General developer forum

 
 
Picture of Jan Eberhardt
Policy isn't required for user creation. Is that ok with you?
 

Hi there,

we have a huge problem with the user administration in moodle. In a standard moodle installation the system will create an account (i.e. in the case of a LDAP-connection), even if the user has NOT ACCEPTED THE POLICY. This won't go along with german privacy laws and mostly it won't be wished by most of the administrators. Because yet it is posible to have an user in your community, which didn't agreed the terms of use (which includes in our case the privacy terms)!

I'd like to discuss if this is a major topic for you as well and what's the reason behind this solution.

Maybe sombody can tell a quick alternative, than editing the core... because for now I had to change the moodlelib, the user/policy.php AND had to create a custom script...

 
Average of ratings: -
Davo
Re: Policy isn't required for user creation. Is that ok with you?
Group DevelopersGroup Particularly helpful Moodlers

I don't really know anything about German privacy laws, but surely if you are registering a user on Moodle via LDAP, that implies you have already entered their details into your whatever system is feeding into LDAP? Did you not already get the users' permission to use their details at that point?

There also seems to be two different uses for the policy - making the user aware of what the organisation considers acceptable usage on behalf of the user and making the user aware of what is considered acceptable behaviour on behalf of the organisation.

If your focus is on what behaviour is expected of the user, then I can see no problem at all with the current system, as, even though the user account has been created, the user is unable to do anything on the site without accepting the policy.

If your focus is on making the user aware of the behaviour of the organisation, before they create an account on the system, then you need to be making sure the user is aware of the policy before they reach the point of being authenticated - trying to make use of a system that appears after the authentication has been completed, would seem to be the wrong way around.

 
Average of ratings:Useful (1)
Picture of Mark Ward
Re: Policy isn't required for user creation. Is that ok with you?
 

Totally agree with this. LDAP requires that they already have an account with your organisation which must be goverened by a usage policy of some kind. Including your Moodle policy in there makes it far easier to track who has or hasn't agreed to your terms, since otherwise you would have to track that in two places. 

 
Average of ratings: -
Picture of Olja Petrovic
Re: Policy isn't required for user creation. Is that ok with you?
 

This is an interesting question.

Is the problem in the enrol plugin or Moodle privacy policy handling? Could you explain the core modifications you had to make?

With email registration, you need to accept the privacy policy right away, if privacy policy is needed for that platform.

I do not know LDAP as such, I guess a generic Single Sign-on solution the user could be created and logged in as a potential user, and then it was Moodle that asked the user to accept the policy.

I guess you want Moodle to ask for policy accepting first and second to call the user_enrol method to have to traces of user data if policy not accepted?

Did I understand correctly?

Just as a side note, Moodle deletes non-confirmed users at predefined intervals.

Have you tried contacting the LDAP plugin author directly via a private message on moodle.org or via email (see plugin source code)? 

The source code cites Iñaki Arenaza as author. You can look up his profile and write him a message.

http://moodle.org/user/view.php?id=68632&course=5

You can even make a feature request or some other issue on the Moodle Tracker:

http://tracker.moodle.org/

BTW Moodle plugins, including enrol plugins, can have configuration settings, so if you decide to change the setting, consider if it's possible to decide in configuration which approach to use.

I am busy today, but together with the plugin author you can analyse the feature request and see how it fits in Moodle.

If modifying the existing plugin is not an option or it takes too much time, you can also create your own enrol plugin, even temporarily while the original is worked on.

Maybe other users need your version too, so you could publish it also.

Greetings.

Olja Petrovic

 
Average of ratings: -
Picture of Olja Petrovic
Re: Policy isn't required for user creation. Is that ok with you?
 

P.S. I see that Iñaki Arenaza is active on this forum, but I guess he might have missed your post (it doesn't mention LDAP in the subjectsmile ). So I think you really should contact him directly and bring his attention to this thread, he might find a solution for you and other Moodle admins who have the same project requirements.

 
Average of ratings: -
Picture of Iñaki Arenaza
Re: Policy isn't required for user creation. Is that ok with you?
Group DevelopersGroup Documentation writersGroup Particularly helpful Moodlers
Hi Olja,

this time I didn't miss it smile

I'm having a look at it, but it may take time (I need some time to check all the settings involved in this).

Saludos.
Iñaki.
 
Average of ratings: -
Picture of Jan Eberhardt
Re: Policy isn't required for user creation. Is that ok with you?
 

Thanks a lot. I didn't came to my mind, to ask a developer of a plugin to fix this, because I don't connect this problem with a specified auth plugin.

Please read my other post below, where I explain, why I didn't used "LDAP" in the subject... smile

 
Average of ratings: -
Picture of Olja Petrovic
Re: Policy isn't required for user creation. Is that ok with you?
 

Thank you very much for your timely, detailed and constructive response.

It is so inspiring to see programmers be involved with users and the community, I know it takes time and patience and energy. 

Keep up the good work,

greetings, Olja

 
Average of ratings: -
Picture of Jan Eberhardt
Re: Policy isn't required for user creation. Is that ok with you?
 

Hi there,

thank you for your input. I'll explain some of the question which popped out:

First, yes users have to confirm some policy to get a LDAP account. The problem is, that this is a completely different section in our university. So we can't ensure, that their policy cover all the details we have to ask for. For that reason, we habe to enable policy handling, even if some parts are the same.

Second, it doesn't realy have an PlugIn-specified context, because if we are going to implement a own authentification method, that problem has also to be in mind. That's the reason, why I don't changed any authentification plugin. The changes I made are completely made in moodlelib.

