Parent and Visitor access - some ideas

by James Hagen -
I've been investigating how to allow parents as well as non-school users (e.g. colleagues from another school) to access courses and share my insights below for what it's worth. Feedback gladly accepted.

We wish to permit parents to access any course as a guest without a key. This is easily accomplished in the settings for each course. However, this course setting allows all authenticated users to access the course as a guest without a key including, for example, visitors from another school. We wish to prevent this.

Fortunately for us, community members are authenticated via LDAP whilst the Moodle accounts of non-community members are created manually. This distinction makes it possible for us to treat the two types of users differently with a couple of hacks, which are documented below.

1. Definitions
  • 'community' means students, parents and staff members of the school.
  • 'non-community' means everyone who does not belong to the 'community'.
  • 'authenticated user' means anyone who has a Moodle user account at the school.
  • 'LDAP account' means the Moodle user account, created via an LDAP server, of a community authenticated user.
  • 'manual account' means the Moodle user account, created manually, of a non-community authenticated user.
2. Access Rules
2.1 Allow only authenticated users to access courses.
Method: Moodle default
2.2 Allow all community members to become an authenticated user, i.e. to have an LDAP account.
Comments: Parents, students, staff of the school
Method: LDAP accounts
2.3 Allow selected non-community members (e.g. students or teachers from other schools) to become an authenticated user, i.e. to have a manual account.
Comments: For example, collaborating students or teachers from other schools.
Method: manual accounts
2.4 Allow teachers to assign roles to community or non-community authenticated users in the context of a course.
Method: Allowed by default in Moodle
2.5 Allow all community authenticated users to enter courses as a guest, unless there are exceptional circumstances, e.g. new courses without content.
Comments: Allow community authenticated users, including parents, to visit a Moodle course whenever they like. 'Visit' in this sense means to enter the course as a guest and view the content but not participate in the various activities.
Method: In normal circumstances, allow authenticated users to enter as a guest without an enrolment key.

In exceptional circumstances:

• DO NOT allow guests to enter, or
• Allow guests only with the key.



2.6 DO NOT allow non-community authenticated users (i.e. manual accounts) to enter courses as a guest, unless assigned that role by a teacher in the context of the course.
Comments: Allowing guests to enter without an enrolment key (see 2.5) does not distinguish between community and non-community authenticated users, i.e. between LDAP accounts and manual accounts.

This would allow, for example, a teacher from another school with a manual account to ‘snoop’ in all courses where guest access is allowed without an enrolment key.

Method: To prevent this, hacks are required that block manual accounts from entering courses as a guest, unless assigned that role by a teacher in the context of the course.

Amend ‘Moodlelib.php’ at about line 1968:

New code in red

/// Non-guests who don't currently have access, check if they can be allowed in as a guest

if ($USER->username != 'guest' and !has_capability('moodle/course:view', $COURSE->context)) {
    if ($COURSE->guest == 1 and !is_internal_auth($USER->auth)) { // hack: prohibited if authenticated manually
        // Temporarily assign them guest role for this context, if it fails later user is asked to enrol
        $USER->access = load_temp_role($COURSE->context, $CFG->guestroleid, $USER->access);
    }
}



Amend ‘Moodlelib.php’ at about line 2040:

New code in red

/// Currently not enrolled in the course, so see if they want to enrol

/// Start hack to prohibit manually authenticated users, i.e. non-community users

if (is_internal_auth($USER->auth)) {
    print_header_simple();
    notice(get_string('manualguestsnotallowed', '', format_string($COURSE->fullname)), "$CFG->wwwroot");

    /// note: add 'manualguestsnotallowed' to en_utf8_local/moodle.php
}

/// End hack

$SESSION->wantsurl = $FULLME;
redirect($CFG->wwwroot .'/course/enrol.php?id='. $COURSE->id);
die;



Add new local language expression to moodle.php

$string['manualguestsnotallowed'] = 'Sorry, \'$a\' does not allow guests who are not members of the school community.'; // ORPHANED

2.7 Allow community authenticated users (i.e. LDAP accounts) to self-enrol in any course if permitted by the teacher of that course.

  1. In normal circumstances, teachers allow authenticated users to enter as a guest without an enrolment key (see 2.5).
  2. In normal circumstances, teachers set an enrolment key for a course and reveal it to students of the course.
  3. An enrol button is automatically displayed for guests if they are community authenticated users (see 2.8).
2.8 DO NOT allow non-community authenticated users (i.e. manual accounts) to self-enrol in any course.

Method: The enrol button is not displayed for manual accounts but is displayed for LDAP accounts, by the following hack:

Amend blocks/admin/block_admin.php at about line 207

Amended code in red

// hack to hide enrol button if user has been authenticated manually

/// Unenrol link

if (empty($course->metacourse) && ($course->id!==SITEID)) {
    if (has_capability('moodle/legacy:guest', $context, NULL, false) and !is_internal_auth($USER->auth)) { // Hack - enrol button not displayed if user has been authenticated manually
        $this->content->items[]='<a href="enrol.php?id='.$this->instance->pageid.'">'.get_string('enrolme', '', format_string($course->shortname)).'</a>';
        $this->content->icons[]='<img src="'.$CFG->pixpath.'/i/user.gif" class="icon" alt="" />';
    } else if (has_capability('moodle/role:unassignself', $context, NULL, false) and get_user_roles($context, $USER->id, false)) { // Have some role
        $this->content->items[]='<a href="unenrol.php?id='.$this->instance->pageid.'">'.get_string('unenrolme', '', format_string($course->shortname)).'</a>';
        $this->content->icons[]='<img src="'.$CFG->pixpath.'/i/user.gif" class="icon" alt="" />';
    }
}

2.9 DO NOT allow students of any course to self-unenrol.
Comments: This prevents unenrolling before it is discovered that they have enrolled in a course that they shouldn’t have.
Method: By default, students are unable to unenrol themselves from courses by the moodle/role:unassignself capability of the student role, i.e. only the teacher can unenrol students from a course.



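An added example, not part of the original post and not Moodle code: the hacks in 2.6 and 2.8 decide community membership with !is_internal_auth(), so every auth plugin that is not internal is treated as community. The script below compares that rule with a hypothetical allow-list of community plugins. The stub's plugin table and the names is_internal_auth_stub, is_community_as_posted, is_community_allowlist and guest_entry are assumptions of the example, and 'shibboleth' stands for any further external plugin enabled later.

```php
<?php
// Added example. Stand-in for Moodle's is_internal_auth(); the table below is
// an assumption: manual, email and none are internal, ldap and shibboleth are not.
function is_internal_auth_stub($auth) {
    $internal = array('manual' => true, 'email' => true, 'none' => true,
                      'ldap' => false, 'shibboleth' => false);
    // Plugin names not in the table are treated as internal by this stub.
    return isset($internal[$auth]) ? $internal[$auth] : true;
}

// Rule as used in the post's hacks: whoever is not internal is community.
function is_community_as_posted($auth) {
    return !is_internal_auth_stub($auth);
}

// Hypothetical allow-list variant: only the plugins named here are community.
function is_community_allowlist($auth, $communityauths = array('ldap')) {
    return in_array($auth, $communityauths, true);
}

// Rules 2.5/2.6 as the two moodlelib.php hacks read on the page: outcome for
// a user with no role in the course.
// $guestsetting: 0 = no guests, 1 = guests without key, 2 = guests with key.
function guest_entry($community, $guestsetting) {
    if (!$community) {
        return 'notice';        // the 'manualguestsnotallowed' message
    }
    return ($guestsetting == 1) ? 'guest' : 'enrol page';
}

// Constructed sample accounts, one per auth plugin, on a course with guest = 1.
foreach (array('ldap', 'manual', 'email', 'shibboleth') as $auth) {
    printf("%-11s posted=%-11s allowlist=%s\n", $auth,
        guest_entry(is_community_as_posted($auth), 1),
        guest_entry(is_community_allowlist($auth), 1));
}
```

Run it with php on the command line. Rows where the two columns differ are accounts that the posted rule admits as guests and an allow-list does not.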