Just to let everyone know, Moodle 1.9.3 includes a new capability, moodle/role:safeoverride, which allows a user to override capabilities that do not have major risks attached to them. Thus, admins can enable teachers to make safe overrides in their courses, such as allowing students to rate forum posts, or creating an archive forum etc.
For more details, please see Capabilities/moodle/role:safeoverride, Override permissions and Allow role overrides in the documentation. (Further page updates still to do. )
Finally, a big THANK YOU to Petr for developing this roles improvement!
I just created MDL-15841 "moodle/role:safeoverride should be Not set by default in the Teacher role"
Let me explain some of the background that led to this particular question, which is:
"Should teachers have the ability to safely override roles in their own courses BY DEFAULT in new installations of Moodle (or should they wait until the administrator allows them to do this)?"
I think they should be able to, because:
- I generally want to empower teachers with all the features of Moodle
- There was much criticism previously about the way some settings "disappeared" in Moodle 1.7 when we added roles (In forums, database activities, course settings etc) because they were moved to the overrides page.
- That move was made for security to protect teachers from some risks, but the new safeoverride option now only allows teachers to override capabilities that are without risks so that reason is gone.
- We only do it on new sites. Sites with roles who are upgrading from 1.6 or any other version prior to 1.9.3 will not have any defaults changed.
- Administrators can still decide what they want - we are just talking about a default for an existing checkbox.
- Teachers who don't understand it don't have to use it, but having it available does at least give them a chance to learn about overrides and permissions
- Overrides at module level are not anywhere near as complex as the situations Administrators have to deal with.
So that was my reasoning. If there is some obvious consensus that this was a bad decision then I'm happy to leave this default to off!
Thank you for starting this discussion! I hope we get lots of input, especially from people who have a stake in teacher training and consulting because this is going affect them most.
I'll start off the discussion by saying that I take issue with the way the question is phrased. You say
"Should teachers have the ability to safely override roles ...
I think the definition "safe" implicit in your question is too narrow. Yes, safeoverride eliminates cross-site scripting risk, spamming risk, etc. by removing the ability to override certain permissions. This leaves the presumably "safe" permissions that teachers can change, the ones that you refer to as "capabilities that are without risks." But how are they "without risks" when their misuse can lead to chaos in the classroom? We are neglecting perhaps the most important risk of all: "Ruining the learning experience risk."
The only way to avoid RLE risk (apologies to Richard Enison ) is to not allow safeoverriding by default. The administrator can grant safeoverride ability selectively to teachers who have been trained and tested. It's done using a simple delegation pattern.
When you can override, you can see the inner workings of roles, and you need a sophisticated understanding role internals. IMO you need to understand roles at the same level as the administrator. I can't think of a counterexample, i.e., something that the administrator needs to know that you don't.
Saying this will "give [teachers] a chance to learn about overrides and permissions" is like saying we should give car keys to our children so they can learn about driving. Administrators have had plenty of time (almost a year!) to learn about roles and capabilities, and I'm still waiting to meet the admin who really knows what he or she is doing.
OK, administrators, Quiz time: What do the highlighted cells on the override permissions page mean? What is "Inherit"? Now if administrators can't answer these questions, what makes us think teachers will be able to? On day one, with no training whatever?
I should also point out that we have many administrators who are using Moodle in compatibility mode (predefined roles only, everything as it comes "out of the box"). Now their teachers are going to be able to override roles?
Since RLE risk doesn't seem to be that much of a concern, let's consider risks that we can all agree are serious ones. I guess the ones that are considered "safe" are the ones without risk icons. OK, here's one: moodle/site:accessallgroups ("Access all groups"). Scenario: Teacher overrides Student in activity context, setting moodle/site:accessallgroups = Allow. A student discovers that Sally is a "classified" student and tells all his friends. Sally's parents sue the school. It is clearly not the students' fault. It is also not the teacher's fault; her lawyer successfully argues that she did not receive any safety training. The administrator argues that he never checked the default, since Moodle defaults always err on the side of safety. The school pays a fortune in damages and the administrator is looking for a new job.
