Change a student's permission to allow user update in one instance

Re: Change a student's permission to allow user update in one instance

by Brad Ayers -
Thanks for your reply, Dave. I really appreciate your feedback. As you suggested, the bit of code I was using is from admin/user.php. My main concern was to avoid any risk that may arise from writing my own script. But the more I researched the more I realized that, as you said, changing user permission is not a simple matter and could be very dangerous.

So, I ended up writing my own script in the plugin that just does the suspend outside of changing any permissions. As a security precaution, it does verify login and sesskey before performing the suspend on the currently logged in user.

The only thing that I did differently from your recommendation is that the question-and-answer script is separate from the suspend script. So, the modal does an AJAX call to the question-and-answer script; then, if the user fails to answer the question, the page is redirected to the suspend script (the only parameter passed, via GET, is the SESSKEY), where the logged-in user is suspended, logged out and redirected to the login URL.

If there is any other validation you recommend should be done in addition to the require_login() and confirm_sesskey(), I would be grateful for your feedback so that the custom script can be as secure as possible. Lastly, this is my first Moodle plugin and I am installing it in the local directory. It occurred to me that the availability directory may be appropriate as well. Thoughts? Thank you again.
In reply to Brad Ayers

Re: Change a student's permission to allow user update in one instance

by Davo Smith -
Brad - it comes down to a matter of trust - do you trust the user's browser (potentially under the full control of the user) to make the decision about whether or not they should be suspended, or do you trust your server-side code to interpret the response sent back by the browser and make that decision?

require_login() + require_sesskey() (wraps around confirm_sesskey(), but automatically throws an exception and stops the execution if the sesskey doesn't match) should be sufficient to confirm the user identity and their intention. Normally, if possible, you would want to POST to a URL that makes changes to the DB, rather than using a redirect. However, that may be tricky to do in this case.

The "availability" directory is for plugins that directly interact with the APIs for controlling the availability of individual activities or course sections to the user (e.g. "must complete activity X first", "date must be after 1st April", etc.) - that doesn't sound at all like what you're doing here, so a local plugin is probably the correct place.
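To make the "trust the server, not the browser" point concrete, here is an added example of how the suspend script could be written so that the server evaluates the answer and decides on the suspension itself. It is not code from either poster or from Moodle core; the file name `local/localplugin/suspend.php`, the plugin name, the user-preference key `local_localplugin_answer` used to hold the expected answer, and the POST field names `sesskey` and `answer` are all assumptions made for the example. The Moodle API calls used (`require_login`, `require_sesskey`, `data_submitted`, `required_param`, `get_user_preferences`, `user_update_user`, `\core\session\manager::kill_user_sessions`, `require_logout`, `redirect`, `get_login_url`) are real core functions.

```php
<?php
// local/localplugin/suspend.php  (hypothetical plugin and file name)
// Added example for this thread, not code from the original posts or from Moodle core.
// Assumptions: the modal submits a POST form with the fields 'sesskey' and 'answer',
// and the expected answer was stored earlier as the user preference
// 'local_localplugin_answer' (an assumed preference key).

require_once(__DIR__ . '/../../config.php');
require_once($CFG->dirroot . '/user/lib.php');   // user_update_user()

// 1. Identity: refuse anonymous and guest access before doing anything else.
require_login(null, false);          // false: do not silently auto-login guests
if (isguestuser()) {
    throw new \moodle_exception('noguest', 'error');
}

// 2. Intent: require_sesskey() wraps confirm_sesskey() and throws if the
//    sesskey is missing or does not match the current session.
require_sesskey();

// 3. Method: only a POST may change state. With a GET, the sesskey would also
//    end up in the URL, i.e. in server logs, browser history and Referer headers.
if (!data_submitted()) {
    throw new \moodle_exception('nopermissions', 'error', '', 'suspend via GET');
}

// 4. Decision: the browser only reports the answer; whether it is correct is
//    decided here, against the value the server stored, in constant time.
$answer   = required_param('answer', PARAM_TEXT);
$expected = get_user_preferences('local_localplugin_answer', null, $USER->id);
$correct  = ($expected !== null) && hash_equals((string) $expected, (string) $answer);

if ($correct) {
    // Nothing is written to the database on a correct answer.
    redirect(new moodle_url('/my/'));
}

// 5. Guard: never suspend a site administrator (admin/user.php has the same guard).
if (is_siteadmin($USER->id)) {
    throw new \moodle_exception('nopermissions', 'error', '', 'suspend a site administrator');
}

// 6. Suspend the *current* user via the User API so the user_updated event,
//    caches and log entries are handled the same way as in admin/user.php.
$user = $DB->get_record('user',
    ['id' => $USER->id, 'mnethostid' => $CFG->mnet_localhost_id], '*', MUST_EXIST);
if (!$user->suspended) {
    $user->suspended = 1;
    user_update_user($user, false);  // false: the password is not being changed
}

// 7. Terminate every session of this account (other browsers/devices too),
//    then end the current one and send the user to the login page.
\core\session\manager::kill_user_sessions($user->id);
require_logout();
redirect(get_login_url());
```

Because the script runs inside Moodle's `config.php` bootstrap, every check above is enforced by core before the first database write, and a crafted link such as `suspend.php?sesskey=...` is rejected at step 3. If the modal submits a plain HTML form (with `sesskey` as a hidden field), the browser follows the final `redirect()` on its own; with `fetch()`/XMLHttpRequest the response is returned to the script instead, so the client-side code would have to navigate to the login page itself. `hash_equals` does an exact, case-sensitive comparison; any normalisation of the answer (trimming, lower-casing) belongs on the server side as well, before the comparison.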
In reply to Davo Smith

Re: Change a student's permission to allow user update in one instance

by Brad Ayers -
Thanks for your feedback on this, Davo. Your follow-up is appreciated more than you know. I'll leave the plugin in the local directory and see if I can switch to an AJAX POST rather than the redirect.

It's been a few years since I've done anything on git, but I may push this on there in case it is of any interest to anyone.