Hello, everybody.
I just found this thread because we had a security issue and I was looking in the forums for solutions and comments.
Here is the issue:
- I am the responsible SysAdmin for setting up, running, upgrading, etc. Moodle on a Linux server
- I have roughly 10 Moodle-Admins who take care of the teachers and students of their own university. So we have sort of a First and Second Level support
- In Version 1.7.1+ we found the new roles concept, which helped us decide for only ONE running instance of Moodle. The idea was to assign ONE Moodle-Admin per University/Category and have them assume their responsibilities
- Unfortunately this does not work correctly for us and I do not know whether it is a bug in this Moodle version: every Admin and Teacher figuring at the level of a category/university was automatically added as such (or rather as Student, I do not remember exactly) in EVERY course restored from our previous 1.5x Moodle server course backups. This was extremly boring because I had to remove all the admins and teachers from every course restored from a previous course backup. Unfortunately we realised this strange behaviour only after having imported quite a big number of courses, as we started with a fresh and clean 1.7.1+ version instead of upgrading the old 1.5x version. So I decided to delete the 10 Admin accounts to make them disappear from every restored course at once and created them again AT THE TOP LEVEL of the site. Fortunately after that, later course backups were restored correctly. Maybe this is by design because a restored course appears at the top level category before it is moved in the category it belongs to, inheriting Admins and Teachers from all categories.
- Anyway, delegating Admin and Teacher Roles to category/university level was not possible. So the workaround was: all the Moodle-Admins are actually Admins at top level. And we assign Teacher Roles not at category/university level, but only for each single course.
- Now a few days ago one of the Top Level Admins uploaded a students list with two students (using my template with: username,password,firstname,lastname,email,course1). Nothing critical. But unfortunately both figured in the course AS TEACHERs! Please do not ask me HOW this was possible. I am in business since 18 years with server and user support and I stopped asking such questions. Of course it is not certain whether the upload of the list failed this way or whether the uploading Admin clicked something he/she should have not. And if so TWICE the same mistake? I really do not know.
And now the questions, even if the whole thing was only a fata morgana:
- Having a grid of 1024 Roles and capabilities/access rights multiplied by 1024 courses/categories/students/etc. nested in 1024 levels deep is for certain the horror of every admin concerned by security. Even delegating to different category-Admins and down to each single teacher will not help much in tracking access rights over a longer period of time. So I must agree with Steve who asked, whether we were not happy with the legacy roles. Consider that linux hast three groups (owner, group, others) and three access rights (read, write, execute) which seems to be a minimal but manageable set of rights.
- Now that Roles and Capabilities are there, everybody can use or ignore them at its own discretion.
- When importing/restoring course backups YOU IMPORT ROLES too. Is this really good practice? Importing and creating users is a tipical ADMINs job, isn't it? But teachers should be able to restore their own courses too. So there is a first security problem to solve. And if the imported users get a STUDENTS role, we are still on the safe border. But how about importing/restoring TEACHERs? From a security perspective I would say again that assignment of TEACHER role is an ADMINs job. If a TEACHER assigns a TEACHER role to one of his collegues, it's no problem. But if this happens through a restore, without the TEACHER being aware of it, this could be a security risk.
In conclusion security in Moodle should be as Steve wrote "no roles, no mess, no confusion, no chance of students getting into things they shouldn't"
Rosario
Edit: I just found a Tracker issue, which maybe addressed the strange behaviour we experienced when restoring courses. But they speak only of CourseCreator role whilst I had assigned Admin roles at Category Level. The Admins like the CourseCreators appeared as enrolled in every course. (see uploaded gif)
