MoodleDocs - User contributions [en]

Security recommendations

2026-02-23T05:18:27Z

Michaelh2: /* Introduction */

{{Security}}All web application software is highly complex, and every application has security issues that are found from time to time, usually involving some combination of input that the programmers did not anticipate. The Moodle project takes security seriously, and is continuously improving Moodle to close such holes as we find them.

==Introduction==
*This page contains important security measures for your Moodle installation.
*If you find a potential security vulnerability in Moodle LMS, please see the [https://moodledev.io/general/development/process/security Security procedures documentation] for instructions on how to safely report them. Reported issues will be triaged as soon as possible and fixes will be prioritised depending on the severity of the issue. On that page you can also see our responsible disclosure policy, which includes ensuring we inform registered Moodle sites before information about any vulnerabilities are published more widely.
*You should not post any details about potential security vulnerabilities either in the Moodle community forums or elsewhere on the web, particularly before a fix is announced on https://moodle.org/security, to ensure other Moodle sites are not exposed without having an opportunity to upgrade or patch the issue.

==Simple security measures==
*The best security strategy is a good backup! But you don't have a good backup unless you are able to restore it. Test your restoration procedures!
*Load only software or services you will use
*Perform regular updates
*Model your security after the layers of clothing you wear on a cold winter day

==Basic recommendations==

;Update Moodle regularly on each release
:Published security holes draw crackers' attention after release. The older the version, the more vulnerabilities it is likely to contain.
; Use https to secure all pages (not just the login page)
:Protect all traffic from your Moodle instance and your users by making all pages accessible via https only. This not only protects passwords on login but also ensures the privacy of your users so that all user data cannot be intercepted or manipulated ("ad injections") from third parties like WLAN providers for example. Free https certificates are available from https://letsencrypt.org/. In addition, set httpslogin=yes in your moodle config to add an extra layer of protection for submitting login credentials.
;[[admin/environment/custom check/php check register globals|Register globals '''MUST''' be disabled]]
:This will help prevent against possible XSS problems in third-party scripts.
;Run the [[Security_overview_report|Security Overview Report]]
:This identifies various configurations within your Moodle site that may pose a security risk, so any issues raised by that report should be investigated and action taken if necessary.
;Use strong passwords for admin and teachers
:Choosing "difficult" passwords is a basic security practice to protect against "brute force" cracking of accounts.
;Only give teacher accounts to trusted users. Avoid creating public sandboxes with free teacher accounts on production servers.
:Teacher accounts have much more liberal permissions and it is easier to create situations where data can be abused or stolen.
;Separate your systems as much as possible
:Another basic security technique is to use different passwords on different systems, use different machines for different services and so on. This will prevent damage being widespread even if one account or one server is compromised.

==Run regular updates==
*Use auto update systems
*Windows Update
*Linux: up2date, yum, apt-get
:Consider automating updates with a script scheduled via cron
*Mac OSX update system
*Stay current with php, apache, and moodle

==Use mailing lists to stay updated==
*CISA Cybersecurity advisories - https://www.cisa.gov/news-events/cybersecurity-advisories
*PHP - http://www.php.net/mailing-lists.php - sign up for Announcements list
*MySQL - http://lists.mysql.com - sign up for MySQL Announcements

==Firewalls==
*Security experts recommend a dual firewall
:Differing hardware/software combinations
*Disabling unused services is often as effective as a firewall
:Use netstat -a to review open network ports
*Not a guarantee of protection
*Allow ports
:80, 443(ssl), and 9111 (for chat),
:Remote admin: ssh 22, or rdp 3389

==Password policy==

A password policy may be set up in ''Settings > Site administration > Security > [[Site policies]]''.

There is a check box to determine if password complexity should be enforced or not, the option to set the minimum length of the password, the minimum number of digits, the minimum number of lowercase characters, the minimum number of uppercase characters and the minimum number of non alphanumeric characters.

If a user enters a password that does not meet those requirements, they are given an error message indicating the nature of the problem with the entered password.

Enforcing password complexity along with requiring users to change their initial password go a long way in helping ensure that users choose and are in fact using "good passwords".

However, making the check too onerous just results in them writing it down so be realistic.

==Be prepared for the worst==
*Have backups ready
*Practice recovery procedures ahead of time
*Use a rootkit detector on a regular basis
**Linux/MacOSX - http://www.chkrootkit.org/
**Windows - http://technet.microsoft.com/en-en/sysinternals/bb897445.aspx and http://technet.microsoft.com/de-de/sysinternals/bb897445.aspx

==Moodle security alerts==
*Register your site with Moodle.org
:Registered users receive email alerts
*Security alerts also posted online
*Web - http://moodle.org/security
*RSS feed - http://moodle.org/rss/file.php/1/1/forum/996/rss.xml

==Miscellaneous considerations==
These are all things you might consider that impact your overall security:
*Use the secure forms setting
*Always set a mysql root user password
*Turn off mysql network access
*Use SSL, httpslogins=yes
*Use good passwords - set up a password policy in ''Settings > Site administration > Security > [[Site policies]]''
*Do not enable the ''opentowebcrawlers'' setting (in ''Settings > Site administration > Security > [[Site policies]]'')
*Disable guest access
*Place enrollment keys on all courses or set Course Enrollable = No for all courses
*Ensure the enrolment key hint is disabled (which it is by default) in ''Administration > Site administration > Plugins > Enrolment > Self enrolment.''

==Most secure/paranoid file permissions==

'''Note''': The following information applies to Linux/Unix based installations only, as MS Windows permission system is quite different.

Depending on your server set-up there are two different scenarios:
# You are running Moodle on your own dedicated server.
# You are running Moodle on a shared hosting environment.

In the sections below, you are required to use the web service user account and group to set the permissions, so you need to know them. This can vary quite a bit from server to server but if this feature has not been disabled in your server, you can go to ''<nowiki>http://your.moodle.site/admin/phpinfo.php</nowiki>'' (logging in as admin), and then search for the line that reads 'User/Group', inside the 'apache' table. For example, I get 'www-data' for the user account and 'www-data' for the group too.

=== Running Moodle on a dedicated server ===
Assuming you are running Moodle on a sealed server (i.e. no user logins allowed on the machine) and that root takes care of the modifications to both moodle code and moodle config (config.php), then this are the most tight permissions I can think of:

1. moodledata directory and all of its contents (and subdirectories, includes sessions):
owner: apache user (apache, httpd, www-data, whatever; see above)
group: apache group (apache, httpd, www-data, whatever; see above)
permissions: 700 on directories, 600 on files

2. moodle directory and all of its contents and subdirectories (including config.php):
owner: root
group: root
permissions: 755 on directories, 644 on files.

If you allow local logins for regular users, then 2. should be:
owner: root
group: apache group (apache, httpd, www-data, whatever; see above)
permissions: 750 on directories, 640 on files.

Think of these permissions as the most paranoid ones. You can be secure enough with less tighter permissions, both in moodledata and moodle directories (and subdirectories).

=== Running Moodle on a shared hosting environment ===
If you are running Moodle on a shared hosting environment, then above permissions are probably wrong. If you set 700 as the permission for directories (and 600 for files), you are probably denying the web service user account access to your directories and files.

If you want to tighten your permissions as much as possible, you will need to know:

# the user account and the group the web service is running under (see above).
# the owner of the directories/files of both moodledata and the moodle directory (this should normally be your client user account), and the group of the directories/files. You can usually get this information from the file manager of your hosting control panel. Go to the moodle folder and pick any directory or file and try to view/change the permissions, owner and group of that file. That would normally show the current permissions, owner and group. Do the same for the moodledata directory.

Then, depending on the following scenarios you should use a different set of permissions (listed from more secure to less secure) for your moodledata directory:

# if the web service account and the owner of the directories/files is the same, you should use 700 for directories and 600 for files.
# if the web service group and the group of the directories/files is the same, you should use 770 for directories and 660 for the files.
# if none of the above, you will need to use 777 for directories and 666 for files, which is less secure but it is your only option. 707 and 606 would be more secure, but it might or might not work, depending on your particular setup.

In fact, you just need to set moodledata the permissions specified above, as all the directories and files inside are created by the web service itself, and will have the right permissions.

Regarding the moodle directory, as long as the web service user account can read the files plus read and execute the directories, that should be enough. There is no need to grant write permission to the web service account/group on any of the files or subdirectories. The only drawback is that you will need to create the config.php by hand during the installation process, as Moodle will not be able to create it. But that should not be a big problem.

==See also==

*[[Security FAQ]]
*[https://moodle.com/news/top-security-tips-for-moodle-administrators/ Top security tips for Moodle administrators article]
Using Moodle forum discussions:
*[http://moodle.org/mod/forum/discuss.php?d=39404 Guide to Securing your Moodle Server]
*[http://moodle.org/mod/forum/discuss.php?d=93561 How to secure Moodle website from hacking] including recommendations on emergency recovery

[[es:Recomendaciones de Seguridad]]
[[fr:Sécurité]]

sms/configure

2024-11-19T18:11:10Z

Michaelh2: Redirected page to SMS gateways

#Redirect [[SMS gateways]]

admin/setting/sms

2024-11-19T18:09:52Z

Michaelh2: Redirected page to SMS gateways

#Redirect [[SMS gateways]]

admin/setting/factor sms

2024-11-19T18:07:54Z

Michaelh2: Redirected page to Multi-factor authentication#Example setups

#Redirect [[Multi-factor_authentication#Example_setups]]

Multi-factor authentication

2024-11-19T17:52:03Z

Michaelh2: Added additional details about configuring SMS gateways for MFA use.

{{Authentication}}
==What is multi-factor authentication (MFA)?==
[https://en.wikipedia.org/wiki/Multi-factor_authentication Multi-factor authentication (MFA)] is a security measure that requires users to verify their identity using two or more factors of authentication. Factors can be something users know, like a password, something they have, like a phone or security token, or something they are, like a fingerprint.

MFA helps improve security of your Moodle site because it is more difficult for attackers to compromise multiple factors.
==Manage multi-factor authentication==
From Site administration > Plugins > Admin tools > Manage multi-factor authentication, you can turn MFA on by checking the box MFA plugin enabled.

If you’re configuring MFA for your site for the first time, we recommend that you check out the [[Multi-factor authentication#Recommendations and example setups|Recommendations and example setups]] to streamline the experience for your users.
=== Weights and factors ===
In Site administration > Plugins > Admin tools > Manage multi-factor authentication, you can see a list of the available factors and select the ones that make up MFA for your site.

These factors have weight points, and users have to reach 100 points in order to be able to log in. By configuring multiple factors and adjusting their weights, you can create complex and flexible rules for multi-factor authentication.

For example, you could have two factors with 100 points each, if you want to give users different methods of authentication. Or you could have two factors with 50 points each, meaning that users will have to go through both factors to be able to log in.

During the login process, factors that don't require user input, like IP address or user role, are assessed first. Then, the remaining factors are evaluated in order of weight, starting from the highest, until either the cumulative points reach the login threshold (100) or all factors have been checked and login is denied.
==== Available authentication factors ====
===== Standard authentication factors =====
These are well known, usual authentication factors used in many products and software:

'''Email''': This factor requires users to enter a code received via email during the login process. When a user attempts to log in, the system generates a unique, temporary code and sends it to the user’s registered email address. The user must then enter this code along with their password to successfully complete the login process. This code has a limited validity period, which you can customise, ensuring that it cannot be used for unauthorised access.

