Students able to cheat.

by R Ullrich -
Number of replies: 6
Can someone else confirm? If a student is enrolled in a course and they view an assignment that they have submitted, by changing the student number in the URL they can view other students' files? evil
In reply to R Ullrich

Re: Students able to cheat.

by Gustav W Delius -

Yes, provided they know the filenames of other students' submissions. This is generally true of all files uploaded to Moodle, not only in the assignment module. Anyone who can guess the filename of an uploaded file can access it. This long-standing problem will go away when Moodle 2.0 uses a proper DMS.
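
The access pattern described in this reply, next to a handler that checks ownership on every request, as an added Python example that is not part of the thread and is not Moodle code. The path layout, the `ENROLMENTS` table and all function names are assumptions for illustration.

```python
from pathlib import PurePosixPath

# Constructed sample data: (user id, course id) -> role in that course.
ENROLMENTS = {
    (101, 7): "student",
    (102, 7): "student",
    (200, 7): "teacher",
}


class AccessDenied(Exception):
    pass


def parse_submission_path(relpath):
    """Split '<course>/assignment/<assignment>/<owner>/<filename>' (assumed layout)."""
    parts = PurePosixPath(relpath).parts
    if len(parts) != 5 or parts[1] != "assignment" or ".." in parts:
        raise AccessDenied("malformed path")
    try:
        course, assignment, owner = int(parts[0]), int(parts[2]), int(parts[3])
    except ValueError:
        raise AccessDenied("malformed path")
    return course, assignment, owner, parts[4]


def serve_unchecked(requester_id, relpath):
    """Pattern from the thread: a well-formed path is enough, the requester is ignored."""
    parse_submission_path(relpath)
    return relpath


def serve_checked(requester_id, relpath):
    """Authorize against the owner id taken from the path, not just the path's validity."""
    course, _assignment, owner, _name = parse_submission_path(relpath)
    role = ENROLMENTS.get((requester_id, course))
    if role is None:
        raise AccessDenied("not enrolled in this course")
    if role != "teacher" and requester_id != owner:
        raise AccessDenied("not the owner of this submission")
    return relpath
```

The point of the comparison is that the decision depends on who is asking, so knowing or guessing a path no longer grants access.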

In reply to Gustav W Delius

Re: Students able to cheat.

by Ger Tielemans -
The same flaw is in the teachers forum: if you link a remark in the teacher-forum to a studentview, they can use that link to visit any page in the teacher forum, there is no access right check in the teacher forum.
In reply to Ger Tielemans

Re: Students able to cheat.

by Martin Dougiamas -
This is not true - there are checks for this and have been for a very long time.

If you feel you can duplicate this please file a bug in the bug tracker with detailed information.
In reply to Martin Dougiamas

re: security flaw in teacher forum

by Ger Tielemans -
Our school server prints that it is version: 1.2 development (2003111400)

I checked it myself again...
- I create a forum
- I attach a file to a message
- I link that file as a resource

...OOPS, yes you are right, it says that I must be a teacher, so that is OK.

But..
- If I create a thread with several messages
- And I link the header of the thread to a section
- THEN the student has access to that complete thread: If a teacher has somewhere in that thread a forgotten remark, or forgets this link and starts to use this thread like the other threads, or another teacher with access rights who does not know/see this link (or an insecure warning) in the forum.. sad

Or:
If a creative teacher wants to show the student answer 12 in the thread, then you can link to the button on the next card with show previous answer, same effect, no check

So is this a bug? No. Is this a security flaw? Yes. (Teacher should always realise, but he is a human... or not have the chance to do this? to protect this human?)

In reply to Ger Tielemans

Where's the 'flaw' in the teacher forum?

by Martin Dougiamas -
I still don't understand what you are talking about, sorry, Ger.

My link in the parent to your post is to the "header of a thread" (by which I assume you mean the "first post in a discussion") and you don't have access to that.

Can you post an actual URL that allows students access to the teacher forum?

And why are you still using 1.2 dev!!? surprise
In reply to Martin Dougiamas

Re: Where's the 'flaw' in the teacher forum?

by Ger Tielemans -

Let's start at the end: why am I still using this version?

  1. everything works smile
  2. We have 1237 users on it
  3. We have 146 running and try-out courses on it
  4. We made lots of small patches, for example
    1. to integrate the gradebook with columns
    2. to make the Excel sheet download work for grades (and gradebook)
    3. to make the short answer field longer (user request)
    4. to allow Novell UN/PWs to work
    5. to connect LDAP
    6. to allow the admin user to surpass the LDAP for special users
    7. to change several fields from input to echo (not overrule email from LDAP, let users use forward email instead..)
    8. to hide the header of a hidden section for users (user request)
    9. to jump from the bold current day to the section of current week in our calendar
    10. etc..

Bill Gates offers several versions of his product windows. Bill offers you to check your system and advises you which patches to install. But YOU (= I ) choose..

OK, a small version of this would be:

  • The technical hats of Moodle make a long list of approved patches for each release and situation
  • For a new release this list is updated: some patches are no longer necessary
  • Until this day I have the choice to use only the limited core set of Moodle or do a lot of hand-tuning myself. (And with version 2.0 in the near future, the support for 1.3 will slow down?)

By the way, Bill extended the promised expiration date of Windows 98 again...so..1.4?

OK, I tested the situation in beta 1.3 (other server). Yes, there it is gone, nice, thanks..

(I cannot give you there a handmade account, because I did not yet implement the patch to surpass the LDAP.)

Average of ratings: Useful (1)