Oh dear - forum security issue??

by Gavin Stokes -
Number of replies: 9
Hi all,
I have just noticed that students may view the forum posts of teachers, even posts that a teacher has made to courses and forums that the student does not have access to simply by clicking the Forum posts tab in the teacher's profile page.
Have I missed some setting somewhere to keep teachers' (and admins'!) posts private, or is this a security hole with potentially embarrassing consequences?
Any help greatly appreciated!
Gav
In reply to Gavin Stokes

Re: Oh dear - forum security issue??

by Martin Dougiamas -
This sort of thing was fixed some time ago ... you may be using an old version of Moodle or perhaps you've found a new bug.

If the latter, please file it in the Moodle Tracker with details.
In reply to Martin Dougiamas

Re: Oh dear - forum security issue??

by Gavin Stokes -
We're using version 1.7. I'll try to add this to the tracker today. Cheers!
In reply to Gavin Stokes

Re: Oh dear - forum security issue??

by Jerome Decuq -
That's a HUGE problem: my students found out that if you clicked on the name of someone in a forum post on the front page, you could then access all his posts in all the site's forums, regardless of whether you were registered or not in the courses. And for two days they've read messages they were REALLY not supposed to read, till I found out. I had to delete completely (after a backup) the "teachers only" courses because it was such an emergency I didn't know what else to do. I'm running 1.7.1+.
I had a look in the bug tracker but couldn't find anything? Gavin, did you report it, or shall I do it?
In reply to Jerome Decuq

Re: Oh dear - forum security issue??

by Gavin Stokes -
Reported 4 Feb here:
http://tracker.moodle.org/browse/MDL-8420

Looks like Vy-Shane Sin Fat has it sorted.

I'll try updating ours and report back.

Cheers!


In reply to Gavin Stokes

Re: Oh dear - forum security issue??

by Jerome Decuq -
AFAIK, I've updated accesslib, and I still have the same problem when a user accesses another user's data through a forum post made at site level (they can read all the posts from all courses).
At course level, it seems to be OK.
Thanks for letting me know how it's working for you, Gavin.
In reply to Jerome Decuq

Re: Oh dear - forum security issue??

by Vy-Shane Sin Fat -
For the courses where you don't want guests to be able to read forum posts, ensure that the default guest role has the capability mod/forum:viewdiscussions set to "prevent".
In reply to Gavin Stokes

Re: Oh dear - forum security issue??

by luca marcovati -
Gavin writes:
"noticed that students may view the forum posts of teachers, even posts that a teacher has made to courses and forums that the student does not have access to simply by clicking the Forum posts tab in the teacher's profile page."

Hi Gavin, we have the same problem. We downloaded 1.7 last Saturday.
Wow, that's a big deal.


Luca