'''Authenticator app''': This factor uses a mobile application to generate a temporary code for user authentication. During the login process, Moodle prompts the user to enter a code generated by their authenticator app, in addition to their password. This code changes periodically, ensuring that it can’t be reused for unauthorised access. '''Users must have an app installed on their mobile device and configure this factor themselves.'''

'''Security key''': This factor utilises physical hardware tokens, like USB or NFC security keys, or physical biometrics such as fingerprints. During the login process, users must physically use their security on their device to verify their identity. '''Users must configure this factor themselves'''.

'''IP range''': This factor utilises users’ IP address to verify their identity, providing enhanced security when accessing from a trusted network. It requires no upfront setup from your users, allowing you to configure full login access on a trusted network. '''This factor requires no setup by your users.'''

'''SMS Mobile phone''': This factor requires a mobile phone capable of receiving SMS (text) messages. During the login process, Moodle generates a unique, one-time code and sends it to the user's registered mobile phone number via SMS. The user enters this code along with their password to successfully complete the login process. '''Users must configure this factor themselves'''. Find out more from [[SMS gateways]].

=====User-filtering factors=====
User-filtering factors are a way to easily create groups of users who will or will not be required to use multi-factor authentication (MFA).

'''Non administrator''': This factor requires only administrators to have two or more authentication factors, while not affecting other users. It does so by giving factor points to all users who are not an administrator.

'''Authentication type:''' This factor allows certain users to skip additional authentication steps based on their authentication type. This can be useful for situations where certain authentication types, such as [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language SAML] via [https://en.wikipedia.org/wiki/Active_Directory_Federation_Services ADFS] , already provide a high level of security, making additional authentication checks unnecessary.

'''Role''': This factor has to be used in combination with other factors, as it allows you to specify which roles must use other factors to authenticate. For example, it enables you to require that individuals with elevated access privileges, such as managers and administrators, undergo a more stringent authentication process, while other non-specified roles such students can bypass MFA.

'''Cohort''': This factor has to be used in combination with other factors, as it allows you to specify which cohorts must use other factors to authenticate.

'''User capability''': This factor is similar to the Role factor, and must also be combined with other factors, as it allows you to specify which users must use other factors to authenticate. It does so by checking whether users have the capability ‘factor/capability:cannotpassfactor’ at system level. Users who do not have the capability ‘factor/capability:cannotpassfactor’ will be given points for this factor and can bypass MFA, while users with this capability will need to use another type of authentication.

For example: You assign the capability ‘factor/capability:cannotpassfactor’ to all Managers, and also enable the Email factor. When a Manager logs in, they will have to use the Email factor. But when a student tries to log in, they will not.

Since Admin users have all capabilities allowed by default, including “factor/capability:cannotpassfactor”, there’s an additional setting that will allow Admins to gain points for this factor despite having the capability.

=====Other factors =====
These factors provide additional flexibility and control over the authentication process.

'''Trust this device''': This factor allows users to mark a device as trusted during MFA logins. Once a device is designated as trusted, users can bypass MFA for a specified period of time when logging in from that device.

To implement this feature effectively, assign a score of 100 points to this factor.

'''Grace period''': This factor is essential when you turn on factors that require upfront setup from users, like authenticator app or security key. It allows users to log in without engaging with multi-factor authentication (MFA) for a specified time frame, providing a buffer period to complete the setup of additional authentication factors. If a user is still within their grace period upon reaching the first post-login page, regardless of whether they used grace mode as a login factor, a notification will inform them of the remaining grace period length and the potential need to set up additional factors to prevent account lockout when the grace period expires.

To implement this feature effectively, assign a score of 100 points to this factor. To receive points for this factor, there must be no other user-input factors requiring user interaction during the login process. Place this factor at the end of the list to ensure all other factors are addressed first.

If the grace period ends and users have not set up their authentication methods, they will not be able to log in to your site. You can extend the grace period to allow them to log in, or enable other factors temporarily, such as IP range or role.

'''No other factors''': This factor allows people to log in if they have not set up any other MFA factors. For example, if you want to offer MFA to your users but not make it compulsory, give 100 points to ‘no other factors’ to allow those who don’t want to use MFA to log in to the site. Once another factor is set up for a user, they will no longer gain points for this one.
===User setup===
If you enable the factors '''Authenticator app''' and '''Security key''', your users will need to configure multi-factor authentication themselves. The authentication settings can be accessed through ''User menu > Preferences > Multi-factor authentication preferences''. There, they will be able to set up and manage their authenticator apps or security keys, as well as revoke access to any factors they have configured.

It is important to note that a user will not be able to revoke a factor without having at least one other factor set up. This will reduce the chances of locking a user out without another way to authenticate.
==Recommendations and example setups==

When setting up MFA for your site, it’s important to ensure that you’re making your site more secure, but also creating a good experience for your users, including making sure that they are able to log in if they follow the right steps. Here are some recommendations to ensure that MFA is streamlined for your users:
# Make sure you turn on the '''Grace period''' factor when you turn on an authentication factor that requires users to configure something themselves ('''Authenticator app''' or '''Security key'''). This will give your users time to set up MFA before they are required to use it.
#If you don’t want to make MFA mandatory, enable '''No other factors'''. This will allow users with no other factors to log in using only their password.
#'''IP range''' factor is a very straightforward authentication method if all your users are using the same network. Once users are logged in using this factor, you can allow them to set up additional factors, such as an authenticator app, and then use those other factors to log in when not on your secure network.
#The '''SMS mobile phone''' factor relies on [[SMS gateways]], which currently support Amazon Simple Notification Service (SNS) for the delivery of secure and efficient SMS messages.
===Example setups===

These are some examples of common MFA setups to increase the security of your Moodle site.

'''a) Email verification'''
#Enable MFA.
#Turn on factor '''Email''' and give it 100 points.
#You can turn on '''Trust your device''' to allow your users to bypass MFA for a specified period of time after they have verified it with MFA for the first time.
#Let your users know that email verification is now enabled. Next time your users try to log in, they will see a message that asks them to check their email and enter a code that has been sent there.

'''b) Authenticator app'''
#Enable MFA.
#Turn on the factor '''Grace period''' and give it 100 points. This will allow your users a period of time to set up their authenticator apps and prevent them from being locked out of your site. Use the '''Grace period warning banner''' to let your users know that MFA will be enabled soon and encourage them to set up their authenticator app.
#Turn on the factor '''Authenticator app''' and give it 100 points.
# You can turn on '''Trust your device''' to allow your users to bypass MFA for a specified period of time after they have verified it with MFA for the first time.

'''c) Email OR authenticator app'''
#Enable MFA.
#Turn on the factor '''Email''' and give it 100 points.
#Turn on the factor '''Grace period''' and give it 100 points. This will allow your users a period of time to set up their authenticator apps and prevent them from being locked out of your site. Use the '''Grace period warning banner''' to let your users know that MFA will be enabled soon and encourage them to set up their authenticator app.
#Turn on the factor '''Authenticator app''' and give it 100 points.
#You can turn on '''Trust your device''' to allow your users to bypass MFA for a specified period of time after they have verified it with MFA for the first time.

'''d) Email AND authenticator app'''
#Enable MFA.
# Turn on the factor '''Email''' and give it 50 points.
#Turn on the factor '''Grace period''' and give it 100 points. This will allow your users a period of time to set up their authenticator apps and prevent them from being locked out of your site. Use the '''Grace period warning banner''' to let your users know that MFA will be enabled soon and encourage them to set up their authenticator app.
#Turn on the factor '''Authenticator app''' and give it 50 points. Users will have to pass both factors to get to 100 points and be able to log in.
#You can turn on Trust your device to allow your users to bypass MFA for a specified period of time after they have verified it with MFA for the first time.

'''e) SMS Mobile phone:'''

# Enable MFA.
# Visit the settings page for the '''SMS Mobile phone''' factor.
# If no SMS gateways have been configured on the site, you will be prompted to set one up. You can follow the "set up an SMS gateway" link on the page to set this up. Alternatively, if you have one or more SMS gateways configured on the site, but wish to set up a new gateway for MFA, follow the "create a new gateway" link below the SMS gateway dropdown. If you need to check the configuration of an existing SMS gateway, you can do so via Site administration > SMS > Manage SMS gateways. Additional information can found in the [[SMS gateways|SMS gateways documentation]].
# After the gateway has been configured (or if it was already set up and available), select it from the SMS gateway dropdown.
# Enable the factor, which will reveal additional settings.
# Set the Factor weight to 100 points and set an appropriate Secret validity duration, then save.
# Inform your users that SMS mobile phone verification is now activated. During their next login, they can proceed to set up SMS mobile phone authentication in the user profile preferences page.
# You can turn on '''Trust your device''' to allow your users to bypass MFA for a specified period of time after they have verified it with MFA for the first time.

==Summary of good conditions for login ==
Here are listed the factors selected and their total weighting, adding up to 100.
==General MFA settings==
*The MFA plugin enabled box should be checked for MFA to work.
*From this section you can add any relative URL from the siteroot for which the MFA check will not redirect from
*Links to any guidance pages or files may be uploaded here.
==Admin locked out of site - how to resolve==
Be careful as an administrator when configuring and testing the factors that you do not lock yourself out of the site. If you do then MFA can be disable from the command line by entering:
<syntaxhighlight lang="php">
: php admin/cli/cfg.php --component=tool_mfa --name=enabled --set=0</syntaxhighlight>
==See also==
[[All factor report]]

[[es:Autenticación de múltiples factores]]
[[de:Multi-Faktor-Authentifizierung]]

SMS gateways

2024-11-19T17:37:17Z

Michaelh2: Minor language tweaks.

SMS is a now a subsystem in Moodle LMS, which includes a plugin type (SMS gateway), to allow different providers (e.g. AWS SNS) to send messages via SMS. Site administrators can now setup and configure multiple SMS gateways. Only sending (not receiving) of messages is currently supported.

Initially, the SMS subsystem has been implemented for use in [[Multi-factor authentication]] (MFA), however there will also be a SMS notification support in the future. It is also worth mentioning that SMS is not a replacement for notifications sent to the [[Moodle app|Moodle App]], it is a supplementary mechanism. Many places in the world do not have access to internet enabled phones, or have data restrictions, so SMS functionality provides an alternative way to receive important information.

== Managing SMS gateways ==
Management of SMS gateways is now available from site administration. Navigate to Site administration > Plugins > SMS > Manage SMS gateways.
[[File:01 sms.png|frameless|800x800px|center]]
Selecting Manage SMS gateways will take you to the SMS gateway management page. Select "Create new SMS gateway" to create a new SMS gateway.
[[File:02 sms.png|frameless|800x800px|sms gateway|center]]

This will open the SMS gateway configuration form. In this page, the following information should be added to allow the usage of the gateway:

*'''SMS gateway provider:''' SMS can have many different gateway providers, currently AWS is supported in Moodle LMS. Other providers such as Modica and Twilio will be available in future (or if you install a plugin to support them).
*'''Gateway name:''' This name will be used identify the gateway in the list of configured gateways.
*'''Default country code:''' This is the country code used if users have not included a country code when entering their mobile number. This is particularly useful if your users are from one specific region or mostly from one region, since it means they won't need to add the country code while entering their mobile number in plugins like MFA.
*The rest of the fields like Find AWS credential, Access key, Secret key, region etc. are specific to the AWS SMS gateway plugin. That information comes from your AWS account and must be filled correctly to ensure the gateway works correctly. Please note, different plugins will have different form fields for this section.