The administrator would vote for a default of Not set!
While the earlier complaints about lost setting were valid, the things have changed since then a bit. The concern of John that many sites won't be aware of this new feature is real. Actually, the fact that this setting will be different when upgrading from 1.5, from 1.8, and new sites speaks for keeping it "off". This can only lead to confusion otherwise.
BTW, I would not refer to this new feature as safely overwriting permissions but as overwriting safe permissions. There is not such a thing as safe overwrite.
I love your distinction between overriding safeley vs. safe overriding. You're right: "safe overriding" is an oxymoron!
In the tracker, I said that there is a better solution to the forum settings problem, one that does not involve overriding. I'll have it in the docs by later today.
I think we would much prefer the default to be off. As admins, you could easily grant the setting on a selective basis. It seems to me that you might base this decision on expected need rather than whether it is possible or not. For example:
My instructors seem to fall into 3 broad categories (as might be expected)--those who will never even look at the setting because they have no need, those who will look and call before they do anything, and a very few who will click a lot of radio buttons and find out they have a problem later! I am not denigrating any of these groups, but I think the largest number fall in the first group and then a very small number into the third group. Either way, the majority of our users would probably be better served by this particular setting not being granted as default.
After all, in time, won't we all acquire a great deal of knowledge about roles and how to use them? This conversation might not even be important in 3 more versions of moodle. It seems to me that it takes a very long time for such knowledge to become transparent for the majority of users (and I count myself in this group). We try, we fail, we discuss, we advise, and it eventually becomes something we take for granted. I am not there yet, and I think a lot of other people are somewhere along the road, but not at the end point!
In summary, I am in favor of having this capability, and I agree with Robert's comment that it be called "overriding safe permissions", but I would prefer to delay making the setting a default.
Just my 2 cents.
this *is* a useful new feature and all you say is true BUT from my experiences supporting (thousands) of real users I think it misses one or two points....
* Teachers have no concept whatsoever of roles for the most part. Even if you provide these facilities they will not use them because they don't know they are there
* Running on from that, the features that where "lost" in 1.7 (for example, the finely grained control over forum use) really where lost for ever. Newer users have no idea that these facilities exist and older ones inevitably decide not to bother when you explain what's involved ("that's nice, can you do that for me?").
As to this default setting, I'm certainly not passionate but I think my vote would be for "off". It's stuff teachers are going to fiddle with that they won't understand and will get into a mess. As an aside, I'd really like to see "restore defaults" buttons every where roles settings lurk. I think this capability would be added to my little list of things to allows turn off before realeasing a new site to make support tollerable.
I guess you could say that this could/should be addressed by user training, but my experience has been that training only ever gets a tiny percentage of the user base however hard you try. For the rest everything needs to be reasonable simple and unthreatening. The simple fact that we are dicussing this means the feature should be off I guess is what I am saying.
Just my $00.02.
I'll make sure the default setting is removed from 1.9.2+ (it won't have been in any weekly build, so no harm done).
For Moodle 2.0 I strongly believe we need to revisit this issue later together with all the other roles-related improvements that are planned and desired. I think we also need to work on educating/informing admins about roles settings to help them set their sites appropriately, perhaps as part of the upgrade/install process.
It would be sad if the combined intelligence of this group can't come up with better interfaces for admins and teachers that can allow us to SAFELY (in all senses of the word) put this sort of power in the hands of teachers!
Further discussion about this probably should be moved to "Moodle.org design"
Hi John, thanks for your invitation to the discussion. I red a print out of the discussion while I was travelling by plane and train last hours.
I didn't agree with most of the argumentation. I really understand some of the discussed problems.
In the discussion I see a difference between a general view (Martin wrote about it) and new roles of teachers and students and the process of learning and teaching. On the other hand relevant argumentations about teaching peoples in organizations that mostly teach in a conventional way.
