LDAP enrollments: users unenrolled on login when courses are unavailable to students

LDAP enrollments: users unenrolled on login when courses are unavailable to students

by David Walton -
Number of replies: 7
We are using LDAP enrollments for about 2,500 courses per term, and we just started having a problem when we upgraded to Moodle 1.9b4. Specifically: any time a user is enrolled in a course via LDAP, they are unenrolled when they log in if the course is set to be unavailable to students. A few notes:

  • This happens for Course creator, Editing Teacher, and Student role assignments. I haven't investigated other roles.
  • This also effects metacourse enrollments: if a child course is invisible, students are unenrolled from it when they log in, and are hence unenrolled from the metacourse.
  • Only LDAP enrollments seem to be effected. If I manually assign a user to an invisible course as an editing teacher, for example, she'll see the course properly when she logs in. Likewise, if I run enrol_ldap_sync.php and then do an UPDATE query to set all the LDAP enrollments to manual (just as a test), all users remain properly enrolled in their courses when they log in. When I reset them back to LDAP, they are again unenrolled on login.
  • Running enrol_ldap_sync.php properly restores enrollments to all courses. It's only when users actually log in (or when an admin uses login as) that the users are unenrolled, at which point only running enrol_ldap_sync.php will restore the enrollments.

This first started happening when we upgraded to Moodle 1.9b4 (we've been running 1.9 since September 2007). It has continued since 1.9 was officially released. It was never a problem before that.

A little information about our setup: our course objects are posixGroups in eDirectory 8.7.3, with user IDs stored in the memberUid attributes. We have tested this with servers running both Red Hat ES 4 and CentOS, with PHP 4 and 5. We haven't changed anything in our LDAP directory at all.

One thing I'm not sure about is whether I might be overlooking a user permissions setting that causes this problem. I've been over the role definitions, though, and haven't seen anything obvious (anything that looked like it might be even remotely connected, I changed to "Allow," with no effect).

Has anyone else noticed this? For various reasons, we need to have our courses be unavailable to students by default, but if we do that, instructors are no longer able to access them when they login, which is frustrating and somewhat counterproductive. :-|

David Walton
Average of ratings: -
In reply to David Walton

Re: LDAP enrollments: users unenrolled on login when courses are unavailable to students

by Iñaki Arenaza -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers

The only changes in the setup_enrolments() member function of the LDAP enrolment plugin since 2007.03.29 are a bugfix from Dan Marsden (on 2008.01.22) and another bugfix I did on 2007.09.15, to fix MDL-11098, MDL-10282 and MDL-8346, which coincidentally deals with enrolments to hidden courses.

But the bugfix is really that. Functionality shouln't have changed, as the bugfix simply removes a superfluous (and buggy) additional check. Maybe that extra buggy check is what has made it work the way you wanted, but it's certainly not the way it was supposed to work.

I think you can get your desired behaviour by commenting out these lines (around line 78 in 1.9 current as of today):

} else { // the course object exists before we call... if ($course_obj->visible==0) { // non-visible courses don't show up in the enrolled // array, so we should skip them -- continue; } }

This will keep enrolments to hidden courses, and I think the capabilities for the default student role will prevent them from entering the course, but I haven't tested it at all (just have had a cursory look at the code). Teachers, Editing Teachers and Course creators (and any other role having the moodle/course:viewhiddencourses capability set) will have no problems entering the course.

Saludos. Iñaki.

Average of ratings: -
In reply to Iñaki Arenaza

Re: LDAP enrollments: users unenrolled on login when courses are unavailable to students

by David Walton -
Thanks, Iñaki. I'd been looking at precisely that section of code a couple of days ago, and commenting it out does seem to do precisely what we want. The role capabilities do prevent students from seeing the course, while allowing anyone with the viewhiddencourses ability, just as you said.

I'm going to discuss using this workaround with our hosting provider. The alternative that we've explored is to set the enrollment type to 'manual' in mdl_role_assignments for the course creators and editing teachers, and we may still go ahead with that depending on how all of this plays out.

Thanks for your help.

David
Average of ratings: -
In reply to David Walton

Re: LDAP enrollments: users unenrolled on login when courses are unavailable to students

by Iñaki Arenaza -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers

As this is clearly a bug, I've opened MDL-14097 in the bug tracker.

Saludos. Iñaki.

Average of ratings: -
In reply to Iñaki Arenaza

Re: LDAP enrollments: users unenrolled on login when courses are unavailable to students

by Eloy Lafuente (stronk7) -
Picture of Core developers Picture of Documentation writers Picture of Moodle HQ Picture of Peer reviewers Picture of Plugin developers Picture of Testers
And it has been fixed as suggested in this discussion (MDL-14097).

Thanks for feedback cool and ciao smile
Average of ratings: -
In reply to Iñaki Arenaza

Re: LDAP enrollments: users unenrolled on login when courses are unavailable to students

by David Walton -
Further information: the fix that Iñaki suggested does work in that it allows instructors (or roles with viewhiddencourses capability) to access invisible courses, and keeps students enrolled but doesn't let them see the course. There's one issue, however, which is that the student does see the greyed-out course name under "My courses" when they login. For us, at least, this is a problem, because it causes a lot of confusion ("I can see a course I'm registered for, but I can't get in it? What's up with that?!"--paraphrasing frustrated student).

As a temporary fix, I instead changed the test to not unenroll the user (i.e., don't 'continue' in the above code) if the user has viewhiddencourses capability. Change this line from from Iñaki's code above in /enrol/ldap/enrol.php:

if ($course_obj->visible==0) {


To this:

if ($course_obj->visible==0 && (!has_capability('moodle/course:viewhiddencourses', get_context_instance(CONTEXT_COURSE, $course_obj->id)))) {



In other words: "if the course is visible and the user doesn't have the viewhiddencourses capability, skip this enrollment."

That gives us the behavior we want, for the most part--teachers get access to their invisible courses and students do not. But I find it troubling that it still unenrolls students from invisible courses; my instinct is that while the student shouldn't be able to see the course, enrollments should remain intact. There are some cases where an instructor may need to see the enrolled users in a course before making the course public (to set up groups, for example, before the course starts). But if those users are allowed to log in before the course is made visible, then they're bumped out of the course entirely.

Any thoughts?
Average of ratings: -
In reply to David Walton

Re: LDAP enrollments: users unenrolled on login when courses are unavailable to students

by David Walton -
Oh, cripes. My one-sentence English summary above should say: "if the course is NOT visible and the user doesn't have the viewhiddencourses capability, skip this enrollment."

David Walton
Average of ratings: -
In reply to David Walton

Re: LDAP enrollments: users unenrolled on login when courses are unavailable to students

by David Walton -
In reading over my post above, I didn't make clear that what I was suggesting is to not to comment out the else block that Iñaki posted, but rather to change the test to omit the enrollment if the course is invisible only if the user doesn't have the viewhiddencourses capability. Thus the block that Iñaki included would read as follows:

else {
// the course object exists before we call...
if ($course_obj->visible==0 && !has_capability('moodle/course:viewhiddencourses', get_context_instance(CONTEXT_COURSE, $course_obj->id))) {
// non-visible courses don't show up in the enrolled
// array, so we should skip them --
continue;
}
}


With any luck, this is the last time I'll be responding to correct my own posts. :-|
Average of ratings: -