Moodle 4.17 + OneDrive - Sharing externally does not work

by Jerry Lau -
Hello folks

We'd like to revisit this problem, which has been ongoing for about 2 years plus, and we cannot make it work.

Moodle 4.17 + OneDrive - Sharing externally does not work when we use the file picker. The user/student can see their OneDrive content as this is not the problem. The problem is when they try to share the file as a link.

Does Moodle use the Graph API for granular permissions?

We were told that for this to work, we would need to make it (our OneDrive/365) globally accessible by everyone. This is a major security risk.

Has anyone integrated their Moodle 4.x with MS365 OneDrive in your organization and had it work successfully? The goal is not to upload it to the Moodle server (to save resources) and to allow students to select a file from OneDrive and submit it to their Moodle assignment *without* the actual file being transferred into Moodle (saving space and preventing post-submission alterations to the original file from affecting the submission).

Other institutions have an LMS integration like this, and we’d really like to be able to offer it to our people too.

In the Moodle bug tracker, there was a mention of:

“This is an issue to do with your sharing on Azure/Sharepoint/OneDrive side. The service account you have in use connected with OAuth2 OneDrive repository needs to be able to share around your organisation's global policies set in place. See here 'Anyone' is not allowed, therefore you will get the error Jerry showed above. (your organisation is preventing you from selecting this option)”

To allow "Anyone" is a major security risk.

Thoughts?




In reply to Jerry Lau

Re: Moodle 4.17 + OneDrive - Sharing externally does not work

by Jerry Lau -
Is this not a massive security risk if we allow anyone to just share? Does this setting need to be adjusted?

[Screenshot: office global 35 setting]
In reply to Jerry Lau

Re: Moodle 4.17 + OneDrive - Sharing externally does not work

by Raymond Reid -
Morning Jerry, 

I know I replied privately to you regarding this issue, but thought I'd write here for others. We've seen it with a few of our larger customers who have their sharing locked down to a more granular level. The service account one of them is using in OAuth 2 services has a green tick and says it works; it just does not. I believe it is because it does not have the access rights to share with guests, as in share without limitations on who can see the content.

It throws the following error under debug:

Exception - notAllowed: The operation failed because sharing has been disabled on this site.

Debug info:
Error code: generalexceptionmessage

Stack trace:
line 123 of /lib/classes/oauth2/rest.php: core\oauth2\rest_exception thrown
line 748 of /repository/onedrive/lib.php: call to core\oauth2\rest->call()
line 960 of /repository/onedrive/lib.php: call to repository_onedrive->set_file_sharing_anyone_with_link_can_read()
line 1289 of /lib/filelib.php: call to repository_onedrive->reference_file_selected()
line 169 of /course/modlib.php: call to file_save_draft_area_files()
line 170 of /course/modedit.php: call to add_moduleinfo()

Whereas a smaller customer of ours who does have external sharing enabled at the tenant level in SharePoint admin centre works fine.

On my test Moodle I've allowed sharing as a Guest, but only for the service account in use, and it all seems to work until you visit the page with OneDrive content not logged in as the same user; you then cannot see the page content coming from the OneDrive of the service account. This leads me to believe that at this current moment you need to allow external sharing across all accounts before this will work with Moodle. Is this a security risk? Maybe, but only if someone shares something that they shouldn't externally with a guest.

Regards,
Ray.
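
Added example (not part of Raymond's post and not Moodle code): a small triage script for the debug output quoted above. It pulls the API error code and the failing OneDrive repository step out of the trace so the "Anyone" link failure can be told apart from other OneDrive errors. The function names and verdict labels are made up for this illustration.

```python
import re

# Debug output copied from the post above (exception line plus the first four frames).
TRACE = r"""Exception - notAllowed: The operation failed because sharing has been disabled on this site.
Stack trace:
line 123 of /lib/classes/oauth2/rest.php: core\oauth2\rest_exception thrown
line 748 of /repository/onedrive/lib.php: call to core\oauth2\rest->call()
line 960 of /repository/onedrive/lib.php: call to repository_onedrive->set_file_sharing_anyone_with_link_can_read()
line 1289 of /lib/filelib.php: call to repository_onedrive->reference_file_selected()
"""

EXC_RE = re.compile(r"^Exception - (?P<code>\w+): (?P<message>.+)$", re.M)
FRAME_RE = re.compile(
    r"^line (?P<line>\d+) of (?P<file>\S+): "
    r"(?:call to (?P<call>[\w\\]+(?:->|::)\w+)\(\)|(?P<thrown>[\w\\]+) thrown)$",
    re.M,
)

def parse_trace(text):
    """Split Moodle debug output into the API error code and its stack frames."""
    exc = EXC_RE.search(text)
    return {
        "code": exc.group("code") if exc else None,
        "message": exc.group("message") if exc else None,
        "frames": [m.groupdict() for m in FRAME_RE.finditer(text)],
    }

def diagnose(text):
    """Name the OneDrive repository step that failed and classify the cause."""
    parsed = parse_trace(text)
    # Frames are listed innermost first, so the first repository_onedrive
    # method is the step that was running when the REST call was rejected.
    steps = [f["call"].split("->", 1)[1] for f in parsed["frames"]
             if f["call"] and f["call"].startswith("repository_onedrive->")]
    step = steps[0] if steps else None
    if parsed["code"] == "notAllowed" and step and "anyone_with_link" in step:
        verdict = "anonymous-link-blocked-by-sharing-policy"
    elif step:
        verdict = "other-onedrive-api-error"
    else:
        verdict = "not-a-onedrive-repository-failure"
    return {"code": parsed["code"], "failed_step": step, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(TRACE))
```
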
In reply to Jerry Lau

Re: Moodle 4.17 + OneDrive - Sharing externally does not work

by Jerry Lau -

So I would have to enable "Anyone" sharing to a file FIRST before adding it to a file repository, right? Then I can use the access controlled link, I suspect?

Even if we allow "anyone", technically the public does not have access and still has to authenticate through our institution's authentication platform, correct? Basically, this does not mean that anyone with that link can get to it because the link created for that file is still behind our Moodle server, correct?

Thanks

[Screenshot: onedrive sharing option]

In reply to Jerry Lau

Re: Moodle 4.17 + OneDrive - Sharing externally does not work

by Jerry Lau -
[Screenshot: access controlled link error]
Is there a more detailed log about this error somewhere to see where it has failed precisely?

Exception - notAllowed: The operation failed because sharing has been disabled on this site.
File: /lib/classes/oauth2/rest.php
Line: 123
In reply to Jerry Lau

Re: Moodle 4.17 + OneDrive - Sharing externally does not work

by Raymond Reid -
Hi Jerry,

Regarding the error, no, not that I've found.

And regarding what you wrote yesterday, that is my understanding, although I think it needs to be re-thought in light of the many changes to do with sharing permissions on Azure since the plugin was created.

I'd love to hear someone else's views on this. Anyone?

This links back to the tracker here https://tracker.moodle.org/browse/MDL-76458 with my message and similar screenshots to yours from above.

Regards,
Ray.
In reply to Raymond Reid

Re: Moodle 4.17 + OneDrive - Sharing externally does not work

by Jerry Lau -
It looks like the more secure institutions are not allowing this method (access control link) as this is a security risk. Does anyone have it working with their Azure/MS platforms? So far no one I talked to have either 1. not integrated OneDrive and 2. have not looked into this... most are using D2L or some other LMS.
In reply to Jerry Lau

Re: Moodle 4.17 + OneDrive - Sharing externally does not work

by Jerry Lau -
Access controlled link: The file (behind the scenes) is copied to the Service Account OneDrive, and linked to the Assignment as a submission. This means the student cannot modify it, but the Teacher can read it.

Does the MS OneDrive service account need to be a member of a particular system role? I don't think so. I think it is just allowing "external sharing" that is the issue, correct?