| Topic: | Multiple backup/restore related issues |
| Versions affected: | <1.8.11 and <1.9.7 |
| Reported by: | multiple reports |
| Issue no.: | MDL-20838, MDL-20849, MDL-20939, MDL-20932 |
| Solution: | upgrade to 1.8.11 or 1.9.7 |
| Workaround: | remove backup capability from all users |

User password hashes and secrets are now never included in backup files. There are also new capabilities that control backup and restore of all user information (separately from the course data), and these are off by default. The admin has much better control over who has these capabilities, and the security overview report now gives a comprehensive picture of dangerous roles, overrides, users, etc. Even if this capability is enabled, only enrolled users can be included in backup files.