Hi,
I'm installing moodle for the first time, and just now I found that my admin/index.php page is wide open.
Anyone can get in there without login, and can even do "Upgrade moodle database", which can be devastating.
How to protect my admin/index.php to only admin please?
(I did the moodle installation via some docker container)
Thanks
Is the moodle actually installed?
Until it is, the site will throw any access to the code into installing.
'SoS', Ken
If installed and you didn't create any new categories or courses, it's pretty much bare but it does require login to access any /admin/ area. You have only 2 users ... admin (if left for defaults) and guest - which has no password, but shouldn't see /admin/.
You did say 'some docker image' ... was it this one:
https://github.com/moodlehq/moodle-docker
'SoS', Ken
Since it's not 'official' docker from MoodleHQ, maybe the best place to get resolution is:
https://github.com/thepurpleblob/DockerMoodle/issues
'SoS', Ken
Does this mean you have solved your issue?
AMP stack is really simple ... Apache/MySQL/PHP(perl/python) .. *if* you build it. When one takes something built by others, complications could raise their ugly heads.
Best source of support is the person who built it, but, as it says, no support.
Official Moodle docs on nginx
https://docs.moodle.org/404/en/Nginx
Here's a thread ...
https://moodle.org/mod/forum/discuss.php?d=322457
Consider this ... the docker was supposed to save you time and do the 'heavy lifting' for AMP stack. I wonder how much time it's really saved you. Kinda like Bitnami ... yes, it does allow one to easily get up and running ... without really knowing how it was built ... where everything related to AMP stack + app (moodle in this case) was installed and configured. Things are great at first ... but then something happens, Bitnami users come to moodle forums for resolutions to problems. Suggestions from forum users don't work cause most folks here a thinking in terms of 'standard' AMP stack.
Am Docker and Bitnami void ... so question ... a zero day flaw is found in something AMP. Fix is released as soon as a fix is available. Can a Docker/Bitnami upgrade just the part of AMP stack that needs fixing?
The only way one could find out is to learn to build a box from scratch using native package manager.
When one ventures from 'standard' and the further from 'standard' one ventures, the more one is on their own!
'SoS', Ken
Congrats! You've gone where no man/woman has gone before! :|
Can only encourage you to keep digging ... and when you do find the resolution, update the docs for nginx.
'SoS', Ken
Hi John, no need to panic - just add the following to your site config:
$CFG->upgradekey = 'somelongpasswordthatyouknowandwontsharewithanyone';
Upgrade key
If the upgrade key is defined here, then the value must be provided every time
the site is being upgraded though the web interface, regardless of whether the
administrator is logged in or not. This prevents anonymous access to the upgrade
screens where the real authentication and authorization mechanisms can not be
relied on.
Congrats, Emma! . So due to environment check and plugins issue, site was never installed/upgraded and that's why we kept getting sent to /admin/.
Now some suggestions ...
Do you still have the issue of a plugin you cannot un-install?
There is CLI script in admin/cli/ called uninstall_plugins.php
Run without parameters will bring up help screen from which you an choose/try the options.
Might have to manually remove the offending code folder/directory and moodle will complain, but we know why it's 'missing from disk'! Press on ... go forward anyway.
Check environment using cli checks.php
Try the upgrade via command line - in cli there is a upgrade.php ... it does do an environment check prior to attempting. If there are errors ... fix 'em! Then try again.
All the above can be done when site is in the maintenance mode - which can be turned on and off with another cli script:
php maintenance.php --enable
php maintenance.php --disable
'SoS', Ken