I remember Moodle pre 1.7 . Every teacher could give each student full teacher permissions and nobody had problems about this. Now we have an option that teacher can define it , if they want. I don't see the risks you and others described very drastical.
Did we really need such control about teachers? Didn't we trust that teachers know what they do? Teacher can teach the students every day and every lesson and nobody controls in detail what they really do.
But I think there is an other problem behind the discussion. We need a more transparent list of changes for new versions. I know, there is complete list of changes in the docs. But this list is a mix of relevant changes of features and bug fixe. Most admins didn't read this detailled list. We need a better readable list for normal admins that contains version changes and descriptions. My idea is that this list is more interesting for standard admins and a good starting point for internal training plans
But whilst I think that having the capability is absolutely great, and I know we are indebted to Petr, I'm with John Isner on this one: it should not be a default in the Teacher role!
Almost every single HELP! - IN DIRE DISTRESS post in General Problems forum falls into one of two, no three, categories, either: 'I've changed a role and things don't work the way they should', 'I've deleted something I shouldn't have!', or 'I haven't read/understood the documentation'.
Either way, Moodle is amazingly powerful, but with that power comes an awful lot of responsibility. And it is a steep enough learning curve for new Admins, without passing some of these responsibilities on to hard-pressed teaching staff.
So I too would appreciate a re-think, even if the consensus produces the same result.
Very best regards to all,
If we start with the premise that the people i.e. teachers, trainers, instructors, course designers, facilitators that we allow to create courses or engage with our learners are competent to do so then surely we should have sufficient confidence in them to allow them to modify the permissions for their online spaces and activities.
I imagine it’s fair to assume that the majority of teachers (I use this term as shorthand for all of the roles above) who encounter Moodle come with prior experience in face to face or ODL where the expectation is to be able to set parameters carefully with the outcomes of the activity/course/programme in mind and to be able to adapt (often within agreed boundaries) in order to best meet the needs of a particular cohort.
If we accept that teachers (again used as shorthand) are competent in other mediums for learning then why (oh, why) should they be hamstrung in an online medium – Moodle in this instance? Why restrict their ability to adapt and react here?
Addressing some of the points raised so far in this discussion:
1. @Martin, Petr
I’m not convinced that an arbitrary list of capabilities is appropriate. Who is to decide what is safe? This will vary based on a host of issues by organisation.
From Martin’s list:
1. I generally want to empower teachers with all the features of Moodle.
2. There was much criticism previously about the way some settings "disappeared" in Moodle 1.7 when we added roles (In forums, database activities, course settings etc) because they were moved to the overrides page.
Yes, this is an issue. But mainly because site admins (through lack of understanding, fear, or some unspoken objection) do not allow teachers the option to override permissions.
3. That move was made for security to protect teachers from some risks, but the new safeoverride option now only allows teachers to override capabilities that are without risks so that reason is gone.
As above, “safe” is in the eye of the beholder.
5. Administrators can still decide what they want - we are just talking about a default for an existing checkbox.
Refer to my “safe” comments above.
6. Teachers who don't understand it don't have to use it, but having it available does at least give them a chance to learn about overrides and permissions
Even more than that, teachers who don’t understand it will probably run a mile. Absolutely! Why should the defaults restrict the imagination and enthusiasm of teachers?
7. Overrides at module level are not anywhere near as complex as the situations Administrators have to deal with.
Agree. Overrides are very context specific.
@ John I
There is a case for selective release of the ability to override, but I’m still uneasy about a predefined view of what is safe/unsafe.
When you can override, you can see the inner workings of roles, and you need a sophisticated understanding role internals. IMO you need to understand roles at the same level as the administrator.
Owing to the specific nature of the capabilities available in overrides I don’t agree that this is enough in itself to not allow the ability override. For overrides does the understanding of the roles system need to be that sophisticated?