[[File:03 sms.png|frameless|800x800px|center]]

If we fill that information and save changes, we will have the gateway available in the SMS gateway management page.
[[File:04_sms.png|center|frameless|800x800px]]
The gateways can be enabled or disabled when needed, by clicking the toggle in the Status column, which will be confirmed by a notification banner.[[File:05 sms.png|frameless|800x800px|center]]

If the gateway is in use (e.g. MFA is using this gateway), then it will not be disabled and instead it will show a notification that it can not be disabled.
[[File:06 sms.png|frameless|800x800px|center]]

Gateways can also be deleted. A confirmation dialogue will be shown before deleting the gateway, as well as a notification after a successful deletion.
[[File:07 sms.png|frameless|800x800px|center]]
[[File:08 sms.png|frameless|800x800px|center]]

If the gateway is in use or any other issues are found while deleting the gateway, it will not be deleted and a notification will be shows with relevant information.
[[File:09 sms.png|frameless|800x800px|center]]

Once a gateway has been configured and enabled, you can select the gateway from the MFA SMS factor settings.
[[File:10 sms.png|center|frameless|800x800px]]
For further usage related information, please visit the [[Multi-factor authentication|MFA setup documentation.]] Configure your Amazon SNS for SMS Authentication following the [https://docs.aws.amazon.com/sns/ AWS SNS Documentation].
[[es: Puertas de enlace (gateways) SMS]]

admin/setting/ai

2024-10-15T07:57:22Z

Michaelh2: Redirected page to AI subsystem

#Redirect[[AI_subsystem]]

TinyMCE editor

2024-09-20T06:53:22Z

Michaelh2: /* Tiny Toolbar */

{{Editing text}}
==What is TinyMCE?==
TinyMCE is a powerful rich-text editor that allows users to create formatted content within a user-friendly interface.

The popular editor is the default editor in all sites from Moodle 4.4 onwards. From ''Administration > Site administration > Plugins > Text editors > Manage editors''. From that page, text editors can be enabled, disabled, ordered by priority and the default editor can also be configured. If more than one text editor is enabled, users can select their preferred editor via their preferences page: ''User menu > Preferences > Editor preferences.''

{{MediaPlayer | url = https://youtu.be/aGtOOmJXweA?si=RbAzDcyv0XaydsTN | desc = Overview of TinyMCE}}

==Spellcheck==
Although a spellchecker is available with TinyMCE Premium (see below), you can use your browser to check spellings in the standard TinyMCE editor. Depending on your browser you can, for example, type text, right click and select Spellcheck. Incorrect or potentially incorrect spellings will be underlined in red.
== Tiny Toolbar ==
The following buttons are available on the toolbar (not all buttons might show in all scenarios:)
[[File:latestTiny.png|center]]

The available buttons are as follows:
{| class="wikitable"
|+
!#
!Button
!#
!Button
!#
!Button
|-
|1
|Undo and Redo
|10
|No auto-link
|18
|Numbered list
|-
|2
|Bold and Italic
|11
|Full screen
|19
|Equation editor
|-
|3
|Insert image/modify properties
|12
|Align left
|20
|Toggle second toolbar (if present)
|-
|4
|Insert audio/video/modify properties
|13
|Align centre
|21
|
|-
|5
|[[Audio|Record audio]]
|14
|Align right
|
|
|-
|6
|[[Video|Record video]]
|15
|L/R and R/L directionality
|
|
|-
|7
|Insert H5P / modify H5P properties
|16
|Decrease/increase indent
|
|
|-
|8
|Link
|17
|Bullets list
|
|
|-
|9
|Unlink
|
|
|
|
|}
Some button have pre-requisites to display, for instance, the equation editor button will only show if either the [[MathJax filter|MathJax]] or the [[TeX notation filter|TeX notation]] filters are enabled (in ''Site administration > Plugins > Filters > Manage filters''), while the H5P option will only show if the ''tiny/h5p:addembed'' capability has been granted.

Some features will also be displayed in a "quick toolbar" when highlighting text within the editor (for example some formatting options), however the quick toolbar will only be displayed if the editor is more than 5 lines of text high. It is automatically hidden in smaller editor instances as the shorter space can cause issues with correctly displaying the options.

== Tiny features ==
[[File:Tiny - Insert menu.png|thumb]]
The following features are available from the '''Insert''' menu:
=== Insert / Edit image ===
The easiest way to insert an image is via drag and drop. Alternatively, you can use the ''Insert image'' tool, which gives you more control over some image properties:

[[File:uploadtinymce.png]]

You can paste in a URL of an image or browse the repositories to locate or upload an image.

Once your image is added, you can resize it and add alt text:

[[File:edittinymceimage.png]]

To modify image properties once it has been added to your text, select the image and press the ''Image'' button on the mini toolbar that shows up.

=== Insert / Edit Link ===
When inserting or editing a link to another (internal or external) page, you can provide the following settings:
* '''URL''': The address of the page to navigate to. If left empty, the option ''<top>'' and ''<bottom>'' are available
* '''Text to display''': The text that is shown in the text, represented as a link
* '''Title''': The text shown when hovering over the link
* '''Browse repositories''': Upload a file to link to.
* '''Open link in...''': The page can either be opened in the '''Current Window''' or a '''New window'''
[[File:Tiny - Link.png|border|center|frameless|450x450px]]
=== Insert / Edit Multimedia ===
To insert existing audio or videos clips, the TinyMCE editor supports Moodle standard [[Media embedding|Media embedding interface]].
[[File:Tiny - Audio & Video.png|thumb]]
=== Record audio and video ===
TinyMCE lets users record [[audio]] and [[video]] clips which will attach to the text once recorded. Each recording comprises three steps:
# '''Start recording''': when ready, press the ''Start recording'' button
# '''Stop recording''': when completed, press the ''Stop recording'' button
# '''Review recording''': you can listen to or watch the recording via the provided controls. Either attach the clip to your text or record it again.

The maximum length and quality (bitrate) can be [[TinyMCE editor#Tiny Record RTC plugin for Moodle|configured]] at admin level.
=== Insert / Edit code sample ===
The Tiny editor lets you insert and embed syntax color highlighted code snippets into the editable area.
[[File:Tiny - Code Sample.png|border|center|frameless|600x600px]]
While you can select the (programming) language at the top, it doesn't have any impact on the way the code is displayed.

Tiny also supports formatting of code elements (''Format -> Code''), which changes the selected text to the internally defined <code>code style</code>.
=== Insert Table ===
Tiny comes with comprehensive table management functionality to handle grid-like structures in your text. In addition to the Insert table menu item, an entire main menu has been dedicated to tables.
[[File:Tiny - Table.png|border|center|frameless|450x450px]]
Once a table has been added, you can customise individual cells, row, columns, and the properties of the entire table. The following self-explanatory menu items are available, all supporting standard HTML table options:
* Cell
** Cell properties
** Merge cells
** Split cells
* Row
** Insert row before
** Insert row after
** Delete row
** Row properties
** Cut row
** Copy row
** Paste row before
** Paste row after
* Column
** Insert column before
** Insert column after
** Delete column
** Cut column
** Copy column
** Paste column before
** Paste column after
* Table properties
* Delete table
[[File:Tiny - Table operations.png|border|center|frameless|600x600px]]
The table editor also shows context-sensitive menus when editing different table elements.
=== Insert special character ===
The special character picker lets you insert letters and symbols (a map of special unicode characters) that are difficult or impossible to access via your keyboard. You can either search by keyword and / or browse categories.
[[File:Tiny - Special character.png|border|center|frameless|450x450px]]
=== Insert Emojis ===
Bring a smiley to your content: The emoji picker lets you insert pictograms. You can either search by keyword and / or browse categories.
[[File:Tiny - Emojis.png|border|center|frameless|450x450px]]
=== Insert HTML elements ===
The following 4 HTML elements are supported by TinyMCE via menus:
* '''Insert horizontal line''': Adds an HTML line to your text.

* '''Insert page break''': Adds a page break (<code><nowiki></nowiki></code>) to your text.

* '''Insert nonbreaking space''': Add an nonbreaking space (<code>&nbsp;</code>) at the current cursor location.

* '''Insert anchor''': Insert anchors (sometimes referred to as a bookmarks) to your text. Users will be prompted via a dialog box to enter a string. The string will be inserted into the HTML as an anchor id at the location of the cursor. For example, a user places their cursor at the beginning of "Moodle" and clicks on the anchor button and enters "start" in the dialog box. The resulting HTML will take the form of <code><nowiki><a id="start"></a></nowiki>Moodle<nowiki></nowiki></code>.
=== Insert date/time ===
The Insert date/time options lets you easily insert the current date and/or time into the editable area at the cursor insertion point.
[[File:Tiny - DateTime.png|border|center|frameless]]
The available format options depend on the selected language.
[[File:Tiny - Equation editor.png|thumb]]
=== Equation editor ===
If either the [[MathJax filter|MathJax]] or the [[TeX notation filter|TeX]] filters are enabled (in ''Site administration > Plugins > Filters > Manage filters'') then the ''Insert equation'' option is provided in the TinyMCE editor for launching the equation editor.

Internally, the equation editor uses the [https://docs.moodle.org/400/en/TeX_notation_filter TeX notation] which can either be entered manually and / or interactively. The interactive elements are grouped into 4 categories (Operators, Arrows, Greek symbols, and Advanced). The content of each tab can be configured via the [[Equation editor settings]].

At the bottom of the editor, a preview is shown.
=== Configure H5P content ===
You can embed [[H5P]] content via the ''Configure H5P content'' menu as follows:
# Browse the Content bank repository and select an H5P file
# Choose to either make a copy of the file or create a shortcut
# Optionally, configure the H5P options (Allow download, Embed button, Copyright button)
# Click the button 'Select this file'
# Click 'Insert H5P'These steps will automatically enter the internal address in the H5P URL field. Alternatively, you can enter any internal or external H5P URL manually.
Note: If you create a shortcut to the file, you can edit it in the Content bank and any activities with a link to the file will be updated.
== Tiny tools ==
[[File:Tiny - Tools menu.png|thumb]]
The following tools are available in vie the '''Tools''' menu:
=== View source code ===
The source code pop up window displays the code of the page, usually HTML or JS. The code can be modified in plain text; once the window is closed, any changes will be reflected in the WYSIWYG mode.
[[File:Tiny - Source code.png|center|frameless|900x900px]]
=== Word count ===
The word pop up windows displays the number of words and the number of characters (with and without spaces) of the entire document and the selected text, respectively.
[[File:Tiny - Word count.png|border|center|frameless|600x600px|alt=]]

The number of words are also shown in the editor's footer.
=== Accessibility checker ===
The automated [[accessibility]] checker checks for some common errors in the text. These are usually elements in the way the text is constructed that can prevent all users from having equal access to information and functionality. The list of problems that the accessibility checker looks for is:
* Images with missing or empty alt text (unless they have the presentation role)
* Contrast of font colour and background colour meets [https://en.wikipedia.org/wiki/Web_Content_Accessibility_Guidelines WCAG AA guidelines]
* Long blocks of text are sufficiently broken up into headings
* All tables require captions
* Tables should not contain merged cells as they are difficult to navigate with screen readers
* All tables should contain row or column headers
=== Media Manager ===
The media manager shows all media files that have been embedded in the text.

