Hi,
I had instructed my teachers to setup groups within
a course and add a forum in "separate groups" mode as way to maintain
private conversations within a given group. For instance, to discuss
topics (and share files) for a team assigment. I insisted in the private
nature of the "separate groups" setting in the forum (within a wider
course).
But, we have discovered that individual messages of those "private"
forums can be accessed and readed by other non-group members. There a
te two "holes":
a) The personal information page: you can see (and read) recent
messages sent by a user. Even messages to a forum you cannot acces.
b) The search forums utility: again, the results will show posts from "separate" forums.
In either case, if a non-member user want to acces the whole thread, Moodle emits and error message indicating that you do not have right to acces that forum. But individual messages as displayed. If a keyword is quite used, almost the whole thread is accessible.
Some teachers at my site think that Moodle should not even mention the existence of those messages to non-member users. They see this behaviour as a "privacy" breackage. One complains that some students have "stolen" files from other groups in this way.
I feel that this behavior comes from the social constructivist philosophy of Moodle, but I cannot force all my teachers into that view.
I would like to ask your opinions on this topic. Is this a feature or a bug?. Perhaps it would be possible to add a setting to modify the behaviour (as it is or no report at all) on teacher option. Should I report this as a bug in moodle bugtracker, or as a feature request?.
- Enrique -
What version of Moodle are you using? I'm pretty sure these bugs were fixed in 1.4 or later.
Hi Martin,
I've been off my site, giving a course about Moodle at University of Extremadura. Moodle is spreading in Spain, I hope we can form a league of Universities using Moodle.
Now back at work, our production server has version 1.40. I have checked this behaviour with the latest 1.4.3+. downloaded this morning, and the problem remains: when you search for a keyword the message body is displayed even if the user is not a member of the group, in a "separate groups" forum.
In version 1.4.3+ the personal information page does not reveal the messages sent to "private" forums, this is fixed. OK
But the other "hole", the search function, is there: revealing private messages to non-member users. So this is half-fixed.
With I.5 the search utility fails (XML parsing error). This is a several days old 1.5 copy.
I will enter a bug report
- Enrique -
I've been off my site, giving a course about Moodle at University of Extremadura. Moodle is spreading in Spain, I hope we can form a league of Universities using Moodle.
Now back at work, our production server has version 1.40. I have checked this behaviour with the latest 1.4.3+. downloaded this morning, and the problem remains: when you search for a keyword the message body is displayed even if the user is not a member of the group, in a "separate groups" forum.
In version 1.4.3+ the personal information page does not reveal the messages sent to "private" forums, this is fixed. OK
But the other "hole", the search function, is there: revealing private messages to non-member users. So this is half-fixed.
With I.5 the search utility fails (XML parsing error). This is a several days old 1.5 copy.
I will enter a bug report
- Enrique -
Yes, I see the problem, not good ... unfortunately a fix will be less than simple ... someone should really look at it.
Hi Martin,
I've taken the glove, and I think I have a fix for this. I have attached a zip with modified versions of mod/forum/lib.php and search.php (modified from v. 1.4.3+).
I have added a couple of functions to check if user is allowed to see the post (taken from code already existing in user/view.php), and to trim display of non-allowed messages. The changes are marked with "// ECastro" comments.
Please, test it, I have done tests only in a Moodle4Windows "toy" deploy.
- Enrique -