That leads to the last question: What have I done, so that it worked for me. First, I found the place, where new useres are created. That's in the authentificate_user() function of the moodle lib. The function does everything needed for the authentification process. That means it asks all plugins, if the user is a valid user. After that it checks in the db, if he/she exists. If not, the user will be created. That means, if you use that place for your changings it applies to all authentifacation methods.

There I've only introduced a new session variable ($SESSION->policyagreed) which is asked for. If it's empty or 0 and it's not an admin  (which now I think is a little bit strange to ask for, because if the user doesn't exists he/she can't be admin either...) than there's a redirect to the policy with introducing another new variable and setting $SESSION->wantsurl to my custom script. The new introduced var contains than username, password and the original site (that's what $SESSION->wantsurl was before). My custom script is nearly the same, what login/index.php is doing, but only a little bit shortened. That is for moodle to make all the steps, which I cancel on the redirect to the policy.

Hopefully you understand my explaination. If not, I can provide the source code. But still I hoped for a nicier way to do it...

edit: I forgot to mention that I set the $SESSION->policyagreed in user/policy.php, on the same place, where $USER->policyagreed is set.

 
Average of ratings: -
Picture of Iñaki Arenaza
Re: Policy isn't required for user creation. Is that ok with you?
Group DevelopersGroup Documentation writersGroup Particularly helpful Moodlers

I've had a look at it, and you can get an equivalent result without modifying the code. I say equivalent result, and not exactly the same result as there's an additional side-effect. That side-effect may or may not fit your needs, so that's why I'm popping it up.

Once you configure a site policy URL in moodle, there are two places[1] where user acceptance is checked/enforced:

  • when they sign up for a new account
  • when they are required to login

The former is used when you are using email based authentication, or LDAP with external user creation, etc. In this case, the user is requested to comply with the policy before the account is created.

The latter can be used when the user account already exists. Moodle doesn't care if the admin has created the account beforehand manually, or if it's created on the fly as part of the login process (like most external authentication plugins do).

Notice that in the second case I said the user is required to login, not that the user voluntarily decides to log in. That's why Davo Smith said "the user is unable to do anything on the site without accepting the policy". As soon as the user tries to do anything on the site for which she's required to login (enter a course, download a file, read a blog, etc.), she'll have to accept the policy.

There's only a place[2] where you can go without being required to login: the front page. So if you configure Moodle to require logins even for the front page, the user is forced to accept the policy no matter where she tries to go on your site. You can configure this in Site Administration >> Security >> Site policies >> Force users to login

Now this is where the side-effect comes in. If you do this, guest/anonymous users won't be able to see your front page at all. Depending on your need this might be a good or a bad thing.

Saludos. Iñaki.

[1] There's another one or two, but they don't play a role in the issues discussed here

[2] Again this is not strictly true, but the other places aren't that useful.

 
Average of ratings: -
Picture of Jan Eberhardt
Re: Policy isn't required for user creation. Is that ok with you?
 

Yepp, I found that configuration as well. But we need to have guests to have access to our moodle :/

That's handy, if there's a teacher, who only give access to their lecture notes and other stuff. This feature is frequently asked. That means, I can't shut down the system for guest...

In any case, you're talking about another topic, which bothers me as well. There's only the option to use a created account as "guest account". This one has also accepted the policy (the first user, who ever used a guest account accepted it), that means, that all other people using that account have a "policyagreed" flag in the $USER object.

I would like to force EVERY guest to accept the terms of use, before they can view any course in our system... is there an option or configuration I missed?

 
Average of ratings: -
Picture of Olja Petrovic
Re: Policy isn't required for user creation. Is that ok with you?
 

Hi Jan.

I don't know much about guest accounts, and have no time to look now, unfortunately. It is an important question. Maybe you should start a separatediscussion for that question, to attract the attention of more expert users.

You can also ask in the Authentication forum, where not all people will be developers, but might be well informed with standard uses of Moodle and what is possible to do with the existing code.

Do you confirm that the basic problem is that you don't want to save any user data in the database if the user doesn't accept the policy?

Moodle is more concerned with not letting the user do things before the policy is accepted, and that is implemented with the current policy functionality (Settings->Security->Site Policies), as you know.

 
Average of ratings: -
Picture of Jan Eberhardt
Re: Policy isn't required for user creation. Is that ok with you?
 

Yepp, I confirm that I only want to store data, if the user has accepted the privacy terms. We aren't allowed to store and use data, if the user hasn't allowed us to do so.

 
Average of ratings: -
Picture of Björn Fisseler
Re: Policy isn't required for user creation. Is that ok with you?
 

Hi,

is there anything new on this issue? I've got a similar problem:

  • existing users login via LDAP
  • Moodle for research using LDAP for authentification, but the LDAP plugin does not care whether the user accepts the ToS or not

I also tried the setting "authpreventaccountcreation", but this does not work, because the user is then unknown. It seems to break the LDAP authentification.

The workflow I want to setup looks like this:

  • user wants to log in for the first time
  • user has to accept the ToS
  • account is created based on the LDAP information

Any hints on how to implement this?

 
Average of ratings: -
Picture of Pram Bains
Re: Policy isn't required for user creation. Is that ok with you?
 

We have the same privacy laws with our Universities in Canada. However, policy acceptance is usually done at the student registration office during tuition payment; a completely seperate entity that is not integrated into Moodle sites.

 
Average of ratings: -