The top part of the media manager shows the familiar file management element where you can add, download, and delete attached files.

Files that have been attached and deleted again are shown at the bottom half of the screen.
[[File:Tiny - Media manager.png|border|center|frameless|600x600px]]
== Keyboard shortcuts ==
The following keyboard shortcuts will work in the Tiny text editor in most browsers. Note that for many of these commands to work you need to either click in the text editor or select content in the text editor.
=== Editor shortcuts ===
{| class="wikitable"
!Windows Command
!Mac Command
!Function
|-
|Ctrl + Shift + f
|⌘ + Shift + f
|Full screen toggle
|-
|Ctrl + c
|⌘ + c
|Copy
|-
|Ctrl + v
|⌘ + v
|Paste
|-
|Ctrl + Shift + v
|⌘ + Shift + v
|Paste without formatting (very useful)
|-
|Ctrl + x
|⌘ + x
|Cut
|-
|Ctrl + z
|⌘ + z
|Undo
|-
|Ctrl + y
|⌘ + y
|Redo
|-
|Ctrl + a
|⌘ + a
|Select all
|-
|Ctrl + f
|⌘ + f
|Find and replace
|-
|F3
|<s>F3</s>
|Find next
|-
|Shift + F3
|<s>Shift + F3</s>
|Find previous
|-
|Ctrl + b
|⌘ + b
|Bold
|-
|Ctrl + i
|⌘ + i
|Italics
|-
|Ctrl + u
|⌘ + u
|Underline
|-
|Ctrl + k
|⌘ + k
|Insert/edit link
|-
|Ctrl + Right arrow
|Option + Right arrow
|Move to the end of the next word
|-
|Ctrl + Left arrow
|Option + Left arrow
|Move to the end of the previous word
|-
|Ctrl + Shift + Right arrow
|Shift + Option + Right arrow
|Select the next word or letter
|-
|Ctrl + Shift + Left arrow
|Shift + Option + Left arrow
|Select the previous word or letter
|-
|Ctrl + Shift + Home
|<s>⌘ + Shift + Home</s>
|Select from the cursor to the beginning of the page
|-
|Ctrl + Shift + End
|<s>⌘ + Shift + End</s>
|Select from the cursor to the end of the page
|-
|Ctrl + Home
|⌘ + Up arrow
|Move to the beginning of the page
|-
|Ctrl + End
|⌘ + Down arrow
|Move to the end of the page
|-
|Ctrl + Backspace
|<s>⌘ + Backspace</s>
|Delete word or letter to the left
|-
|Ctrl + Delete
|<s>⌘ + Delete</s>
|Delete word or letter to the right
|-
|Ctrl + P
|⌘ + P
|Print
|-
|Alt+Shift+1
|Ctrl+Option+1
|Header 1
|-
|Alt+Shift+2
|Ctrl+Option+2
|Header 2
|-
|Alt+Shift+3
|Ctrl+Option+3
|Header 3
|-
|Alt+Shift+4
|Ctrl+Option+4
|Header 4
|-
|Alt+Shift+5
|Ctrl+Option+5
|Header 5
|-
|Alt+Shift+6
|Ctrl+Option+6
|Header 6
|-
|Alt+Shift+7
|Ctrl+Option+7
|Paragraph
|-
|Alt+Shift+8
|Ctrl+Option+8
|Div
|-
|Alt+Shift+9
|Ctrl+Option+9
|Address
|-
|Alt+0
|Option+0
|Help dialogue (list of shortcuts)
|-
|Ctrl and +
|⌘ and +
|Zoom in (not specific to the editor, but very useful)
|-
|Ctrl and -
|⌘ and -
|Zoom out (not specific to the editor, but very useful)
|-
|Ctrl and 0
|⌘ and 0
|Reset zoom (not specific to the editor, but very useful)
|-
|Double-click
|Double-click
|Select word
|-
|Triple-click
|Triple-click
|Select line
|}
=== Keyboard navigation ===
The sections of the outer UI of the editor - the menubar, toolbar, sidebar and footer - are all keyboard navigable.
==== Activating keyboard navigation ====
There are multiple ways to activate keyboard navigation:
* Focus the menubar: Alt + F9 (Windows) or ⌥F9 (MacOS)
* Focus the toolbar: Alt + F10 (Windows) or ⌥F10 (MacOS)
* Focus the footer: Alt + F11 (Windows) or ⌥F11 (MacOS)
Focusing the menubar or toolbar will start keyboard navigation at the first item in the menubar or toolbar, which will be highlighted with a gray background. Focusing the footer will start keyboard navigation at the first item in the element path, which will be highlighted with an underline.
==== Moving between UI sections ====
When keyboard navigation is active, pressing tab will move the focus to the next major section of the UI, where applicable. These sections are:
* the menubar
* each group of the toolbar
* the sidebar
* the element path in the footer
* the wordcount toggle button in the footer
* the branding link in the footer
* the editor resize handle in the footer
Pressing shift + tab will move backwards through the same sections, except when moving from the footer to the toolbar. Focusing the element path then pressing shift + tab will move focus to the first toolbar group, not the last.
==== Moving within UI sections ====
Keyboard navigation within UI sections can usually be achieved using the left and right arrow keys. This includes:
* moving between menus in the menubar
* moving between buttons in a toolbar group
* moving between items in the element path
In all these UI sections, keyboard navigation will cycle within the section. For example, focusing the last button in a toolbar group then pressing right arrow will move focus to the first item in the same toolbar group.
==== Executing buttons ====
To execute a button, navigate the selection to the desired button and hit space or enter.
==== Opening, navigating and closing menus ====
When focusing a menubar button or a toolbar button with a menu, pressing space, enter or down arrow will open the menu. When the menu opens the first item will be selected. To move up or down the menu, press the up or down arrow key respectively. This is the same for submenus, which can also be opened and closed using the left and right arrow keys.

To close any active menu, hit the escape key. When a menu is closed the selection will be restored to its previous selection. This also works for closing submenus.
==== Context toolbars and menus ====
To focus an open context toolbar such as the table context toolbar, press Ctrl + F9 (Windows) or ⌃F9 (MacOS).

Context toolbar navigation is the same as toolbar navigation, and context menu navigation is the same as standard menu navigation.
==== Dialog navigation ====
There are two types of dialog UIs in TinyMCE: tabbed dialogs and non-tabbed dialogs.

When a non-tabbed dialog is opened, the first interactive component in the dialog will be focused. Users can navigate between interactive components by pressing tab. This includes any footer buttons. Navigation will cycle back to the first dialog component if tab is pressed while focusing the last component in the dialog. Pressing shift + tab will navigate backwards.

When a tabbed dialog is opened, the first button in the tab menu is focused. Pressing tab will navigate to the first interactive component in that tab, and will cycle through the tab's components, the footer buttons, then back to the tab button. To switch to another tab, focus the tab button for the current tab, then use the arrow keys to cycle through the tab buttons.
==== Accessibility shortcuts ====
This is a list of available keyboard shortcuts within the editor user interface.
{| class="wikitable"
!Windows Command
!Mac Command
!Function
|-
|Enter / Spacebar
|Enter / Spacebar
|Execute command
|-
|Tab
|Tab
|Focus on next UI Element(such as: Menu bar, Toolbar, Toolbar Group, Status Bar Item)
|-
|Shift+Tab
|Shift+Tab
|Focus on previous UI Element(such as: Menu bar, Toolbar, Toolbar Group, Status Bar Item)
|-
|Right Arrow / Down Arrow
|Right Arrow / Down Arrow
|Focus next Control(such as: toolbar button, menu, or menu item)
|-
|Left Arrow / Up Arrow
|Left Arrow / Up Arrow
|Focus previous Control(such as: toolbar button, menu, or menu item)
|-
|Down Arrow / Spacebar
|Down Arrow / Spacebar
|Open menu or toolbar menu button
|-
|Spacebar
|Spacebar
|Open group toolbar button
|-
|Down Arrow
|Down Arrow
|Open split toolbar button
|-
|Shift+Enter
|Shift+Enter
|Open the popup menu on split toolbar buttons
|-
|Right Arrow
|Right Arrow
|Open submenu
|-
|Left Arrow / Esc
|Left Arrow / Esc
|Close submenu
|-
|Esc
|Esc
|Close dialog
|-
|Esc
|Esc
|Close menu
|-
|Esc
|Esc
|Move focus back to editor body
|}
'''Note''': Browsers and Screen Readers provide additional shortcuts within the editor context.
==Site administration settings==
=== General settings ===
From ''Site administration > Plugins > Text editors > TinyMCE editor'' you can disable and enable certain settings, for example the Tiny HTML formatter, Tiny no-auto link and access the setting for the paid service TinyMCE Premium.

You can also disable the TinyMCE branding logo which appears at the bottom of the editor.

====TinyMCE Premium====
TinyMCE Premium requires a paid subscription. Your API key is available on your [https://www.tiny.cloud/ Tiny Cloud] account page if you have purchased a subscription, or if you are on a free trial.

You can enter the API key and enable specific premium plugins at ''Site administration > Plugins > Text editors > TinyMCE Premium''.

For TinyMCE premium features charging is done on "per request" basis (number of editor loads). You can make use of the capability 'Access TinyMCE Premium features' (tiny/premium:accesspremium) (new in Moodle 4.4) to control which users can use premium features and in which context.

The TinyMCE features that may be available to your Moodle site with a Premium subscription are:

* Advanced Tables
* Advanced Typography
* Case Change
* Checklist
* Enhanced Image Editing
* Export
* Footnotes
* Format Painter
* Link Checker
* Page Embed
* Permanent Pen
* PowerPaste
* Spell Checker Pro
* Spelling Autocorrect
* Table of Contents

You can learn more about these features on [https://www.tiny.cloud/tinymce/features/#productivity TinyMCE's website]. Please note that not all plugins listed on TinyMCE's website are currently available to Moodle users.

=== Equation editor settings ===
[[File:Tiny - Equation editor settings.png|thumb]]
The equation editor has 4 tabs: Operators, Arrows, Greek symbols, and Advanced. The commands that are available on each tab and their order can be configured in ''Site administration > Plugins > Text editors > TinyMCE editor > Equation editor settings''.

