secret documents can be seen


by eda karacelebi -
Number of replies: 12

Hello, my Moodle version is 1.9.9. When I search on Google, I can see my files that are located in password-protected Moodle courses. Isn't it strange? The documents belong to the school, so we want to allow only our students to see those documents. But when someone searches for them, they are visible on Google. What can I do to prevent this?

In reply to eda karacelebi

Re: secret documents can be seen

by Mary Cooch -

Are you sure the files are in the actual password-protected courses and not in the site files - directory #1? Do you have an example URL of a file?

In reply to Mary Cooch

Re: Re: secret documents can be seen

by eda karacelebi -

For instance, this:

 http://terakki.net/tmoodle/file.php?file=%2F274%2F2.hafta%2FKOLIGATIF_OEZELLIKLER_test.pdf

I wrote "terakki koligatif" on Google. If I write terakki and the file name, I can find more files. But the course page is password protected.

In reply to eda karacelebi

Re: Re: Re: secret documents can be seen

by G. M. -

Hi Eda,

Some ideas to check...

* Site open to Google

* Guest role (guest access)

* The moodledata directory (should not be accessible via the Web)

* Double check the location of the file(s) in question (could it be that there's a copy lying around)

* Check the web server access log

 

Average of ratings: Useful (1)
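For the access-log check suggested above, the following added example (not part of the original post) lists, per course, the files that search-engine crawlers fetched successfully through Moodle's `file.php`. It assumes the Apache/Nginx combined log format and that the first path segment is the course id, as in the URL quoted in this thread; the log lines and the crawler list are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# Assumed crawler list; extend it to match the bots seen in your own logs.
CRAWLER_RE = re.compile(r"googlebot|bingbot|slurp|baiduspider|yandex", re.I)

BOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Constructed sample lines (documentation IP addresses, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2014:09:12:01 +0200] "GET /tmoodle/file.php?file=%2F274%2F2.hafta%2Fnotes.pdf HTTP/1.1" 200 48213 "-" "' + BOT + '"',
    '192.0.2.10 - - [10/Mar/2014:09:12:07 +0200] "GET /tmoodle/file.php/274/3.hafta/quiz.pdf HTTP/1.1" 200 9120 "-" "' + BOT + '"',
    # Redirected instead of served: the crawler did not receive this file.
    '192.0.2.10 - - [10/Mar/2014:09:12:09 +0200] "GET /tmoodle/file.php?file=%2F301%2Fexam.pdf HTTP/1.1" 303 512 "-" "' + BOT + '"',
    # Ordinary browser: may be a logged-in student, so it is not counted.
    '203.0.113.5 - - [10/Mar/2014:09:13:40 +0200] "GET /tmoodle/file.php?file=%2F274%2F2.hafta%2Fnotes.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"',
]

def moodle_file_path(target):
    """Return the file path requested through file.php, or None."""
    parts = urlsplit(target)
    idx = parts.path.find("/file.php")
    if idx == -1:
        return None
    rest = parts.path[idx + len("/file.php"):]
    if rest.startswith("/") and len(rest) > 1:     # file.php/274/...
        return unquote(rest)
    values = parse_qs(parts.query).get("file")      # file.php?file=%2F274%2F...
    return values[0] if values else None

def crawler_exposed_files(lines):
    """Map course id -> sorted files that a crawler downloaded (HTTP 200/206)."""
    exposed = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["status"] not in ("200", "206"):
            continue
        fpath = moodle_file_path(m["target"])
        if fpath and CRAWLER_RE.search(m["agent"]):
            exposed[fpath.lstrip("/").split("/", 1)[0]].add(fpath)
    return {course: sorted(files) for course, files in exposed.items()}

if __name__ == "__main__":
    print(crawler_exposed_files(SAMPLE_LOG))
```

Any course id that appears in the result served files to a client that cannot log in, so that course is readable without authentication.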
In reply to G. M.

Re: Re: Re: Re: secret documents can be seen

by eda karacelebi -

Thank you, Guillermo.

Yes, the site is open to Google. Can we close this? Do you advise it?

There is no guest access.

Where should my Moodle data directory be?

In reply to eda karacelebi

Re: secret documents can be seen

by G. M. -

Hi Eda,

Yes, you can close it, and yes, I would definitely disable access to the Google bot.

http://docs.moodle.org/19/en/Site_policies#Open_to_Google

Actually, both the site and many courses allow guest access, as shown in the image.

http://docs.moodle.org/19/en/Guest_access#Disabling_guest_access

The Moodle data directory should be outside of what's called the DocumentRoot directory, that is, where all the web pages reside. A usual web server structure is something like this:

/home/username/public_html

As "public_html" is the DocumentRoot, one should then create the Moodle data directory outside, like so:

/home/username/moodledata

Attachment guest-access.png
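To check the directory layout described above on your own server, the following added example (not part of the original post) reads the `$CFG->dataroot` and `$CFG->dirroot` settings from the text of Moodle's config.php and reports whether the data directory sits inside the web server's DocumentRoot. The paths and config contents are constructed, and the DocumentRoot is passed in because config.php does not record it.

```python
import os
import re

# Matches active lines such as:  $CFG->dataroot = '/home/username/moodledata';
# Lines commented out with // or # do not match.
CFG_RE = re.compile(r"""^\s*\$CFG->(\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.M)

# Constructed config.php fragments.
GOOD_CONFIG = """<?php
$CFG->dirroot  = '/home/username/public_html/tmoodle';
$CFG->dataroot = '/home/username/moodledata';
"""
BAD_CONFIG = """<?php
$CFG->dirroot  = '/home/username/public_html/tmoodle';
// $CFG->dataroot = '/home/username/moodledata';
$CFG->dataroot = '/home/username/public_html/moodledata';
"""

def read_cfg(config_php_text):
    """Return {setting name: string value} for simple $CFG assignments."""
    return {name: value for name, _quote, value in CFG_RE.findall(config_php_text)}

def is_inside(child, parent):
    """True if child is parent or lies below it, after resolving '..' and symlinks."""
    child = os.path.realpath(child)
    parent = os.path.realpath(parent)
    # commonpath compares whole path components, so /public_html_old
    # is not mistaken for something inside /public_html.
    return os.path.commonpath([child, parent]) == parent

def dataroot_is_web_reachable(config_php_text, document_root):
    """True if the Moodle data directory is inside DocumentRoot or the Moodle code dir."""
    cfg = read_cfg(config_php_text)
    dataroot = cfg["dataroot"]
    return is_inside(dataroot, document_root) or is_inside(dataroot, cfg["dirroot"])

if __name__ == "__main__":
    docroot = "/home/username/public_html"
    print("good layout exposed:", dataroot_is_web_reachable(GOOD_CONFIG, docroot))
    print("bad layout exposed: ", dataroot_is_web_reachable(BAD_CONFIG, docroot))
```

A `False` result only rules out direct downloads from the data directory; files in courses that are open without login are still served through `file.php`.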
In reply to eda karacelebi

Re: secret documents can be seen

by Richard Price -

This Document is within course 274
TVO / ▶ Kimya-S11 is wide open as is everything else on that site.

Just about the entire site is currently completely open to browse without logging in apart from to see profiles etc. So if you want these files to be private, then perhaps the courses should not have guest access open. 

Average of ratings: Useful (1)
In reply to Richard Price

Re: secret documents can be seen

by Richard Oelmann -

Confirming Richard's comment above - Much of your site is open access without logging in, including the course this file is held on, and so it can be accessed by anyone.

If you want the documents held to only logged-in users, then you will have to close your course pages down so that they are not open to visitors without logging in (I didn't even have to log in as a guest to this particular course).

In reply to eda karacelebi

Re: secret documents can be seen

by Usman Asar -

Eda, you (or whoever manages your Moodle) must have kept the moodledata folder in the wwwroot/public_html directory, whereas it is recommended to keep this data folder separate (outside the www/wwwroot/public_html folder) so no one (outsiders, bots, spiders etc.) can have access to it.

You can still move the directory to the root of your host if it is still residing in the public_html folder, as the moodledata folder holds all uploaded documents, images, etc. Later you can update your config.php file to mention the location of the moodledata folder; even with guest access and Google opened, it won't be fetched by Google or any other search engine.

With that said, documents that have already been fetched by Google/search engines cannot be removed from their servers; you can try manually requesting URL removal in the Google Webmaster URL removal tool and also modify your robots.txt file (as long as it's pointing towards the HTML folder). The command that you will be typing in the robots.txt file will be

User-agent: *
Disallow: /yourdatadirectory
Disallow: /mysercretfolder

In the above code, (*) represents ALL bots, and if you are just using (/), it means all directories are affected; mentioning the name of a specific directory will only prevent bots from entering that directory. This only applies if you want to keep your data directory in the WWWROOT/PUBLIC_HTML folder.

In reply to Usman Asar

Re: secret documents can be seen

by Richard Price -

Usman Asar, whilst it is essential to ensure that moodledata is not in the server web root, what you have said will not stop the files from appearing on Google if the courses remain open to guest access and searchable by Google. A document within a course that is open to guests, on a site that is Google searchable, is available to all.

Guest access to those courses should be turned off/removed. There is no real evidence that the moodledata folder is in the wrong place. The file address looks like guest access is the way it is accessed.

In reply to Usman Asar

Re: secret documents can be seen

by G. M. -

Ten days later? I'd say that she definitely must have solved this issue.