Saying this will "give [teachers] a chance to learn about overrides and permissions" is like saying we should give car keys to our children so they can learn about driving.
Surely they can already drive. To stretch the analogy isn’t this more about them being able to decide whether to be able to turn left or right?
Training: Yes, and perhaps I have a partial view as most of the Moodle users and organisations I meet have decided that training and or consultancy would be a good idea and that’s why I’m talking to them and discussing the issues. It’s absolutely clear that the vast majority of those tens of thousands of sites that use Moodle (and the unknown number of unregistered sites) don’t bother with informed help. That’s open source, that the way of the world and I’d swap the ability to “just do it” for any enforced training programme any day.
The legal scenario hat you have painted is one that has a much wider organisational failing at the heart of it. Should Moodle users in general be constrained because some organisations, bodies etc. don’t think through, plan and resource their online exploration adequately?
And what’s wrong with simply advising the that if they don’t understand what they are doing with overrides to leave them alone until they do?
Teachers have no concept whatsoever of roles for the most part. Even if you provide these facilities they will not use them because they don't know they are there.
Yes, sadly I have to concur with this but it’s not a Moodle issue in itself. I think Alicia’s breakdown of potential behaviour is also usual here too.
…the finely grained control over forum use) really where lost for ever.
Isn’t it the case that they actually became more fine grained but were hidden (deliberately or otherwise) by site admins?
Training: Yes, sadly this is probably an accurate analysis. If keeping things simple equates to removing teachers’ ability to fine tune as required then the online experience for learners is destined to be formulaic, sterile and predictable. Better to focus all of our energies to make this degree of flexibility easy to master than off limits (and here I’m referring to the ability to override in general, having still not bought into “safe” overrides as a concept).
I've changed a role and things don't work the way they should
Teachers can’t change roles, they an only override permissions in a very specific way. I can’t see the distinction between this and a face-to-face situation of a where a teacher would be culpable if they embarked upon a course of action where they have not considered the consequences or lack the experience or training.
One size fits all safe overrides for teachers – I don’t get it.
Default on or of?: It probably won’t make much difference either way.
Should teachers ability to function on a Moodle site always be approached from a lowest common denominator standpoint – No.
Exactly! I had been thinking about the same thing, and moments before I read your post, I added a comment to MDL-15841 suggesting a way to let the administrator decide which capabilities are safe.
In fact, the question "Who is to decide what is safe?" is the very essence of this debate. Who is to decide if teacher overriding is safe, the administrator or moodle.com?
I say it is the administrator because he has ultimate responsibility for what happens on his site. When there is a question about the safety of a software feature, the feature is disabled by default and must be enabled by the user. By enabling the feature, the user assumes responsibility (think about the dialog boxes you have to click to get to certain pages with Internet Explorer). The software designer knows that the user is probably not reading the warnings and has no idea what he is doing. But the user also understands that by clicking "Yes" he accepts responsibility for anything bad that happens. It may be just a formality, but it is an essential one. Now the fact that so many users have expressed concern about the safety of allowing teachers to override roles tells me that this is at feature that should follow the same pattern. There must be a formal acceptance by the administrator, not just an advisory notice.
Now in your post, you say things like safety being in the eye of the beholder and being uneasy about having a predefined idea of what is safe. Again, these are both reasons why the decision should be left to the administrator.
Everybody agrees that teachers need greater flexibility. Everybody agrees that this is achieved by allowing them to override roles. But not everybody agrees that Ergo, all teachers should be allowed to override roles. Since we can't agree, we defer to the administrator.
The sad truth is that no one really understands roles. I just read the Help file and "docs for this page" for the Override permissions page. Both are just plain wrong. We could rewrite them, but it would result in something that few would read, and only a few of those who did read would understand. So why not simplify it? Because you can't simplify something that is inherently complex. You need the entire roles conceptual model in your head before you can understand overrides. We have been over this ground before in other discussions.
