Need to restrict entire resource directory

by Tom Welsh -
Number of replies: 4
I've been looking for ways to restrict access to an *entire* subdirectory so that all files are only viewable by students logged in to a specific course. I've already tried:

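<?php
// Load Moodle's configuration and core library
require_once('../config.php');
require_once('../lib/moodlelib.php');

// $courseid must already hold the id of the course whose members may view this page
if (!isstudent($courseid) && !isteacher($courseid)) {
    die("Only members of course $courseid can access this!");
}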

(Thanks to Dan Stowell for this code)


But this is not an efficient method of protecting all PHP files at once, and it does not work for images, SWFs, PDFs etc. Can anyone provide help, or direct me to a posting that describes an effective solution for this? My client is concerned about the proprietary nature of the resource content. Thanks.
In reply to Tom Welsh

Re: Need to restrict entire resource directory

by Dan Stowell -
The resources themselves (SWFs, PDFs) should NOT be in the "resource" directory. They should be uploaded in the normal Moodle way - Moodle will then store them in a protected directory.

I'm not sure if you've completely understood Moodle's security model. Moodle's scripts should be in the web-accessible "moodle" folder, but all of the content should never be there - instead it is in either (a) the database, or (b) the non-web-accessible "moodledata" directory. Moodle protects both of those "locations", making sure that only authorised people can access the content.

A good way to see how this works is to use Moodle's interface to upload a single file into a course. Using the web interface, go into the course and choose "Files" from the course admin menu. Then choose "Upload a file" and use the form to upload a file into the course. It's now available for use in your course. Now when you look "behind the scenes" at the moodledata folder, you'll see it's been stored in there in a specific folder designated for that course.
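
The model described in this reply (content kept outside the web root and handed out by a script only after a membership check) can be sketched as follows. This is an added example, not part of the original posts and not Moodle's own code; the function names, the `<dataroot>/<courseid>` layout and the `$is_member` callback (standing in for the `isstudent()`/`isteacher()` test quoted earlier in the thread) are assumptions.

```php
<?php
// Added illustration only; all names below are hypothetical, not Moodle APIs.

/**
 * Resolve $relpath inside <dataroot>/<courseid>. Returns null if the result
 * escapes that directory ("../", symlinks) or is not a regular file.
 */
function resolve_course_file(string $dataroot, int $courseid, string $relpath): ?string
{
    $base = realpath($dataroot . '/' . $courseid);
    if ($base === false) {
        return null;
    }
    $full = realpath($base . '/' . $relpath);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Compare with a trailing separator so ".../1" does not also match ".../10".
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

/**
 * Send the file only to course members. $is_member is an assumed callback
 * taking the course id and returning bool. Returns the HTTP status used.
 */
function serve_course_file(string $dataroot, int $courseid, string $relpath, callable $is_member): int
{
    // Authorise first, so non-members cannot probe which files exist.
    if (!$is_member($courseid)) {
        http_response_code(403);
        return 403;
    }
    $file = resolve_course_file($dataroot, $courseid, $relpath);
    if ($file === null) {
        http_response_code(404);
        return 404;
    }
    // mime_content_type() needs PHP's fileinfo extension.
    header('Content-Type: ' . (mime_content_type($file) ?: 'application/octet-stream'));
    header('Content-Length: ' . filesize($file));
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store'); // keep protected files out of shared caches
    readfile($file);
    return 200;
}
```

Because every request passes through the script, the same check covers images, SWFs and PDFs, which a per-page `die()` in each PHP file cannot do.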
In reply to Dan Stowell

Re: Need to restrict entire resource directory

by Tom Welsh -
Thanks for the clarification. I initially did use the course file area you mention. But the reason why I ended up putting my resource directory in a moodle subfolder is because I could not get my PHP files (part of my resources) to successfully make calls to MySQL from outside of the public_html folder.

Perhaps I need to investigate why my PHP files don't seem to work from outside public_html. If you have any insight into this, I'd appreciate it. But thanks for the input so far.
In reply to Tom Welsh

Re: Need to restrict entire resource directory

by Dan Stowell -
I'm getting a bit confused. "Resources" in the Moodle sense are things like HTML pages, PDFs, Flash files, uploaded into a course. They never include PHP code. If you want to add PHP code to Moodle, you typically do this by writing a plugin, such as a new activity type or new resource type.

Do you know which of the two you're creating? Are you adding resources or extending Moodle's functionality? Or some unholy mixture of the two? ;)

By the way, you can restrict access to a directory by creating a file called ".htaccess" containing the text "Deny from all". But beware - if you do this for the "resource" directory then Moodle will BREAK, because users do need to access the PHP files contained within.

In reply to Dan Stowell

Re: Need to restrict entire resource directory

by corcoran _ -

Mmmmm... I've tried this both ways with the same result. Uploading a couple of files to provide them as a resource -- I can access them directly after I've closed the browser.

Then I followed the above and used the 'files' section of the course to upload the same files -- same result -- can still access them directly after logging off.

Checked 'guest access' is off. What's goin' on?!?