Add Course - Shows system password in course field!

Add Course - Shows system password in course field!

by Jean Jones -
Number of replies: 2

We've just installed Moodle 2.6.3+ (Build: 20140522) and whenever a course is added, we've run into this major issue involving login names and passwords.

  1. Click on Add Course.

The Edit course settings page displays the user's login name in the Course ID number field. Since we don't use numbers, I can see a lot of people overlooking this field.

Add Course


But even worse....

2. Complete the fields and continue to scroll down the page. When you get to the Guest access area, there's a password. When you unmask it, it's the personal system password of the user who logged in to add the course!

Guest Access Area

In our training environment--and I'm sure other environments are like this as well--multiple users have 'developer' access to a specific course:

    • A small group of instructional designers will have developer access to all courses.
    • And for internal training, multiple users will have developer access to courses within specific categories assigned to their organization.

Is there a FIX for this? Employees' personal systems passwords which get them into the company intranet should be very secure. With human nature being what it is, people will forget occasionally to go down to this field and remove their personal password.  

I think this is a SERIOUS bug.

Our production system is at 2.4.1. We want to move to 2.6.3. (Also, we can't go above 2.6.3 right now because we're limited by the PHP version on our servers. IT does not want to upgrade for just one app.) 

We never use Guest Access anyway. If there isn't a fix, is there a way to prevent Guest Access from even displaying on the Add Course page?


Average of ratings: -
In reply to Jean Jones

Re: Add Course - Shows system password in course field!

by Gareth J Barnard -
Picture of Core developers Picture of Particularly helpful Moodlers Picture of Plugin developers

Hi Jean,

I'm using Moodle 2.6.3+ (Build: 20140613) and could not replicate:

Course settings

How did you install?  Was some old code left about if you upgraded a test system?  Could you try one of the standalone packages and see if it happens there for you, from the top of: http://download.moodle.org/

Cheers,

Gareth 

Average of ratings: -
In reply to Gareth J Barnard

Re: Add Course - Shows system password in course field!

by Jean Jones -

Thanks, Gareth. Actually when you mentioned 'old code' it reminded me of how some browsers use 'auto fill'--and when we just went back through here, that's where we found the problem. smile

I found that if you're using a browser like Chrome and you have auto-fil turned on, you can end up with the issue that I indicated above. Since we have quite a few people with the Developer Role and we never use the 'Guest Access' function, and I didn't want to worry about a variety of browser setups, I just turned OFF the 'Assign Roles' permission for the Developer Role. 

(We had initially had the Assign Role function assigned to the Developer role because for a long time, the much earlier Moodle releases we were using did not have an Enrollment function and 'Assign' was the only way we could add people to classes.) 

So now, with Assign Roles turned OFF, when Developers log in and add a course, the fields in the Guest access area no longer appear. This works for us. smile

Assign Role off




Average of ratings: -