, but their students could access them)
There has always been the warning that files placed in the "site files" area are available to everyone. It seems that files placed in the course files area are available to everyone in the course. This makes more sense to me now...bottom line, if a person has access to a course (and the site--frontpage of Moodle--is just another course--course 1), then they have access to all files stored in that course.
Maybe there is a way to protect a subdirectory in the files area, but it seems that placing a "." at the beginning of the directory doesn't do it.
Now, all of this could be wrong....this is just the the way I understand it from my experimenting.
Steve
Abigail & Steve
After spending the last few days retrying this, I have to apologise and agree that it does not work.
I originally got the idea from these lines of code in edit.php:
// security: some protection of hidden resource files
// warning: it may break backwards compatibility
if ((!empty($CFG->preventaccesstohiddenfiles))
and (count($args) >= 2)
and (!isteacher($course->id))) {
$reference = ltrim($relativepath, "/{$args[0]}/");
$sql = "SELECT COUNT(r.id) " .
"FROM {$CFG->prefix}resource r, " .
"{$CFG->prefix}course_modules cm, " .
"{$CFG->prefix}modules m " .
"WHERE r.course = '{$course->id}' " .
"AND m.name = 'resource' " .
"AND cm.module = m.id " .
"AND cm.instance = r.id " .
"AND cm.visible = 0 " .
"AND r.type = 'file' " .
"AND r.reference = '{$reference}'";
if (count_records_sql($sql)) {
error('Access not allowed');
}
}
When I tried this, it appeared to work - but I can confirm that it was an issue with the server I was using (!) Maybe a developer with greater knowledge than I have can tell me why the code does not work.
From Abigail's initial post, it seems as if this would be a good feature suggestion! Agree?
Ken