For each group, the list of commands is shown in TeX format.
=== Tiny Record RTC plugin for Moodle ===
[[File:Tiny - RTC settings.png|thumb]]
Tiny fully supports media recording through. Internally, RecordRTC is utilised, an open source JavaScript library using WebRTC for audio and video recording. To configure its settings, navigate to ''Site administration > Plugins > Text editors > TinyMCE editor > RecordRTC'':

The following options have an impact on server resources, both in terms of bandwidth and disk usage:
* '''Allowed types''': You can specify whether '''Audio and video''' recording are supported or '''Audio only''' or '''Video only'''. There are two capabilities to control access to the TinyMCE buttons: '''[[Capabilities/tiny/recordrtc:recordvideo]]''' and '''[[Capabilities/tiny/recordrtc:recordaudio]]'''
* '''Audio bitrate''' and '''Video bitrate''': The lower the bitrates, the smaller the file sizes, and vice versa. The default bitrate for recorded audio (128000) should generate files of about 15 KB per minute; the default bitrate for recorded video (2500000) to files of approximately 20 MB per minute.
* '''Audio time limit in seconds''' and '''Video time limit in seconds''': The default time limit is 2 minutes for audio and video recording. Again, the longer the maximum recording length, the bigger the resulting files.

Recordings are stored in subdirectories of ''$CFG->dataroot>/filedir''. Ensure ''post_max_size'' and ''upload_max_filesize'' are configured in line with your expected maximum recording sizes.

[[es:Editor TinyMCE]]
[[de:TinyMCE-Editor]]
[[fr:Éditeur TinyMCE]]

TeX notation filter

2024-08-14T05:59:42Z

Michaelh2: /* Installing the binaries */

{{Filters}}
The TeX Filter is a core Moodle filter intended to allow one to convert tex expressions into GIF, PNG or SVG images. The filter relies on some additional binaries to accomplish this for expressions contained between appropriate tokens. Where these binaries are not available, Moodle provides for a fallback through the use of Mimetex. Versions of MimeTex for Linux (glib2.3 32bit), Windows, Mac OS X and FreeBSD are included in the Moodle distribution. There are other technologies available for displaying Tex (see the section on [[Mathematics]] tools for a discussion.)

'''Note''': being based on binaries it requires the availability of three PHP program execution functions: <code><nowiki>exec</nowiki></code>, <code><nowiki>shell_exec</nowiki></code> and <code><nowiki>system</nowiki></code>.

== Methods and Usage ==

To avoid confusion you should note that the TeX filter has two separate methods for converting the TeX notation to images. The preferred method is a collection of three binaries that you are responsible for installing (if they are not already present, though many webhosts make these available) and configuring on your server. The filter settings page relates entirely to this method. If this fails for any reason the filter will fall back to a single binary - MimeTeX. A number of different builds are included in the Moodle distribution for popular operating systems, though Mimetex and its bigger brother, MathTex are easy enough to compile and install if you have systems administration experience.

Before doing anything else, you need to go to ''Settings > Site administration > Plugins > Filters'' and activate the TeX Notation Filter. If you want to use the Algebra filter (another core filter) since the Algebra Filter is really only a "front end" to the Tex filter, you should also turn on the Algebra filter. For more information on the Algebra Filter see the [[Algebra filter]].

Once the filter is turned on and properly configured you can make use of it by
including a TeX expression delimited by double-dollar signs. Example:

$$ \sqrt{x + y} $$

If this does not display properly, see the information on debugging.

== MimeTeX ==

Moodle may use a pre-built MimeTeX binary (located in the filters/tex directory) as a fallback if it can't properly access dvips, convert and latex binaries. There are a number of different versions for different operating systems. The TeX filter picks the appropriate binary for the detected host operating system (you will need to hack the script if your operating system is not included). Note that your web server needs to be set up with appropriate permissions for running binaries in that location.

The [http://www.forkosh.com/mimetexmanual.html MimeTeX manual] is available but is arguably intended for persons with systems administration experience and does not specifically address the Moodle environment.

You should only use MimeTeX if installing the full LaTeX system fails or the binaries are not available on your system. The results are not nearly as good.

== Compatability with MathJax ==

In Moodle 2.8 onwards, the TeX Notation and MathJaxloader filter may be used in combination. If both filters are enabled on the page, images will be displayed first by the TeX notation filter, and the MathJax version of the TeX expression will replace a little while later when MathJax has finished loading and processing. If both filters are available, a teacher may decide which to use in an activity by enabling one and disabling the other.

== Site administration settings ==

Location: TeX Notation settings link in ''Settings > Site administration > Plugins > Filters > Manage filters''

The TeX filter settings page are primarily intended to adjust the operation of the LaTeX renderer. The defaults for the three path settings are selected according to the detection of the operating system on which Moodle is running. These are simply suggested common values - Moodle does not check that the binaries actually exist at these locations. More recent versions of Moodle show a green tick or a red cross next to the path setting - this shows that the binary exists at that location (only). The settings have no effect on the operation of the MimeTex binary (used if any of these binaries are not found).

==== Installing the binaries ====

This depends on your platform, but for a typical install you are going to need a LaTeX implementation. On modern Linux implementations you should look for the 'texlive' package (e.g. ''apt-get install texlive'') although a Windows version is available (see [http://www.tug.org/texlive/doc/texlive-en/texlive-en.html Tex Live]). It is highly unlikely that you will have all these binaries as part of a standard install. If you cannot find texlive you may have to install LaTeX, Ghostscript and ImageMagick separately. While not endorsed by Moodle.org, a simple installation binary for Windows is [http://miktex.org/ MikTeX].

For security reasons, you should ensure shell escape is disabled (''shell_escape = f'') in your LaTeX configuration (if is enabled, this will be set to "t"). This is to prevent the risk of users being able to execute external commands. Note that this is usually disabled by default. (If this is set to "p" ie restricted mode, a predefined set of commands are allowed, if this is the desired behaviour, be extremely careful which commands are allowed given all users will have access to these).

The filter settings page will try to guess the most likely location for the binary files depending on the detected platform. If correct, green ticks will appear against each setting. If red crosses appear you will need to check and modify the settings as required. A simple check is made to establish if the binaries exist at the given paths. A tick or a cross is displayed alongside each as a result. Note that this does not check that the application actually works, just that it is there.

Some systems supply the fonts as separate packages. If you are having problems make sure you have all the fonts you need installed. You may need to track down an 'extra' fonts package to get the required maths fonts.

==== LaTeX preamble ====

Enables the LaTeX preamble to be specified. The default should work for most users, but you may need to change it to support non-Latin character sets etc. Please see the LaTeX documentation for further details.

==== Transparent colour ====

This should be set to your normal text background colour. The default setting is #FFFFFF (i.e., white).

==== Density ====

This setting effects the size of the resulting image. The default setting is 120 pixels, and it produces an image of reasonable quality, but for some complicated equations, this still may not be enough. It may be that anything less is not going to produce an image of sufficient quality but the image size can be controlled by the TeX encoding when the page is rendered.

==== Path of ''latex'' binary ====

Path to standard latex binary.

On Unix based systems it is normally "/usr/bin/latex". On a MacOS X, the path is "/usr/texbin/".

In Windows, using MiKTeX, it is usually something like C:\texmf\miktex\bin\latex.exe

==== Path of ''dvips'' binary ====

Path to standard dvips binary - generally distributed as part of a LaTeX system.

On Unix based systems it is normally "/usr/bin/dvips". On a MacOS X, the path is "/usr/texbin/".

On Windows using MikTeX is usually something like C:\texmf\miktex\bin\dvips.exe

==== Path of ''convert'' binary ====

Path to standard convert binary. It is necessary to produce GIF or PNG images from using the latex and dvips binaries. This is distributed as part of the Ghostscript system, or ImageMagick in Linux.

On Unix based systems it is normally "/usr/bin/convert". On a MacOS X, the path is "/usr/local/bin/".

On a Windows-based PC the path is something like C:\Program Files\ImageMagick\convert.exe (for ImageMagick, but something else for GhostScript.)

==== Path of ''dvisvgm'' binary ====

This binary is used instead of convert to produce SVG images. This is distributed as part of TeXlive on Linux although it may be require the full or extra packages to be installed.

On Unix based systems it is normally "/usr/bin/dvisvgm".

On a Windows-based PC a compiled binary is available from [http://dvisvgm.sourceforge.net/Downloads sourceforge] and can placed in the same directory with the latex binary.

==== Path of ''mimetex'' binary ====

If this is blank and the binaries above are missing or fail, the TeX filter will attempt to use a mimetex binary distributed with Moodle. If you have installed mimetex on the server and would rather use it include the path here.

== Debugging TeX filter ==

The TeX filter has a debugging script (which will be much more helpful if you turn on [[Debugging]]) included that should help if you are having problems. The URL will be as follows...

<nowiki>http://your.moodle.path/filter/tex/texdebug.php</nowiki>

You can either enter this path explicitly or with appropriate role permissions the TeX images (or more likely incorrectly rendered text, if you need debugging) will link to this. On more recent versions of Moodle you are ''required'' to be logged in as an Administrator to access this facility.

== See also ==

* [http://academy.edulabs.org/mod/glossary/print.php?id=764&mode&hook=ALL&sortkey&sortorder&offset=0&pagelimit=10 TeX Filter Glossary] - a [[glossary]] you can add to your course which details usage of the supported [[TeX notation]].
* [http://www.latex-project.org/ LaTeX] - the LaTeX document preparation system.
* [http://www.ghostscript.com/ ghostscript] - required to render the image
* [http://www.forkosh.com/mimetexmanual.html MimeTeX Manual] - Default TeX notation manual
* [http://www.miktex.org/ MikTeX] - LaTeX for Windows systems
* [http://www.imagemagick.org/script/index.php ImageMagick] - required to render images for Windows
* [[Using TeX Notation]]
* [[Advanced Maths Tools]] for Moodle 2.x - SEE - The Next Generation of TeX Tools
* [https://moodle.org/mod/forum/view.php?id=752 Mathematics tools forum] on moodle.org

[[Category:Site administration]]
[[Category:Mathematics]]

[[de:TeX-Notation]]
[[es:Filtro de notación TeX]]

TinyMCE editor

2024-06-13T03:04:26Z

Michaelh2: /* What is TinyMCE? */

{{Editing text}}
==What is TinyMCE?==
TinyMCE is a powerful rich-text editor that allows users to create formatted content within a user-friendly interface.

The popular editor is the default editor in all sites from Moodle 4.4 onwards. In Moodle 4.2 and 4.3, TinyMCE is the default editor for new installations only, but can be made default for upgraded sites from ''Administration > Site administration > Plugins > Text editors > Manage editors''. From that page, text editors can be enabled, disabled, ordered by priority and the default editor can also be configured. If more than one text editor is enabled, users can select their preferred editor via their preferences page: ''User menu > Preferences > Editor preferences.''

{{MediaPlayer | url = https://youtu.be/Q-D6nWSusrY | desc = Overview of TinyMCE}}

== Tiny Toolbar ==
The following buttons are available on the toolbar (not all buttons might show in all scenarios:)
[[File:latestTiny.png|center]]

The available buttons are as follows:
{| class="wikitable"
|+
!#
!Button
!#
!Button
!#
!Button
|-
|1
|Undo and Redo
|10
|No auto-link
|18
|Numbered list
|-
|2
|Bold and Italic
|11
|Full screen
|19
|Equation editor
|-
|3
|Insert image/modify properties
|12
|Align left
|20
|Toggle second toolbar (if present)
|-
|4
|Insert audio/video/modify properties
|13
|Align centre
|21
|
|-
|5
|[[Audio|Record audio]]
|14
|Align right
|
|
|-
|6
|[[Video|Record video]]
|15
|L/R and R/L directionality
|
|
|-
|7
|Insert H5P / modify H5P properties
|16
|Decrease/increase indent
|
|
|-
|8
|Link
|17
|Bullets list
|
|
|-
|9
|Unlink
|
|
|
|
|}
Some button have pre-requisites to display, for instance, the equation editor button will only show if either the [[MathJax filter|MathJax]] or the [[TeX notation filter|TeX notation]] filters are enabled (in ''Site administration > Plugins > Filters > Manage filters''), while the H5P option will only show if the ''tiny/h5p:addembed'' capability has been granted.