Using your summary points:
One size fits all safe overrides for teachers
The decision as to which capabilities are "safe" should be left to the administrator
Default on or off?
The decision to allow overriding should be left to the administrator
Should teachers ability to function on a Moodle site always be approached from a lowest common denominator standpoint
This is a straw man
I do not like the direction we are heading, could we please stop and think how to improve Moodle instead of poisoning the community, crucifying developers and wasting our precious time?
Nobody has absolute truth - not even John Isner or Martin Dougiamas. I coded this new feature to work around the cross site scripting risks when overriding roles. My work was funded by the Technical University of Liberec. I am planning to merge some more roles related improvements, I hope it will not cause such a big stir again
The major problem is that very few people (including developers) understand the security of Web 2.0 applications - which means that in the end it is very often me who decides what is safe or not when speaking about permissions, I wish there were more people working on security issues in Moodle. My English is not perfect, maybe "safe" is not the right word - the original meaning was "safe for administrators to delegate". Please let's keep this meaning.
I already proposed a solution for safe override limitting in the tracker when all this shouting started. Let's call it:
Limited overrides is a list of capabilities selected by administrator. We can not use current role definition screen, we will need a new admin configuration page. There would be one new capability "moodle/role:limitedoverride" which would be granted the same way as normal or safe overrides. In the end we would have three types of overriding:
- full overrides - all capabilities
- safe overrides - only risk free capabilities
- limited overrides - administrator selects wanted overrides (no XSS and config risks allowed)
How does it sound?
It's a bad, bad day when we can't openly discuss if something is best way forward. These things tend to rumble round, sometimes they go nowhere and sometimes some great new ideas come out of it. I certainly don't mean to be anything but positive - I know a lot of hard work has gone into roles and this provides a lot of exciting functionality but we have to keep one eye on the usability.
I am going to fix some little nasty bugs nobody cares about or better enjoy roller skiing instead
Roller Skiing? Sounds dangerous Better than bug fixing though. Have fun!!
If I contributed to those feelings I'm sorry, however, I think it's important to be candid about important issues such as these.
I think everyone agrees that limited/safe/full override is an excellent idea. But the debate is about a much simpler question:
- Should Moodle by default show teachers an Override tab?
safe = "safe for the administrator to delegate"
This is a perfect definition! I believe that ability to override roles (limited, safe, or full) is something for the administrator to decide: when, how, and to whom to delegate. It should not be delegated in a shotgun manner to all teachers behind the administrator's back.
my +1 to make it off by default now and add the limited overrides and let admins decide what should be allowed to override. The roles docs will need some improvements too.
Thanks, I like the spirit here again
Sort of... Not all administrators are teachers or understand the "front end experience". On too many sites admins don't understand what the options are (let alone the implications of them), consequently teachers have a partial view of what is possible. This has the potential to stifle, well most things. A consensus between site admin and teacher representatives works well in my experience, with compromises on both parts.
I understand your point about disabling potentially problematic features. I don't think that principle can be applied with the rigour you imply here owing to the nature of the medium. For example "Start new discussions" is set to allow for the default Teacher role, the risk flagged for that capability is "Users could send spam to site users or others".
For the record, I accept Petr's point about security and this needs to be considered sensibly, but in a joined up manner and not neceearily by a (implied single) site admin who knows best for everyone.
I just read the Help file and "docs for this page" for the Override permissions page. Both are just plain wrong. We could rewrite them, but it would result in something that few would read, and only a few of those who did read would understand. So why not simplify it? Because you can't simplify something that is inherently complex. You need the entire roles conceptual model in your head before you can understand overrides. We have been over this ground before in other discussions.
This worries me. A lot. It means that there's nowhere I can read up on this and get a handle on it. "You need the entire roles conceptual model in your head before you can understand overrides." Fair enough, but where can I access the entire roles conceptual model in order to understand it? That's what I'm looking for.
