Securing a directory

Securing a directory

by Michael Black -
Number of replies: 13

Running Moodle 1.98?  (latest stable build)

How can I create a directory in which Student can upload assignments, but cannot download, or read any other items placed in the folder?

On the same note, how can I create an Instructor Only folder, that no student, authenticated user, guest has access to?

Any advice will be greatly appreciated, and if this has been asked before I am sorry for the repost, but I cannot find an answer so this seem the logical place to start.

Thank You

Michael

Average of ratings: Useful (1)
In reply to Michael Black

Re: Securing a directory

by Mary Cooch -
Picture of Documentation writers Picture of Moodle HQ Picture of Particularly helpful Moodlers Picture of Testers Picture of Translators
Ok -well first of all -in any course,in the course admin block there is a files folder where teachers can upload directly to. Only teachers can see that folder and (unless they are really cunning and can guess what is in there and work out the url) students can't access it -so putting stuff in there is relatively safe. There will also be a backup folder and that is even safer as students can't access that. Students and guests don't even see the files folder in course admin -all they see in that block is grades and possibly their profile link. When you set up assignments (in add an activity>assignments) students can upload their work but they can't see anybody else's - so it is quite safe and private.The directory creates itself once a student has uploaded work and it's called moddata in the files directory of the course admin block of your course
Average of ratings: Useful (2)
In reply to Mary Cooch

Re: Securing a directory

by Joe Griffin -
I have a similar problem. When a student clicks on the insert image icon they are shown the the backupdata folder among others in the file browser (image attached). How do i stop users being able to get access to files on this directory - I notice that on this forum I do not see the file browser section when I click on the insert image icon.

Thanks
Attachment insertimage.jpg
Average of ratings: -
In reply to Joe Griffin

Re: Securing a directory

by Joe Griffin -
I should hve said I am using Moodle 1.95. Attached is the insert image pop up I see on this Moodle site.

Thanks


Average of ratings: -
In reply to Joe Griffin

Re: Securing a directory

by Mary Cooch -
Picture of Documentation writers Picture of Moodle HQ Picture of Particularly helpful Moodlers Picture of Testers Picture of Translators
Joe - this is really odd as this is the teacher view not the student view - are you 100% certain your students are enrolled as students in that course and that there haven#t been any permission overrides enabling them to upload files? DO they have a turn editing on button or are they able to see into the gradebook to see others's scores?
Average of ratings: Useful (1)
In reply to Mary Cooch

Re: Securing a directory

by Joe Griffin -
Hi Mary

Thanks for the response. I have checked the roles. These are definitely students and I have even prohibited further permissions that might have caused this access problem. Do you have any suggestions as to any I might have missed?

Not sure about the gradebook question. I don't use it and this is not a problem I have noticed. It is when students are using the HTML editor and insert an image or a link that I have my problem.

At that point they see the File Browser (as shown in the earlier message I posted) and can find the name of the backup zip files. Then they can use this name, append it to an appropriate url (don 't want to give too much away here thoughtful ) and when the point the brower at the new url, presto, the entire zip file downloads. It is then only a small matter to extract certain data such as passwords.

Thanks
Average of ratings: -
In reply to Joe Griffin

Re: Securing a directory

by Mary Cooch -
Picture of Documentation writers Picture of Moodle HQ Picture of Particularly helpful Moodlers Picture of Testers Picture of Translators
How about going to site admin>define roles and resetting authenticated user and student back to default? (which should get rid of any "rogue" permissions) And then seeing if you still have the problem? And presumably your default course user in the course settings is also student? What activity are your students using when they get this message (ie, where is the html editor?)
Average of ratings: Useful (1)
In reply to Mary Cooch

Re: Securing a directory

by Joe Griffin -
HI Mary

I'll try that. The HTML Editor appears when users are posting or replying to forums. It is the standard editor that comes with Moodle (the one I am using here in fact)

Joe

Average of ratings: -
In reply to Mary Cooch

Re: Securing a directory

by Joe Griffin -
Hi

I re-set the defaults for student role at system level. In the course I then set overrides to all inherit. The default user in a course is student. I still get the file browser appearing when I click on insert image icon in the HTML editor as in the image I posted earlier. (I have disabled the editor for now so no images can be inserted, as a stop gap measure.)
Average of ratings: -
In reply to Joe Griffin

Re: Securing a directory

by Mary Cooch -
Picture of Documentation writers Picture of Moodle HQ Picture of Particularly helpful Moodlers Picture of Testers Picture of Translators
Joe -when did this start? Have your students always been able to do this or has it been since an upgrade?
Average of ratings: -
In reply to Mary Cooch

Re: Securing a directory

by Joe Griffin -
Hi

I only became aware of this yesterday so I cannot say when it started.

Joe

Average of ratings: -
In reply to Joe Griffin

Re: Securing a directory

by Paul Holden -
Picture of Core developers Picture of Moodle HQ Picture of Moodle Workplace team Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers Picture of Testers
Users only get the file browser in the Insert Image dialog if they have the moodle/course:managefiles capability - students really shouldn't have this capability in a course, you should check how you've defined your site/course roles thoughtful

How are you checking what a student account sees?
Average of ratings: -
In reply to Paul Holden

Re: Securing a directory

by Joe Griffin -
Hello Paul

Thanks for the reply. I have the student user set to the system default which shows this moodle/course:managefiles capability as being inherited.

I have logged in as a student (using an account I set up for this purpose) and this showed the file browser. I also logged in as a teacher and switched roles.

I have now specifically prohibited the moodle/course:managefiles capability and the file browser in the html editor still appears when I am logged in as a student.

Joe

Average of ratings: -
In reply to Paul Holden

Re: Securing a directory

by Joe Griffin -
I upgraded to 1.9.7 and problem solved. Thanks to both of you for your help.

Joe

Average of ratings: -