== Tiny features ==
[[File:Tiny - Insert menu.png|thumb]]
The following features are available from the '''Insert''' menu:
=== Insert / Edit image ===
The easiest way to insert an image is via drag'n'drop. Alternatively, you can use the ''Insert image'' tool, which gives you more control over some image properties:
* '''URL''': The (internal or external) address of the image. You can either enter a URL manually or select an image from the repository browser, which adds the URL automatically.
*'''Description''': Unless the image is labelled decorative only, a description must be provided for screenreader users
*'''Size''': Initially, the image's width and height are set. These can be adjusted to fit your text. When the ''Auto size'' checkbox remains ticked, the image's width-height ratio stays intact.
* '''Alignment''': Options are ''Top'', ''Middle'', and ''Bottom''.
[[File:Tiny - Image.png|border|center|frameless|450x450px]]
To modify image properties once it has been added to your text, select the image and press the ''Image'' button on the mini toolbar that shows up.
=== Insert / Edit Link ===
When inserting or editing a link to another (internal or external) page, you can provide the following settings:
* '''URL''': The address of the page to navigate to. If left empty, the option ''<top>'' and ''<bottom>'' are available
* '''Text to display''': The text that is shown in the text, represented as a link
* '''Title''': The text shown when hovering over the link
* '''Browse repositories''': Upload a file to link to.
* '''Open link in...''': The page can either be opened in the '''Current Window''' or a '''New window'''
[[File:Tiny - Link.png|border|center|frameless|450x450px]]
=== Insert / Edit Multimedia ===
To insert existing audio or videos clips, the TinyMCE editor supports Moodle standard [[Media embedding|Media embedding interface]].
[[File:Tiny - Audio & Video.png|thumb]]
=== Record audio and video ===
TinyMCE lets users record [[audio]] and [[video]] clips which will attach to the text once recorded. Each recording comprises three steps:
# '''Start recording''': when ready, press the ''Start recording'' button
# '''Stop recording''': when completed, press the ''Stop recording'' button
# '''Review recording''': you can listen to or watch the recording via the provided controls. Either attach the clip to your text or record it again.

The maximum length and quality (bitrate) can be [[TinyMCE editor#Tiny Record RTC plugin for Moodle|configured]] at admin level.
=== Insert / Edit code sample ===
The Tiny editor lets you insert and embed syntax color highlighted code snippets into the editable area.
[[File:Tiny - Code Sample.png|border|center|frameless|600x600px]]
While you can select the (programming) language at the top, it doesn't have any impact on the way the code is displayed.

Tiny also supports formatting of code elements (''Format -> Code''), which changes the selected text to the internally defined <code>code style</code>.
=== Insert Table ===
Tiny comes with comprehensive table management functionality to handle grid-like structures in your text. In addition to the Insert table menu item, an entire main menu has been dedicated to tables.
[[File:Tiny - Table.png|border|center|frameless|450x450px]]
Once a table has been added, you can customise individual cells, row, columns, and the properties of the entire table. The following self-explanatory menu items are available, all supporting standard HTML table options:
* Cell
** Cell properties
** Merge cells
** Split cells
* Row
** Insert row before
** Insert row after
** Delete row
** Row properties
** Cut row
** Copy row
** Paste row before
** Paste row after
* Column
** Insert column before
** Insert column after
** Delete column
** Cut column
** Copy column
** Paste column before
** Paste column after
* Table properties
* Delete table
[[File:Tiny - Table operations.png|border|center|frameless|600x600px]]
The table editor also shows context-sensitive menus when editing different table elements.
=== Insert special character ===
The special character picker lets you insert letters and symbols (a map of special unicode characters) that are difficult or impossible to access via your keyboard. You can either search by keyword and / or browse categories.
[[File:Tiny - Special character.png|border|center|frameless|450x450px]]
=== Insert Emojis ===
Bring a smiley to your content: The emoji picker lets you insert pictograms. You can either search by keyword and / or browse categories.
[[File:Tiny - Emojis.png|border|center|frameless|450x450px]]
=== Insert HTML elements ===
The following 4 HTML elements are supported by TinyMCE via menus:
* '''Insert horizontal line''': Adds an HTML line to your text.

* '''Insert page break''': Adds a page break (<code><nowiki></nowiki></code>) to your text.

* '''Insert nonbreaking space''': Add an nonbreaking space (<code>&nbsp;</code>) at the current cursor location.

* '''Insert anchor''': Insert anchors (sometimes referred to as a bookmarks) to your text. Users will be prompted via a dialog box to enter a string. The string will be inserted into the HTML as an anchor id at the location of the cursor. For example, a user places their cursor at the beginning of "Moodle" and clicks on the anchor button and enters "start" in the dialog box. The resulting HTML will take the form of <code><nowiki><a id="start"></a></nowiki>Moodle<nowiki></nowiki></code>.
=== Insert date/time ===
The Insert date/time options lets you easily insert the current date and/or time into the editable area at the cursor insertion point.
[[File:Tiny - DateTime.png|border|center|frameless]]
The available format options depend on the selected language.
[[File:Tiny - Equation editor.png|thumb]]
=== Equation editor ===
If either the [[MathJax filter|MathJax]] or the [[TeX notation filter|TeX]] filters are enabled (in ''Site administration > Plugins > Filters > Manage filters'') then the ''Insert equation'' option is provided in the TinyMCE editor for launching the equation editor.

Internally, the equation editor uses the [https://docs.moodle.org/400/en/TeX_notation_filter TeX notation] which can either be entered manually and / or interactively. The interactive elements are grouped into 4 categories (Operators, Arrows, Greek symbols, and Advanced). The content of each tab can be configured via the [[Equation editor settings]].

At the bottom of the editor, a preview is shown.
=== Configure H5P content ===
You can embed [[H5P]] content via the ''Configure H5P content'' menu as follows:
# Browse the Content bank repository and select an H5P file
# Choose to either make a copy of the file or create a shortcut
# Optionally, configure the H5P options (Allow download, Embed button, Copyright button)
# Click the button 'Select this file'
# Click 'Insert H5P'These steps will automatically enter the internal address in the H5P URL field. Alternatively, you can enter any internal or external H5P URL manually.
Note: If you create a shortcut to the file, you can edit it in the Content bank and any activities with a link to the file will be updated.
== Tiny tools ==
[[File:Tiny - Tools menu.png|thumb]]
The following tools are available in vie the '''Tools''' menu:
=== View source code ===
The source code pop up window displays the code of the page, usually HTML or JS. The code can be modified in plain text; once the window is closed, any changes will be reflected in the WYSIWYG mode.
[[File:Tiny - Source code.png|center|frameless|900x900px]]
=== Word count ===
The word pop up windows displays the number of words and the number of characters (with and without spaces) of the entire document and the selected text, respectively.
[[File:Tiny - Word count.png|border|center|frameless|600x600px|alt=]]

The number of words are also shown in the editor's footer.
=== Accessibility checker ===
The automated [[accessibility]] checker checks for some common errors in the text. These are usually elements in the way the text is constructed that can prevent all users from having equal access to information and functionality. The list of problems that the accessibility checker looks for is:
* Images with missing or empty alt text (unless they have the presentation role)
* Contrast of font colour and background colour meets [https://en.wikipedia.org/wiki/Web_Content_Accessibility_Guidelines WCAG AA guidelines]
* Long blocks of text are sufficiently broken up into headings
* All tables require captions
* Tables should not contain merged cells as they are difficult to navigate with screen readers
* All tables should contain row or column headers
=== Media Manager ===
The media manager shows all media files that have been embedded in the text.

The top part of the media manager shows the familiar file management element where you can add, download, and delete attached files.

Files that have been attached and deleted again are shown at the bottom half of the screen.
[[File:Tiny - Media manager.png|border|center|frameless|600x600px]]
== Keyboard shortcuts ==
The following keyboard shortcuts will work in the Tiny text editor in most browsers. Note that for many of these commands to work you need to either click in the text editor or select content in the text editor.
=== Editor shortcuts ===
{| class="wikitable"
!Windows Command
!Mac Command
!Function
|-
|Ctrl + Shift + f
|⌘ + Shift + f
|Full screen toggle
|-
|Ctrl + c
|⌘ + c
|Copy
|-
|Ctrl + v
|⌘ + v
|Paste
|-
|Ctrl + Shift + v
|⌘ + Shift + v
|Paste without formatting (very useful)
|-
|Ctrl + x
|⌘ + x
|Cut
|-
|Ctrl + z
|⌘ + z
|Undo
|-
|Ctrl + y
|⌘ + y
|Redo
|-
|Ctrl + a
|⌘ + a
|Select all
|-
|Ctrl + f
|⌘ + f
|Find and replace
|-
|F3
|<s>F3</s>
|Find next
|-
|Shift + F3
|<s>Shift + F3</s>
|Find previous
|-
|Ctrl + b
|⌘ + b
|Bold
|-
|Ctrl + i
|⌘ + i
|Italics
|-
|Ctrl + u
|⌘ + u
|Underline
|-
|Ctrl + k
|⌘ + k
|Insert/edit link
|-
|Ctrl + Right arrow
|Option + Right arrow
|Move to the end of the next word
|-
|Ctrl + Left arrow
|Option + Left arrow
|Move to the end of the previous word
|-
|Ctrl + Shift + Right arrow
|Shift + Option + Right arrow
|Select the next word or letter
|-
|Ctrl + Shift + Left arrow
|Shift + Option + Left arrow
|Select the previous word or letter
|-
|Ctrl + Shift + Home
|<s>⌘ + Shift + Home</s>
|Select from the cursor to the beginning of the page
|-
|Ctrl + Shift + End
|<s>⌘ + Shift + End</s>
|Select from the cursor to the end of the page
|-
|Ctrl + Home
|⌘ + Up arrow
|Move to the beginning of the page
|-
|Ctrl + End
|⌘ + Down arrow
|Move to the end of the page
|-
|Ctrl + Backspace
|<s>⌘ + Backspace</s>
|Delete word or letter to the left
|-
|Ctrl + Delete
|<s>⌘ + Delete</s>
|Delete word or letter to the right
|-
|Ctrl + P
|⌘ + P
|Print
|-
|Alt+Shift+1
|Ctrl+Option+1
|Header 1
|-
|Alt+Shift+2
|Ctrl+Option+2
|Header 2
|-
|Alt+Shift+3
|Ctrl+Option+3
|Header 3
|-
|Alt+Shift+4
|Ctrl+Option+4
|Header 4
|-
|Alt+Shift+5
|Ctrl+Option+5
|Header 5
|-
|Alt+Shift+6
|Ctrl+Option+6
|Header 6
|-
|Alt+Shift+7
|Ctrl+Option+7
|Paragraph
|-
|Alt+Shift+8
|Ctrl+Option+8
|Div
|-
|Alt+Shift+9
|Ctrl+Option+9
|Address
|-
|Alt+0
|Option+0
|Help dialogue (list of shortcuts)
|-
|Ctrl and +
|⌘ and +
|Zoom in (not specific to the editor, but very useful)
|-
|Ctrl and -
|⌘ and -
|Zoom out (not specific to the editor, but very useful)
|-
|Ctrl and 0
|⌘ and 0
|Reset zoom (not specific to the editor, but very useful)
|-
|Double-click
|Double-click
|Select word
|-
|Triple-click
|Triple-click
|Select line
|}
=== Keyboard navigation ===
The sections of the outer UI of the editor - the menubar, toolbar, sidebar and footer - are all keyboard navigable.
==== Activating keyboard navigation ====
There are multiple ways to activate keyboard navigation:
* Focus the menubar: Alt + F9 (Windows) or ⌥F9 (MacOS)
* Focus the toolbar: Alt + F10 (Windows) or ⌥F10 (MacOS)
* Focus the footer: Alt + F11 (Windows) or ⌥F11 (MacOS)
Focusing the menubar or toolbar will start keyboard navigation at the first item in the menubar or toolbar, which will be highlighted with a gray background. Focusing the footer will start keyboard navigation at the first item in the element path, which will be highlighted with an underline.
==== Moving between UI sections ====
When keyboard navigation is active, pressing tab will move the focus to the next major section of the UI, where applicable. These sections are:
* the menubar
* each group of the toolbar
* the sidebar
* the element path in the footer
* the wordcount toggle button in the footer
* the branding link in the footer
* the editor resize handle in the footer
Pressing shift + tab will move backwards through the same sections, except when moving from the footer to the toolbar. Focusing the element path then pressing shift + tab will move focus to the first toolbar group, not the last.
==== Moving within UI sections ====
Keyboard navigation within UI sections can usually be achieved using the left and right arrow keys. This includes:
* moving between menus in the menubar
* moving between buttons in a toolbar group
* moving between items in the element path
In all these UI sections, keyboard navigation will cycle within the section. For example, focusing the last button in a toolbar group then pressing right arrow will move focus to the first item in the same toolbar group.
==== Executing buttons ====
To execute a button, navigate the selection to the desired button and hit space or enter.
==== Opening, navigating and closing menus ====
When focusing a menubar button or a toolbar button with a menu, pressing space, enter or down arrow will open the menu. When the menu opens the first item will be selected. To move up or down the menu, press the up or down arrow key respectively. This is the same for submenus, which can also be opened and closed using the left and right arrow keys.