I was sorry to read John's comments about the overrides help file and override permissions documentation. They both look fine to me, and I notice that the documentation page has been accessed over ten thousand times, so it appears to have been well-read.
Of course the documentation can always be improved (and everyone is welcome to do so), however I don't find overrides so difficult to understand.
If you read the Moodle documentation and come across anything that you don't understand, please use the "page comments" tab and leave a note about it, so that someone can fix it later. Your help in this way would be much appreciated.
I can only reiterate that my personal experience of Moodle users is that at least 95% just want to put up their powerpoints and do a few quizzes. They need the interface to "just work", they certainly don't need or want to be overriding roles to do stuff. I'm not saying that those that do should be prevented from doing so but the administrator for the site needs to decide what's appropriate for his/her site. In some of the very large Moodle sites I administer the level of enthusiastic user is low, they won't thank you for loads of options especially as, in the case of roles, quite a few are unintutive (e.g, nobody knows what the roles tab on a user profile does and not what nearly everybody seems to think it does).
Why not give the teacher the choice? Why must we portect this poor teacher: I add a lot to the pages of my por users (calendar buttons, bookmark buttons and they complain about to much (or not enough) information on their My PAGE...
I built more and more choices on their profile page like:
- show extra (calendar) buttons on My My page (default yes)
- show the messages of the courses on my my page (default yes)
- use the privat page-bookmark system (defalut no)
- set the limit of the courses on the my page ( 20 - 30 -50 100 - 200)
- sort the courses by: last visit/ courseid /courseperiod
So I wish to add under the condition "if you are teacher":
- swith the save override option ON (default off) john and Howard can add here a red warning sign, but please.. please.. let the teacher decide: it opens the road to real e-learning 2.0
I'm reluctant to give this response, having read with concern of the unintended pain this discussion has generated in Petr (at least), when at the outset I acknowledged our indebtedness to Petr, as with other developers, but for clarification only...
With reference to your @John W section: I did not say teachers could change roles.
Regards to all,
Absolutely correct. I've just revisited your post. An unreserved apology is due. Sorry.
<Note to self: Don't draft responses to big topics in the early hours of the morning.>
It seems to me that something very productive can come out of it: making explicit something that may not always be obvious. Most teachers just need a core set of capabilities for managing their courses. Discussion and announcement forums, assignments, resources, a gradebook and maybe quizzes. For some, they will use only a subset of these. Frankly, since these features are Moodle's forte, teachers who use it in that way are already sophisticated users relative to what they could do with a general CMS or a set of web pages.
Our key focus should be to make Moodle be inviting for this first group of users. An hour of training together with a peer mentor and some example courses should put them well on their way if things are done well. Incremental training for this group would be helpful when innovative practices starting happening within an institution that should be shared. But they probaly don't need an increase in the feature set, nor the complexity that comes with it.
But there are always the "Power Users" on a faculty that want to take things to their limits and have a mind-set to explore and do things differently. It is for them that role-overrides and other sophisticed capabilities are helpful, but we should recognize that it is for less than 10% of the users (albiet important users for keeping a program on the cutting edge).
For such individuals, this feature should probably be implemented as asupplemental role within course, perhaps bundled with other advanced capabilities. There does not need to be a different type of Teacher. Faculty that show such an inclination might get additional training or otherwise demonstrate that they are best served by added features. And the administrator could then assign the Power User role in addition to the Editing Teacher role to such individuals.
Note that this new role does not need to be a selection in the core distribution, but can instead be covered in the Docs. Different institutions might define the capabilities of a Power User differently, and that might change over time as their faculty develop a set of appropriate skills.
So, I guess I share the view of many others that this should not be added to the standard set of features of the editing teacher. But I see it in a positive way that it hilights the ability to have a supplemental role for "Power User" teachers that enables the experince to be satisifying for standard educator while enabling advanced features for those who have the needs and inclinaton.
I understand this approach in, say, a school. All I would add is that we all need to remember that Moodle's user base is much more diverse than that.