Inactive Students in child courses enrolled as Managers via Course Meta Link

Inactive Students in child courses enrolled as Managers via Course Meta Link

by heli g -
Number of replies: 5
Inactive Students in child courses have been enrolled as Managers via Course Meta Link.

I changed the sync setting so Managers are no longer synced - which means that these deregistered students can no longer access (and edit!) the parent course (they appear as Inactive Managers in the Enrolled Users table) - but I remain very concerned about how this could have happened.
Any ideas?

Moodle  2.6.11
Average of ratings: -
In reply to heli g

Re: Inactive Students in child courses enrolled as Managers via Course Meta Link

by James Hamilton -

Hello Heli, 

I have noticed that this is happening too. 

Here's the low down:

  1. User has 'student' role in child course, but enrolment is expired by date parameters. Other users have 'student' role in child course and their enrolment is active.
  2. Add meta-course enrolment to the parent course, choose the child course to link.
  3. Users with 'student' role and are active in the child course are enrolled as 'students' in the parent course, but users with expired enrolment and the 'student' role in the child course are enrolled as 'managers' in the parent course and their enrolment is 'disabled'.

This means that students can still access the parent course, but with elevated permissions allowing them to edit the course etc. 

Did you find a solution, or can a fellow forum member contribute? We're currently on M2.8.

Average of ratings: -
In reply to James Hamilton

Re: Inactive Students in child courses enrolled as Managers via Course Meta Link

by Séverin Terrier -
Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Testers Picture of Translators
Hi,

I think the security issue MDL-50744 could explain some things. Perhaps you already received this information if you've registered your site.

Séverin
Average of ratings: -
In reply to Séverin Terrier

Re: Inactive Students in child courses enrolled as Managers via Course Meta Link

by heli g -

Hi Séverin,

Thanks for this, but I am afraid I can acces the issue. If this is a known bug that would be a relief - as I having failed to find more information my mind was wondering into corrupt database territory...


Average of ratings: -
In reply to heli g

Re: Inactive Students in child courses enrolled as Managers via Course Meta Link

by Séverin Terrier -
Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Testers Picture of Translators
Sorry my message was not clear enough.

Being a security issue, and even if resolved, it's not visible yet, time to let administrators update there Moodle instances. It should be accessible in a week.

But, as i said previously, if you registered your site, you should have received details by email...

Séverin
Average of ratings: -
In reply to James Hamilton

Re: Inactive Students in child courses enrolled as Managers via Course Meta Link

by heli g -

Hi James,

Sorry I missed this before. I did something which was more panicked damage control than a solution:

I duplicated the Manager role and assigned those who should be Managers to the role - then removed all capabilities from the Manager role.

Do you or anyone else have a better solution? To my mind this is a very serious security issue.

Heli

Average of ratings: -