Scheduler overview allows view of grades between unrelated courses

by Erica Bithell -
Number of replies: 4

My institution has a widespread requirement for a good slot booking plugin in Moodle, and I have been evaluating Scheduler as a potential solution. 

I have set up the following scenario, and the results raise concerns for us about leakage of students' grades between courses:

  • Create Course A with users Student A and Teacher A.
  • Create Scheduler A in Course A and enable grading.
  • Teacher A books a slot with Student A, marks the student as seen and gives the student a grade.
  • Also create Course B, but with users Student A, Teacher A and Teacher B.
  • Create Scheduler B in Course B.
  • Log in as Teacher B (who is not enrolled in Course A).
  • Go to the Scheduler Overview tab and filter the view by Teacher A.
  • Teacher B is now able to see the grade given to the student by Teacher A, in a course that Teacher B is not enrolled on and cannot enter.

I would be interested in knowing whether others who are using Scheduler view this as a feature or a bug. Are there any workarounds to prevent this happening? I know that we can downgrade the Teacher role capabilities to those of a Non-editing Teacher, but this leaves Teachers unable to book slots for other Teachers.

Any comments or suggestions would be very welcome.

In reply to Erica Bithell

Re: Scheduler overview allows view of grades between unrelated courses

by Henning Bostelmann -
Dear Erica

Yes, that's right: the "Overview" tab allows teachers to see data from other courses. That might seem a little unintuitive, since Moodle's "coursemodule instances" are normally completely isolated from each other, and access rights are maintained on the level of individual "coursemodules" (e.g., Schedulers).

However, to my understanding it's a feature, and one that has been in Scheduler for a very long time (back to Moodle 1.9, before I took over the maintenance of Scheduler). I haven't changed it since.

I'm actually not so sure how useful the "Overview" feature, looking across all schedulers and courses, actually is. As far as I'm concerned (or our institution), we could just restrict the data to the current scheduler or course.

However, since the feature has been around for so long (10 years, I guess?) it might always be that somewhere out there, someone relies on it.

So, if there's anyone around who needs the Overview tab to display data from other courses, please speak up! (i.e., reply to this message)

If the feature is still needed, one possibility would be to introduce finer-grained access control at that point.

Best wishes
Henning
In reply to Henning Bostelmann

Re: Scheduler overview allows view of grades between unrelated courses

by Erica Bithell -

Dear Henning,

Thank you for the explanation. I agree that there might be circumstances in which this feature could be useful, but for us it is something unexpected that users need to be aware of (and, as you say, is somewhat unintuitive by comparison with core Moodle behaviour). Some finer-grained control at that point would certainly be welcome (especially where display of grades is concerned).

We are also getting an error (cannot find record in database) from the links on the Overview tab in the Scheduler column and the With Whom column (anything that contains a=[cmid] in the query string) - which is another reason why we have disabled the tab:

Debug info: SELECT cm.*, m.name, md.name AS modname 
FROM {course_modules} cm
JOIN {modules} md ON md.id = cm.module
JOIN {scheduler} m ON m.id = cm.instance
WHERE cm.id = :cmid AND md.name = :modulename
[array (
'cmid' => '14',
'modulename' => 'scheduler',
)]
Error code: invalidrecordunknown
Stack trace:
line 1479 of /lib/dml/moodle_database.php: dml_missing_record_exception thrown
line 1352 of /lib/datalib.php: call to moodle_database->get_record_sql()
line 31 of /mod/scheduler/view.php: call to get_coursemodule_from_id()

Is this something that you are already aware of? I couldn't find anything on the Scheduler tracker.

Many thanks for your help,

Erica

In reply to Erica Bithell

Re: Scheduler overview allows view of grades between unrelated courses

by Henning Bostelmann -

Dear Erica

I have now added a proposed solution for the permissions problem to the tracker: CONTRIB-5750. Please feel free to comment.

I wasn't aware of the problem with links in the overview tab, but have added it as a reminder to myself in CONTRIB-5751.

I will get to these in due course.

In reply to Henning Bostelmann

Re: Scheduler overview allows view of grades between unrelated courses

by Erica Bithell -

Dear Henning,

Thanks very much for this - the solution to the permissions concern that you've outlined on the tracker looks good for us (and would add extra flexibility as well). And thank you also for fixing the overview links issue so speedily!
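
The scenario from the first post and the per-course check discussed in the replies, modelled as an added example (not code from Scheduler or from this thread). The grade value, the function names and the `can_view_grades` rule are constructed assumptions; the model compares an overview filtered only by teacher with one that checks the viewer's role in the course each row comes from.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Optional

# Constructed data mirroring the scenario in the first post.
TEACHERS = {  # course -> users holding a teacher role there
    "Course A": {"Teacher A"},
    "Course B": {"Teacher A", "Teacher B"},
}

@dataclass(frozen=True)
class Appointment:
    course: str
    scheduler: str
    teacher: str
    student: str
    grade: Optional[int]  # None = not graded, or hidden from this viewer

APPOINTMENTS = [
    Appointment("Course A", "Scheduler A", "Teacher A", "Student A", 85),
    Appointment("Course B", "Scheduler B", "Teacher A", "Student A", None),
]

def can_view_grades(viewer: str, course: str) -> bool:
    """Hypothetical per-course rule: the viewer holds a teacher role there."""
    return viewer in TEACHERS.get(course, set())

def overview_unscoped(viewer: str, teacher: str) -> list[Appointment]:
    """Behaviour reported in the thread: rows are selected by teacher only."""
    return [a for a in APPOINTMENTS if a.teacher == teacher]

def overview_scoped(viewer: str, teacher: str, redact: bool = False) -> list[Appointment]:
    """Check the viewer's access in the course each row belongs to.

    redact=False drops rows from courses the viewer cannot access;
    redact=True keeps the booking visible but blanks the grade.
    """
    rows = []
    for a in overview_unscoped(viewer, teacher):
        if can_view_grades(viewer, a.course):
            rows.append(a)
        elif redact:
            rows.append(replace(a, grade=None))
    return rows

def leaked_grades(rows: list[Appointment], viewer: str) -> list[Appointment]:
    """Rows exposing a grade from a course where the viewer has no teacher role."""
    return [a for a in rows if a.grade is not None and not can_view_grades(viewer, a.course)]
```

`leaked_grades` doubles as a regression check: run against any overview result for a given viewer, it should always come back empty.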