Hello,
when I log in as a student into Moodle and go to one of my courses I can simply find out who has been registered on our system. Just go to one of the participants' profiles and change the ID number in the browser's address field and you will receive the message, e.g.: Peter Farmer is not enlisted in this course. So I can go through all the IDs and get the names. Is this a known bug? Is there any way to change permissions for students in the system to avoid that?
Thanks in advance.
Greetings from Heidelberg
Klaus Kirchner
In reply to Klaus Kirchner
Re: Students are able to list user names of the whole system
by Dale Davies -
Not sure if this could really be a bug. Perhaps it should be changed to say "The user is not enrolled on this course"?
In reply to Dale Davies
Re: Students are able to list user names of the whole system
by Klaus Kirchner -
Hello Dale,
unfortunately that's not the problem. Students should not have the possibility to get a list of users on the system by entering an ID number in the browser's address window. Getting names not involved in the course is a data security issue – at least at German universities.
Klaus
In reply to Klaus Kirchner
Re: Students are able to list user names of the whole system
by Helen Foster -
Hi Klaus,
Thanks for raising this privacy issue. I've created a tracker issue for it - MDL-21830 (currently only viewable by developers).
As Dale mentions, a temporary workaround might be to edit the language string (see Language editing for details).
In reply to Helen Foster
Re: Students are able to list user names of the whole system
by Klaus Kirchner -
Hi Helen,
thank you! In the meantime I'll try the language editing.
In reply to Klaus Kirchner
Re: Students are able to list user names of the whole system
by Mary Cooch -
Very interesting! (For anyone who comes to this, I think you need to go to site admin>language>language editing>edit words or phrases, select moodle.php from the drop down and then scroll down to $a is not enrolled in this course and change the $a to The User)
In reply to Mary Cooch
Re: Students are able to list user names of the whole system
by Klaus Kirchner -
Hello Mary,
but this is no solution - it's only the tip of the iceberg.
The issue also occurs when I go to my own profile page - not logged into a course - and change the ID number in the browser's address window.
Besides that, the name is also displayed in the system's breadcrumb tree.
I think the best solution for this bug would be a repair in the main code.
In reply to Helen Foster
Re: Students are able to list user names of the whole system
by Klaus Kirchner -
Hi Helen,
anything new on my issue?
Thanks and greetings from Heidelberg
Klaus
In reply to Klaus Kirchner
Re: Students are no longer able to list user names of the whole system
by Helen Foster -
Hi Klaus,
The good news is that your issue is fixed in the latest stable version of Moodle. Users without the capability to assign roles obtain the message 'The details of this user are not available to you'. Thanks to Petr for fixing the issue.
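Added example, not part of the thread and not Moodle's own code: a small Python model of the profile check before and after the fix described above, with a regression check that scans the message and the breadcrumb for names of users outside the course. All names, IDs and functions are hypothetical, `can_assign_roles` stands in for the capability mentioned above, and returning the same message for unknown IDs is an assumption.

```python
from dataclasses import dataclass

# Constructed sample data: user id -> full name, and one course's enrolments.
USERS = {2: "Alice Example", 3: "Bob Example", 4: "Carol Example"}
ENROLLED = {"course-1": {2, 3}}
GENERIC = "The details of this user are not available to you"


@dataclass(frozen=True)
class Viewer:
    user_id: int
    can_assign_roles: bool = False  # assumption: models the role-assign capability


def profile_before(viewer, course, target_id):
    """Reported behaviour: error text and breadcrumb both name the user."""
    if target_id not in USERS:
        return "Invalid user"
    name = USERS[target_id]
    if target_id not in ENROLLED[course]:
        return f"Home / {name}\n{name} is not enrolled in this course"
    return f"Home / {course} / {name}\nProfile of {name}"


def profile_after(viewer, course, target_id):
    """Fixed behaviour: viewers without the capability get one fixed page."""
    name = USERS.get(target_id)
    if name is not None and target_id in ENROLLED[course]:
        return f"Home / {course} / {name}\nProfile of {name}"
    if name is not None and viewer.can_assign_roles:
        return f"Home / {name}\n{name} is not enrolled in this course"
    # Same body for "exists but not in course" and "no such id".
    return f"Home\n{GENERIC}"


def leaked_names(handler, viewer, course, ids):
    """Regression check: names of non-course users found in any response."""
    outside = {n for uid, n in USERS.items() if uid not in ENROLLED[course]}
    found = set()
    for target_id in ids:
        body = handler(viewer, course, target_id)
        found.update(n for n in outside if n in body)
    return found


if __name__ == "__main__":
    student = Viewer(user_id=2)
    print("before:", leaked_names(profile_before, student, "course-1", range(1, 6)))
    print("after: ", leaked_names(profile_after, student, "course-1", range(1, 6)))
```
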

In reply to Helen Foster
Re: Students are no longer able to list user names of the whole system
by Klaus Kirchner -
Hi Helen,
wow - good news
Many thanks - also to Petr for the fast work