Note: You are currently viewing documentation for Moodle 2.4. Up-to-date documentation for the latest stable version of Moodle may be available here: Site policies.

Site policies: Difference between revisions

From MoodleDocs
No edit summary
(→‎Site policy URL: viewing site policy)
 
(43 intermediate revisions by 11 users not shown)
Line 1: Line 1:
Location: ''Administration > Security > Site policies''
{{Security}}
A site administrator can set site policies affecting the security and privacy of the site in ''Settings > Site administration > Security > Site policies''.


===Protect usernames===
With this enabled, when people click on the  "Forgotten your username or  password?" link, no hints will be given that might allow people to guess usernames or email addresses.


==Open to Google==
===Force users to login===
 
If you turn this setting on, all users must login before they even see the [[Front Page]] of the site.
 
===Force users to login for profiles===
 
Leave this set to Yes to keep anonymous visitors away from user profiles.
 
===Force users to login to view user pictures===
 
If enabled, users must login in order to view user profile pictures and the default user picture will be used in all notification emails.
 
===Open to Google===


Enabling this setting allows Google's search spiders guest access to your site. Any part of the site that allows guest access will then be searchable on Google. In addition, people coming in to your site via a Google search will automatically be logged in as a guest.
Enabling this setting allows Google's search spiders guest access to your site. Any part of the site that allows guest access will then be searchable on Google. In addition, people coming in to your site via a Google search will automatically be logged in as a guest.


==Maximum uploaded file size==
===Profile visible roles===
Any role which is checked/ticked here will be visible on  user profiles and the Participation screen.
 
===Maximum uploaded file size===


Probably the most frequently asked question in the Moodle.org Using Moodle forums is "How do I increase the upload file size limit?"
Probably the most frequently asked question in the Moodle.org Using Moodle forums is "How do I increase the upload file size limit?"
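Review bot: The new "Force users to login" section and the "Open to Google" section now sit in the same block, but neither says what happens when both are enabled. "Open to Google" gives search spiders guest access and logs search visitors in as guests, so an admin who turns on forced login may wrongly assume nothing is indexed. Suggest one sentence under "Open to Google" stating how it interacts with "Force users to login".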
Line 20: Line 38:
  max_execution_time = 600 ; Maximum execution time of each script, in seconds;
  max_execution_time = 600 ; Maximum execution time of each script, in seconds;


3. The Moodle site-wide maximum uploaded file size setting: ''Administration > Security > Site policies > Maximum uploaded file size [128M]''.
3. The Moodle site-wide maximum uploaded file size setting: ''Settings > Site administration > Security > Site policies > Maximum uploaded file size''.


4. The Moodle course maximum uploaded file size setting in the course settings: ''Administration > Courses > Add/Edit courses > select Course category & edit each course > Maximum upload size [128M]''.
4. The Moodle course maximum uploaded file size setting in the course default  settings: ''Settings > Site administration > Courses > Course default settings''
 
5. The  file size settings in each individual course in ''Course Administration>Settings''.


5. Certain course activity module settings (for example, Assignment)
5. Certain course activity module settings (for example, Assignment)


==Enable messaging system==
* See [[File upload size]] for more details.


Click the checkbox to enable site-wide [[Messaging]].
===User quota===


:''Note'': If you enable the messaging system, all users will be able to send and receive messages at any time. Teachers can't choose whether or not messaging is allowed between students in their particular course.
The maximum number of bytes that a user can store in their own [[Private files]] area.


==Force users to login==
===Allow EMBED and OBJECT tags===
Allowing these presents a security risk but if you wish normal users such as students to be able to use them then check the box here.


If you turn this setting on all users must login before they even see the front page of the site.
===Enable trusted content===


==Force users to login for profiles==
By default Moodle will always thoroughly clean text that comes from users to remove any possible bad scripts, media etc that could be a security risk. The Trusted Content system is a way of giving particular users that you trust the ability to include these advanced features in their content without interference. To enable this system, you need to first enable this setting, and then grant the [[Capabilities/moodle/site:trustcontent|Trust submitted content]] capability to a specific Moodle role. Texts created or uploaded by such users will be marked as trusted and will not be cleaned before display. Please refer to [[dev:Trusttext cleaning bypass]] for further information.


Leave this set to Yes to keep anonymous visitors away from user profiles. (See the Using Moodle forum discussion [http://moodle.org/mod/forum/discuss.php?d=89061 3rd party spam exploit possible? Help please!].)
===Maximum time to edit posts===
 
==Enable trusted content==
 
Please refer to [[Development:Trusttext cleaning bypass]] for further information.
 
==Maximum time to edit posts==


This sets the editing time for forum postings. The editing time is the amount of time users have to change forum postings before they are mailed to subscribers.
This sets the editing time for forum postings. The editing time is the amount of time users have to change forum postings before they are mailed to subscribers.
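Review bot: The upload-limit list now has two items numbered 5: the added "5. The file size settings in each individual course" is followed by the existing "5. Certain course activity module settings", which should become 6 so the "each one restricts the following ones" ordering stays unambiguous. Separately, the new "Allow EMBED and OBJECT tags" text says only that this "presents a security risk"; naming the risk (untrusted users embedding active content in pages other users view) would help an admin decide.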
Line 50: Line 65:
Please refer to the forum discussions [http://moodle.org/mod/forum/discuss.php?d=28679 Editing a forum post after the 30 minutes deadline] and [http://moodle.org/mod/forum/discuss.php?d=5367 The philosophy underlying "no editing after 30 minutes"]
Please refer to the forum discussions [http://moodle.org/mod/forum/discuss.php?d=28679 Editing a forum post after the 30 minutes deadline] and [http://moodle.org/mod/forum/discuss.php?d=5367 The philosophy underlying "no editing after 30 minutes"]


==Site policy URL==
===Full name format===


If you have a site policy that all users must see and agree to before using this site, then specify the URL to it here, otherwise leave this field blank. The URL can point to anywhere, for example a file in the site files.
If set to 'First name' only users with the [[Capabilities/moodle/site:viewfullnames|view full names capability]] (by default managers, teachers and non-editing teachers) can view users' full names.


:''Tip'': It is recommended that the site policy is on the same domain as Moodle to avoid the problem of Internet Explorer users seeing a blank screen when the site policy is on a different domain.
===Allow extended characters in usernames===


==Blog visibility==
The default here, unchecked = unenabled, can only contain alphabetical letters in lowercase, numbers, hypen '-', underscore '_', period '.', or at sign '@'. If you enable this, it will be possible to have any characters for the username.


To enable [[Blogs]], select the level to which user blogs can be viewed.
===Site policy URL===


By default, all site users can see all blogs. Blog visibility may be restricted so that users can only see blogs for people whom they share a course with or whom they share a group with.
* If you have a site policy that all users must see and agree to before using this site, then specify the URL to it here, otherwise leave this field blank. The URL can point to any type of file anywhere online that can be accessed without a log in to your Moodle.
* It is recommended that the site policy is on the same domain as Moodle to avoid the problem of Internet Explorer users seeing a blank screen when the site policy is on a different domain.
* The site policy will be displayed in a frame. You can view it via the URL ''<nowiki>yourmoodlesite.org/user/policy.php</nowiki>''.


:''Note'': This setting is for specifying the maximum context of the VIEWER not the poster. To limit blogging to specific users only, a [[Blogger role]] should be created and users assigned to it in the system context.
===Site policy URL for guests===
This is similar to the Site policy URL as above but will be seen by those to whom you give guest access.


==Enable tags functionality==
===Keep tag name casing===
 
{{Moodle 1.9}}From Moodle 1.9 onwards, users may [[Tags|tag]] themselves and create interest pages around those tags.
 
==Keep tag name casing==


If checked, then tags like the following will be displayed: SOCCER, gUiTaR, MacDonalds, music
If checked, then tags like the following will be displayed: SOCCER, gUiTaR, MacDonalds, music
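Review bot: In "Allow extended characters in usernames", the sentence "The default here, unchecked = unenabled, can only contain ..." has no subject and misspells "hyphen" as "hypen". Suggest "By default (unchecked), usernames can only contain lowercase letters, numbers, hyphen '-', underscore '_', period '.', or at sign '@'." In the same hunk, the "Site policy URL" bullet says the URL must be reachable "without a log in to your Moodle"; it would help to say why (the policy is shown before the user has agreed and gained access).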
Line 79: Line 93:
:* For languages where this kind of capitalization changes the meaning, it is best to keep this option on.
:* For languages where this kind of capitalization changes the meaning, it is best to keep this option on.


==Password policy==
===Profiles for enrolled users only===
 
To prevent misuse by spammers, profile descriptions of users who are not yet enrolled in any course are hidden. New users must enrol in at least one course before they can add a profile description.
 
===Cron execution via command line only===
 
[[Cron]] is an action that runs various administrative jobs on your Moodle such as sending out forum posts. Normally Cron can be run by typing www.YOURMOODLE.com/admin/cron.php but as anyone logged in can do this, if you wish to prevent it, then check this box and only a admin can run Cron from the command line.
 
===Cron password for remote access===
Setting a password here will mean that users can only run cron from the browser if they know the password and add it like this:
www.YOURMOODLE.com/admin/cron.php/?password=THEPASSWORDYOUSET
 
===Password policy===
 
It is highly recommended that a password policy is set to force users to use stronger passwords that are less susceptible to being cracked by a intruder.
[[Image:Password policy.png|thumb|Password policy]]
 
The password policy includes option to set the minimum length of the password, the minimum number of digits, the minimum number of lowercase characters, the minimum number of uppercase characters and the minimum number of non alphanumeric characters.
 
The password policy is enabled by default. Default settings are:
* Password length - 8
* Digits - 1
* Lowercase letters - 1
* Uppercase letters - 1
* Non-alphanumeric characters - 1


{{Moodle 1.9}}From Moodle 1.9 onwards, a password policy may be set up, ensuring users choose passwords of a certain length etc.
If a user enters a password that does not meet the requirements, they are given an error message indicating the nature of the problem with the entered password.


There is a check box to determine if password complexity should be enforced or not, the option to set the minimum length of the password, the minimum number of digits, the minimum number of lowercase characters, the minimum number of uppercase characters and the minimum number of non alphanumeric characters.
:''Tip'': To reduce the chance of md5 lookup attack, passwords should have at least 8 characters and contain at least one number, at least one lowercase letter, at least one uppercase letter and at least one non-alphanumeric character.


If a user enters a password that does not meet those requirements, they are given an error message indicating the nature of the problem with the entered password.
Enabling the password policy does not affect existing users until they decide to or are required to change their password. An admin can force all users to change their password using the force password change option in [[Bulk user actions]].


Enforcing password complexity along with requiring users to change their initial password go a long way in helping ensure that users choose and are in fact using "good passwords".
:''Tip'': The password policy may also be applied to [[Enrolment key|enrolment keys]] by ticking the 'Use password policy' checkbox in the [[Self enrolment]] settings.


==Disable user profile images==
===Group enrolment key policy===
If this is enabled then when a teacher sets a group enrolment key, they will have to set a key which follows the password policy set above.


From Moodle 1.9 onwards, the ability for users to change their profile images may be disabled by checking the ''disableuserimages'' box.
===Disable user profile images===


==Email change confirmation==
Check/tick this box if you don't want your users to be able to change their [[User pictures|profile images]].


{{Moodle 1.8}}In Moodle 1.8.6 and from 1.9.2 onwards, a confirmation step is required for users to change their email address unless the ''emailchangeconfirmation'' box is unchecked.
===Email change confirmation===


== See also ==
A confirmation step is required for users to change their email address unless the ''emailchangeconfirmation'' box is unchecked.


*[[Administration FAQ]]
===Remember username===
If you want  usernames to be stored during login then set this to "yes". This will store permanent cookies and in some countries may be considered a privacy issue if used without consent. From a UK point of view, see http://tracker.moodle.org/secure/attachment/24290/UK+Laws+Relating+to+Cookies-LUNS2011.pdf See also the Using Moodle forum discussion [http://moodle.org/mod/forum/discuss.php?d=201558 EU Cookie Law].


[[Category:Administrator]]
[[Category:Security]]


[[es:Políticas del sitio]]
[[eu:Gunearen_politikak]]
[[eu:Gunearen_politikak]]
[[fr:Règles site]]
[[fr:Règles site]]
[[hu:Portál alapelvei]]
[[ja:サイトポリシー]]
[[ja:サイトポリシー]]
[[de:Website-Rechte]]
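Review bot: The "Cron password for remote access" example puts the password in the query string (cron.php/?password=THEPASSWORDYOUSET), so it will be recorded wherever the request URL is recorded, such as web server access logs and browser history. The section should say so and point to "Cron execution via command line only" as the stricter option. The slash before "?password" also looks unintended and is worth checking against a working URL. Minor: "a admin" and "a intruder" should read "an admin" and "an intruder", and the "md5 lookup attack" tip would read better as "an MD5 lookup attack".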

Latest revision as of 13:10, 13 August 2013

A site administrator can set site policies affecting the security and privacy of the site in Settings > Site administration > Security > Site policies.

Protect usernames

With this enabled, when people click on the "Forgotten your username or password?" link, no hints will be given that might allow people to guess usernames or email addresses.

Force users to login

If you turn this setting on, all users must log in before they even see the Front Page of the site.

Force users to login for profiles

Leave this set to Yes to keep anonymous visitors away from user profiles.

Force users to login to view user pictures

If enabled, users must log in to view user profile pictures, and the default user picture will be used in all notification emails.

Open to Google

Enabling this setting allows Google's search spiders guest access to your site. Any part of the site that allows guest access will then be searchable on Google. In addition, people coming in to your site via a Google search will automatically be logged in as a guest.

Profile visible roles

Any role which is checked/ticked here will be visible on user profiles and the Participation screen.

Maximum uploaded file size

Probably the most frequently asked question in the Moodle.org Using Moodle forums is "How do I increase the upload file size limit?"

Upload file sizes are restricted in a number of ways - each one in this list restricts the following ones:

1. The Apache server setting LimitRequestBody: the default in Apache 2.x or greater is 0, which means an unlimited upload size.

2. The PHP site settings post_max_size and upload_max_filesize in php.ini: modify php.ini in the web server directories (apache2.x.x/bin/php.ini), not in the php directories:

 post_max_size = 128M ; to increase limit to 128 Megabytes
 upload_max_filesize = 128M ; to increase limit to 128 Megabytes
 max_execution_time = 600 ; Maximum execution time of each script, in seconds

3. The Moodle site-wide maximum uploaded file size setting: Settings > Site administration > Security > Site policies > Maximum uploaded file size.

4. The Moodle course maximum uploaded file size setting in the course default settings: Settings > Site administration > Courses > Course default settings

5. The file size settings in each individual course in Course administration > Settings.

6. Certain course activity module settings (for example, Assignment).
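
The chain above can be checked mechanically. The following is an added example, not code from Moodle or MoodleDocs: it parses php.ini-style sizes, walks the layers in the order listed, and reports the effective limit and any layer whose value is already capped by an earlier one. The layer names and sample values are constructed, and treating 0 as "no limit at this layer" is an assumption for every layer except Apache's LimitRequestBody, where the page states it.

```python
import re

# php.ini shorthand suffixes: K, M and G are powers of 1024.
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(value):
    """Convert a php.ini-style size such as '128M' to a number of bytes."""
    match = re.fullmatch(r"\s*(\d+)\s*([KMG]?)\s*", str(value), re.IGNORECASE)
    if not match:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(match.group(1)) * _UNITS[match.group(2).upper()]


def effective_limit(layers):
    """Return (bytes, layer_name) for the most restrictive layer.

    `layers` is an ordered list of (name, size) pairs, outermost first.
    A size of 0 is treated as "no limit at this layer" (assumption, see above).
    Returns (None, None) if no layer imposes a limit.
    """
    best, who = None, None
    for name, raw in layers:
        size = parse_size(raw)
        if size and (best is None or size < best):
            best, who = size, name
    return best, who


def shadowed_layers(layers):
    """Names of layers set higher than a limit imposed earlier in the chain.

    Raising such a layer on its own changes nothing, which is the usual
    reason an increased upload limit appears to have no effect.
    """
    shadowed, ceiling = [], None
    for name, raw in layers:
        size = parse_size(raw)
        if size == 0:
            continue
        if ceiling is not None and size > ceiling:
            shadowed.append(name)
        else:
            ceiling = size
    return shadowed


# Constructed sample configuration, in the order the page lists the layers.
SAMPLE_LAYERS = [
    ("Apache LimitRequestBody", "0"),
    ("php.ini post_max_size", "128M"),
    ("php.ini upload_max_filesize", "128M"),
    ("Moodle site policy", "64M"),
    ("Course setting", "20M"),
    ("Activity (Assignment)", "100M"),
]

if __name__ == "__main__":
    limit, layer = effective_limit(SAMPLE_LAYERS)
    print(f"effective limit: {limit} bytes, set by {layer}")
    print("shadowed layers:", shadowed_layers(SAMPLE_LAYERS))
```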

User quota

The maximum number of bytes that a user can store in their own Private files area.

Allow EMBED and OBJECT tags

Allowing these presents a security risk but if you wish normal users such as students to be able to use them then check the box here.

Enable trusted content

By default Moodle will always thoroughly clean text that comes from users to remove any possible bad scripts, media etc that could be a security risk. The Trusted Content system is a way of giving particular users that you trust the ability to include these advanced features in their content without interference. To enable this system, you need to first enable this setting, and then grant the Trust submitted content capability to a specific Moodle role. Texts created or uploaded by such users will be marked as trusted and will not be cleaned before display. Please refer to dev:Trusttext cleaning bypass for further information.

Maximum time to edit posts

This sets the editing time for forum postings. The editing time is the amount of time users have to change forum postings before they are mailed to subscribers.

Please refer to the forum discussions Editing a forum post after the 30 minutes deadline and The philosophy underlying "no editing after 30 minutes"

Full name format

If set to 'First name' only users with the view full names capability (by default managers, teachers and non-editing teachers) can view users' full names.

Allow extended characters in usernames

By default (unchecked, i.e. not enabled), usernames can only contain lowercase alphabetical letters, numbers, hyphen '-', underscore '_', period '.', or at sign '@'. If you enable this, it will be possible to have any characters in the username.

Site policy URL

  • If you have a site policy that all users must see and agree to before using this site, then specify the URL to it here; otherwise leave this field blank. The URL can point to any type of file anywhere online that can be accessed without logging in to your Moodle.
  • It is recommended that the site policy is on the same domain as Moodle to avoid the problem of Internet Explorer users seeing a blank screen when the site policy is on a different domain.
  • The site policy will be displayed in a frame. You can view it via the URL yourmoodlesite.org/user/policy.php.

Site policy URL for guests

This is similar to the Site policy URL as above but will be seen by those to whom you give guest access.

Keep tag name casing

If checked, then tags like the following will be displayed: SOCCER, gUiTaR, MacDonalds, music

If unchecked, then all tags will be displayed as follows: Soccer, Guitar, Macdonalds, Music

Tips:
  • For English, off is useful.
  • For Japanese, no changes are made either way.
  • For languages where this kind of capitalization changes the meaning, it is best to keep this option on.

Profiles for enrolled users only

To prevent misuse by spammers, profile descriptions of users who are not yet enrolled in any course are hidden. New users must enrol in at least one course before they can add a profile description.

Cron execution via command line only

Cron is an action that runs various administrative jobs on your Moodle, such as sending out forum posts. Normally cron can be run by typing www.YOURMOODLE.com/admin/cron.php into a browser, but anyone logged in can do this. If you wish to prevent it, check this box; then only an admin can run cron, from the command line.

Cron password for remote access

Setting a password here will mean that users can only run cron from the browser if they know the password and add it like this: www.YOURMOODLE.com/admin/cron.php/?password=THEPASSWORDYOUSET

Password policy

It is highly recommended that a password policy is set to force users to use stronger passwords that are less susceptible to being cracked by an intruder.

The password policy includes options to set the minimum length of the password, the minimum number of digits, the minimum number of lowercase characters, the minimum number of uppercase characters and the minimum number of non-alphanumeric characters.

The password policy is enabled by default. Default settings are:

  • Password length - 8
  • Digits - 1
  • Lowercase letters - 1
  • Uppercase letters - 1
  • Non-alphanumeric characters - 1

If a user enters a password that does not meet the requirements, they are given an error message indicating the nature of the problem with the entered password.

Tip: To reduce the chance of an MD5 lookup attack, passwords should have at least 8 characters and contain at least one number, at least one lowercase letter, at least one uppercase letter and at least one non-alphanumeric character.

Enabling the password policy does not affect existing users until they decide to or are required to change their password. An admin can force all users to change their password using the force password change option in Bulk user actions.

Tip: The password policy may also be applied to enrolment keys by ticking the 'Use password policy' checkbox in the Self enrolment settings.

Group enrolment key policy

If this is enabled then when a teacher sets a group enrolment key, they will have to set a key which follows the password policy set above.

Disable user profile images

Check/tick this box if you don't want your users to be able to change their profile images.

Email change confirmation

A confirmation step is required for users to change their email address unless the emailchangeconfirmation box is unchecked.

Remember username

If you want usernames to be stored during login then set this to "yes". This will store permanent cookies and in some countries may be considered a privacy issue if used without consent. From a UK point of view, see http://tracker.moodle.org/secure/attachment/24290/UK+Laws+Relating+to+Cookies-LUNS2011.pdf. See also the Using Moodle forum discussion EU Cookie Law.