To close any active menu, hit the escape key. When a menu is closed the selection will be restored to its previous selection. This also works for closing submenus.
==== Context toolbars and menus ====
To focus an open context toolbar such as the table context toolbar, press Ctrl + F9 (Windows) or ⌃F9 (MacOS).

Context toolbar navigation is the same as toolbar navigation, and context menu navigation is the same as standard menu navigation.
==== Dialog navigation ====
There are two types of dialog UIs in TinyMCE: tabbed dialogs and non-tabbed dialogs.

When a non-tabbed dialog is opened, the first interactive component in the dialog will be focused. Users can navigate between interactive components by pressing tab. This includes any footer buttons. Navigation will cycle back to the first dialog component if tab is pressed while focusing the last component in the dialog. Pressing shift + tab will navigate backwards.

When a tabbed dialog is opened, the first button in the tab menu is focused. Pressing tab will navigate to the first interactive component in that tab, and will cycle through the tab's components, the footer buttons, then back to the tab button. To switch to another tab, focus the tab button for the current tab, then use the arrow keys to cycle through the tab buttons.
==== Accessibility shortcuts ====
This is a list of available keyboard shortcuts within the editor user interface.
{| class="wikitable"
!Windows Command
!Mac Command
!Function
|-
|Enter / Spacebar
|Enter / Spacebar
|Execute command
|-
|Tab
|Tab
|Focus on next UI Element(such as: Menu bar, Toolbar, Toolbar Group, Status Bar Item)
|-
|Shift+Tab
|Shift+Tab
|Focus on previous UI Element(such as: Menu bar, Toolbar, Toolbar Group, Status Bar Item)
|-
|Right Arrow / Down Arrow
|Right Arrow / Down Arrow
|Focus next Control(such as: toolbar button, menu, or menu item)
|-
|Left Arrow / Up Arrow
|Left Arrow / Up Arrow
|Focus previous Control(such as: toolbar button, menu, or menu item)
|-
|Down Arrow / Spacebar
|Down Arrow / Spacebar
|Open menu or toolbar menu button
|-
|Spacebar
|Spacebar
|Open group toolbar button
|-
|Down Arrow
|Down Arrow
|Open split toolbar button
|-
|Shift+Enter
|Shift+Enter
|Open the popup menu on split toolbar buttons
|-
|Right Arrow
|Right Arrow
|Open submenu
|-
|Left Arrow / Esc
|Left Arrow / Esc
|Close submenu
|-
|Esc
|Esc
|Close dialog
|-
|Esc
|Esc
|Close menu
|-
|Esc
|Esc
|Move focus back to editor body
|}
'''Note''': Browsers and Screen Readers provide additional shortcuts within the editor context.
==Site administration settings==
=== General settings ===
From ''Site administration > Plugins > Text editors > TinyMCE editor'' you can disable and enable certain settings, for example the Tiny HTML formatter, Tiny no-auto link and access the setting for the paid service TinyMCE Premium.

You can also disable the TinyMCE branding logo which appears at the bottom of the editor.

====TinyMCE Premium====
TinyMCE Premium requires a paid subscription. Your API key is available on your [https://www.tiny.cloud/ Tiny Cloud] account page if you have purchased a subscription, or if you are on a free trial. Enter the API key from Site administration > Plugins > Text editors > TinyMCE Premium.

For TinyMCE premium features charging is done on "per request" basis (number of editor loads). You can make use of the capability 'Access TinyMCE Premium features' (tiny/premium:accesspremium) (new in Moodle 4.4) to control which users can use premium features and in which context.

The TinyMCE features that may be available to your Moodle site with a Premium subscription are:

* Advanced Tables
* Advanced Typography
* Case Change
* Checklist
* Enhanced Image Editing
* Export
* Footnotes
* Format Painter
* Link Checker
* Page Embed
* Permanent Pen
* PowerPaste
* Spell Checker Pro
* Spelling Autocorrect
* Table of Contents

You can learn more about these features on [https://www.tiny.cloud/tinymce/features/#productivity TinyMCE's website]. Please note that not all plugins listed on TinyMCE's website are currently available to Moodle users.

=== Equation editor settings ===
[[File:Tiny - Equation editor settings.png|thumb]]
The equation editor has 4 tabs: Operators, Arrows, Greek symbols, and Advanced. The commands that are available on each tab and their order can be configured in ''Site administration > Plugins > Text editors > TinyMCE editor > Equation editor settings''.

For each group, the list of commands is shown in TeX format.
=== Tiny Record RTC plugin for Moodle ===
[[File:Tiny - RTC settings.png|thumb]]
Tiny fully supports media recording through. Internally, RecordRTC is utilised, an open source JavaScript library using WebRTC for audio and video recording. To configure its settings, navigate to ''Site administration > Plugins > Text editors > TinyMCE editor > RecordRTC'':

The following options have an impact on server resources, both in terms of bandwidth and disk usage:
* '''Allowed types''': You can specify whether '''Audio and video''' recording are supported or '''Audio only''' or '''Video only'''. There are two capabilities to control access to the TinyMCE buttons: '''[[Capabilities/tiny/recordrtc:recordvideo]]''' and '''[[Capabilities/tiny/recordrtc:recordaudio]]'''
* '''Audio bitrate''' and '''Video bitrate''': The lower the bitrates, the smaller the file sizes, and vice versa. The default bitrate for recorded audio (128000) should generate files of about 15 KB per minute; the default bitrate for recorded video (2500000) to files of approximately 20 MB per minute.
* '''Audio time limit in seconds''' and '''Video time limit in seconds''': The default time limit is 2 minutes for audio and video recording. Again, the longer the maximum recording length, the bigger the resulting files.

Recordings are stored in subdirectories of ''$CFG->dataroot>/filedir''. Ensure ''post_max_size'' and ''upload_max_filesize'' are configured in line with your expected maximum recording sizes.

[[es:Editor TinyMCE]]
[[de:TinyMCE-Editor]]
[[fr:Éditeur TinyMCE]]

TinyMCE editor

2024-06-13T02:52:58Z

Michaelh2: /* What is TinyMCE? */

{{Editing text}}
==What is TinyMCE?==
TinyMCE is a powerful rich-text editor that allows users to create formatted content within a user-friendly interface.

The popular editor is the default editor in all sites from Moodle 4.4 onwards. In Moodle 4.2 and 4.3, TinyMCE is the default editor for new installations only, but can be made default for upgraded sites from ''Administration > Site administration > Plugins > Text editors > Manage editors''.

If enabled, users may select the '''TinyMCE editor''' from the ''User menu > Preferences > Editor preferences.''
{{MediaPlayer | url = https://youtu.be/Q-D6nWSusrY | desc = Overview of TinyMCE}}

== Tiny Toolbar ==
The following buttons are available on the toolbar (not all buttons might show in all scenarios:)
[[File:latestTiny.png|center]]

The available buttons are as follows:
{| class="wikitable"
|+
!#
!Button
!#
!Button
!#
!Button
|-
|1
|Undo and Redo
|10
|No auto-link
|18
|Numbered list
|-
|2
|Bold and Italic
|11
|Full screen
|19
|Equation editor
|-
|3
|Insert image/modify properties
|12
|Align left
|20
|Toggle second toolbar (if present)
|-
|4
|Insert audio/video/modify properties
|13
|Align centre
|21
|
|-
|5
|[[Audio|Record audio]]
|14
|Align right
|
|
|-
|6
|[[Video|Record video]]
|15
|L/R and R/L directionality
|
|
|-
|7
|Insert H5P / modify H5P properties
|16
|Decrease/increase indent
|
|
|-
|8
|Link
|17
|Bullets list
|
|
|-
|9
|Unlink
|
|
|
|
|}
Some button have pre-requisites to display, for instance, the equation editor button will only show if either the [[MathJax filter|MathJax]] or the [[TeX notation filter|TeX notation]] filters are enabled (in ''Site administration > Plugins > Filters > Manage filters''), while the H5P option will only show if the ''tiny/h5p:addembed'' capability has been granted.

