I am using Moodle 1.9.7 for my School. I have course areas, which students pay for and are enrolled in, and open free courses which allow guest access for small sample courses.
Today, I discovered a problem with file permissions and security that's a big problem for me. I have texts and articles which paying/enrolled students can download from the main lesson page, which I added using the "add a resource" link, which uploads the file and creates a link to it for students to download.
Now, those files have path names that Moodle uses, like "school/mod/resource/view.php?id=123" or such, and they also of course have real names once you click to download them, like: "school/file.php/123/textname.pdf"
In Firefox, when I am not logged in, or logged in as a guest, if I paste that second real file name into the browser bar, I get a warning "Sorry, this course does not allow guest access". Good!
BUT: if I paste that file link address into Safari, it shows the text, even if I am logged in as a guest, whether I am enrolled in that class or not, etc. So, anyone who gets that address, maybe from a friend in a paid class, can get the course files for free. Big problem!
For now, I have hidden the guest login button, and so if I am not logged in at all, and I try to access the file, I just go through the loop asking me to log in, and don't get anywhere. But, this is not a permanent solution, I do need to have guest access AND control what they can see properly.
Any suggestions would be so appreciated!