== Tiny features ==
[[File:Tiny - Insert menu.png|thumb]]
The following features are available from the '''Insert''' menu:
=== Insert / Edit image ===
The easiest way to insert an image is via drag'n'drop. Alternatively, you can use the ''Insert image'' tool, which gives you more control over some image properties:
* '''URL''': The (internal or external) address of the image. You can either enter a URL manually or select an image from the repository browser, which adds the URL automatically.
*'''Description''': Unless the image is labelled decorative only, a description must be provided for screenreader users
*'''Size''': Initially, the image's width and height are set. These can be adjusted to fit your text. When the ''Auto size'' checkbox remains ticked, the image's width-height ratio stays intact.
* '''Alignment''': Options are ''Top'', ''Middle'', and ''Bottom''.
[[File:Tiny - Image.png|border|center|frameless|450x450px]]
To modify image properties once it has been added to your text, select the image and press the ''Image'' button on the mini toolbar that shows up.
=== Insert / Edit Link ===
When inserting or editing a link to another (internal or external) page, you can provide the following settings:
* '''URL''': The address of the page to navigate to. If left empty, the option ''<top>'' and ''<bottom>'' are available
* '''Text to display''': The text that is shown in the text, represented as a link
* '''Title''': The text shown when hovering over the link
* '''Browse repositories''': Upload a file to link to.
* '''Open link in...''': The page can either be opened in the '''Current Window''' or a '''New window'''
[[File:Tiny - Link.png|border|center|frameless|450x450px]]
=== Insert / Edit Multimedia ===
To insert existing audio or videos clips, the TinyMCE editor supports Moodle standard [[Media embedding|Media embedding interface]].
[[File:Tiny - Audio & Video.png|thumb]]
=== Record audio and video ===
TinyMCE lets users record [[audio]] and [[video]] clips which will attach to the text once recorded. Each recording comprises three steps:
# '''Start recording''': when ready, press the ''Start recording'' button
# '''Stop recording''': when completed, press the ''Stop recording'' button
# '''Review recording''': you can listen to or watch the recording via the provided controls. Either attach the clip to your text or record it again.

The maximum length and quality (bitrate) can be [[TinyMCE editor#Tiny Record RTC plugin for Moodle|configured]] at admin level.
=== Insert / Edit code sample ===
The Tiny editor lets you insert and embed syntax color highlighted code snippets into the editable area.
[[File:Tiny - Code Sample.png|border|center|frameless|600x600px]]
While you can select the (programming) language at the top, it doesn't have any impact on the way the code is displayed.

Tiny also supports formatting of code elements (''Format -> Code''), which changes the selected text to the internally defined <code>code style</code>.
=== Insert Table ===
Tiny comes with comprehensive table management functionality to handle grid-like structures in your text. In addition to the Insert table menu item, an entire main menu has been dedicated to tables.
[[File:Tiny - Table.png|border|center|frameless|450x450px]]
Once a table has been added, you can customise individual cells, row, columns, and the properties of the entire table. The following self-explanatory menu items are available, all supporting standard HTML table options:
* Cell
** Cell properties
** Merge cells
** Split cells
* Row
** Insert row before
** Insert row after
** Delete row
** Row properties
** Cut row
** Copy row
** Paste row before
** Paste row after
* Column
** Insert column before
** Insert column after
** Delete column
** Cut column
** Copy column
** Paste column before
** Paste column after
* Table properties
* Delete table
[[File:Tiny - Table operations.png|border|center|frameless|600x600px]]
The table editor also shows context-sensitive menus when editing different table elements.
=== Insert special character ===
The special character picker lets you insert letters and symbols (a map of special unicode characters) that are difficult or impossible to access via your keyboard. You can either search by keyword and / or browse categories.
[[File:Tiny - Special character.png|border|center|frameless|450x450px]]
=== Insert Emojis ===
Bring a smiley to your content: The emoji picker lets you insert pictograms. You can either search by keyword and / or browse categories.
[[File:Tiny - Emojis.png|border|center|frameless|450x450px]]
=== Insert HTML elements ===
The following 4 HTML elements are supported by TinyMCE via menus:
* '''Insert horizontal line''': Adds an HTML line to your text.

* '''Insert page break''': Adds a page break (<code><nowiki></nowiki></code>) to your text.

* '''Insert nonbreaking space''': Add an nonbreaking space (<code>&nbsp;</code>) at the current cursor location.

* '''Insert anchor''': Insert anchors (sometimes referred to as a bookmarks) to your text. Users will be prompted via a dialog box to enter a string. The string will be inserted into the HTML as an anchor id at the location of the cursor. For example, a user places their cursor at the beginning of "Moodle" and clicks on the anchor button and enters "start" in the dialog box. The resulting HTML will take the form of <code><nowiki><a id="start"></a></nowiki>Moodle<nowiki></nowiki></code>.
=== Insert date/time ===
The Insert date/time options lets you easily insert the current date and/or time into the editable area at the cursor insertion point.
[[File:Tiny - DateTime.png|border|center|frameless]]
The available format options depend on the selected language.
[[File:Tiny - Equation editor.png|thumb]]
=== Equation editor ===
If either the [[MathJax filter|MathJax]] or the [[TeX notation filter|TeX]] filters are enabled (in ''Site administration > Plugins > Filters > Manage filters'') then the ''Insert equation'' option is provided in the TinyMCE editor for launching the equation editor.

Internally, the equation editor uses the [https://docs.moodle.org/400/en/TeX_notation_filter TeX notation] which can either be entered manually and / or interactively. The interactive elements are grouped into 4 categories (Operators, Arrows, Greek symbols, and Advanced). The content of each tab can be configured via the [[Equation editor settings]].

At the bottom of the editor, a preview is shown.
=== Configure H5P content ===
You can embed [[H5P]] content via the ''Configure H5P content'' menu as follows:
# Browse the Content bank repository and select an H5P file
# Choose to either make a copy of the file or create a shortcut
# Optionally, configure the H5P options (Allow download, Embed button, Copyright button)
# Click the button 'Select this file'
# Click 'Insert H5P'These steps will automatically enter the internal address in the H5P URL field. Alternatively, you can enter any internal or external H5P URL manually.
Note: If you create a shortcut to the file, you can edit it in the Content bank and any activities with a link to the file will be updated.
== Tiny tools ==
[[File:Tiny - Tools menu.png|thumb]]
The following tools are available in vie the '''Tools''' menu:
=== View source code ===
The source code pop up window displays the code of the page, usually HTML or JS. The code can be modified in plain text; once the window is closed, any changes will be reflected in the WYSIWYG mode.
[[File:Tiny - Source code.png|center|frameless|900x900px]]
=== Word count ===
The word pop up windows displays the number of words and the number of characters (with and without spaces) of the entire document and the selected text, respectively.
[[File:Tiny - Word count.png|border|center|frameless|600x600px|alt=]]

The number of words are also shown in the editor's footer.
=== Accessibility checker ===
The automated [[accessibility]] checker checks for some common errors in the text. These are usually elements in the way the text is constructed that can prevent all users from having equal access to information and functionality. The list of problems that the accessibility checker looks for is:
* Images with missing or empty alt text (unless they have the presentation role)
* Contrast of font colour and background colour meets [https://en.wikipedia.org/wiki/Web_Content_Accessibility_Guidelines WCAG AA guidelines]
* Long blocks of text are sufficiently broken up into headings
* All tables require captions
* Tables should not contain merged cells as they are difficult to navigate with screen readers
* All tables should contain row or column headers
=== Media Manager ===
The media manager shows all media files that have been embedded in the text.

The top part of the media manager shows the familiar file management element where you can add, download, and delete attached files.

Files that have been attached and deleted again are shown at the bottom half of the screen.
[[File:Tiny - Media manager.png|border|center|frameless|600x600px]]
== Keyboard shortcuts ==
The following keyboard shortcuts will work in the Tiny text editor in most browsers. Note that for many of these commands to work you need to either click in the text editor or select content in the text editor.
=== Editor shortcuts ===
{| class="wikitable"
!Windows Command
!Mac Command
!Function
|-
|Ctrl + Shift + f
|⌘ + Shift + f
|Full screen toggle
|-
|Ctrl + c
|⌘ + c
|Copy
|-
|Ctrl + v
|⌘ + v
|Paste
|-
|Ctrl + Shift + v
|⌘ + Shift + v
|Paste without formatting (very useful)
|-
|Ctrl + x
|⌘ + x
|Cut
|-
|Ctrl + z
|⌘ + z
|Undo
|-
|Ctrl + y
|⌘ + y
|Redo
|-
|Ctrl + a
|⌘ + a
|Select all
|-
|Ctrl + f
|⌘ + f
|Find and replace
|-
|F3
|<s>F3</s>
|Find next
|-
|Shift + F3
|<s>Shift + F3</s>
|Find previous
|-
|Ctrl + b
|⌘ + b
|Bold
|-
|Ctrl + i
|⌘ + i
|Italics
|-
|Ctrl + u
|⌘ + u
|Underline
|-
|Ctrl + k
|⌘ + k
|Insert/edit link
|-
|Ctrl + Right arrow
|Option + Right arrow
|Move to the end of the next word
|-
|Ctrl + Left arrow
|Option + Left arrow
|Move to the end of the previous word
|-
|Ctrl + Shift + Right arrow
|Shift + Option + Right arrow
|Select the next word or letter
|-
|Ctrl + Shift + Left arrow
|Shift + Option + Left arrow
|Select the previous word or letter
|-
|Ctrl + Shift + Home
|<s>⌘ + Shift + Home</s>
|Select from the cursor to the beginning of the page
|-
|Ctrl + Shift + End
|<s>⌘ + Shift + End</s>
|Select from the cursor to the end of the page
|-
|Ctrl + Home
|⌘ + Up arrow
|Move to the beginning of the page
|-
|Ctrl + End
|⌘ + Down arrow
|Move to the end of the page
|-
|Ctrl + Backspace
|<s>⌘ + Backspace</s>
|Delete word or letter to the left
|-
|Ctrl + Delete
|<s>⌘ + Delete</s>
|Delete word or letter to the right
|-
|Ctrl + P
|⌘ + P
|Print
|-
|Alt+Shift+1
|Ctrl+Option+1
|Header 1
|-
|Alt+Shift+2
|Ctrl+Option+2
|Header 2
|-
|Alt+Shift+3
|Ctrl+Option+3
|Header 3
|-
|Alt+Shift+4
|Ctrl+Option+4
|Header 4
|-
|Alt+Shift+5
|Ctrl+Option+5
|Header 5
|-
|Alt+Shift+6
|Ctrl+Option+6
|Header 6
|-
|Alt+Shift+7
|Ctrl+Option+7
|Paragraph
|-
|Alt+Shift+8
|Ctrl+Option+8
|Div
|-
|Alt+Shift+9
|Ctrl+Option+9
|Address
|-
|Alt+0
|Option+0
|Help dialogue (list of shortcuts)
|-
|Ctrl and +
|⌘ and +
|Zoom in (not specific to the editor, but very useful)
|-
|Ctrl and -
|⌘ and -
|Zoom out (not specific to the editor, but very useful)
|-
|Ctrl and 0
|⌘ and 0
|Reset zoom (not specific to the editor, but very useful)
|-
|Double-click
|Double-click
|Select word
|-
|Triple-click
|Triple-click
|Select line
|}
=== Keyboard navigation ===
The sections of the outer UI of the editor - the menubar, toolbar, sidebar and footer - are all keyboard navigable.
==== Activating keyboard navigation ====
There are multiple ways to activate keyboard navigation:
* Focus the menubar: Alt + F9 (Windows) or ⌥F9 (MacOS)
* Focus the toolbar: Alt + F10 (Windows) or ⌥F10 (MacOS)
* Focus the footer: Alt + F11 (Windows) or ⌥F11 (MacOS)
Focusing the menubar or toolbar will start keyboard navigation at the first item in the menubar or toolbar, which will be highlighted with a gray background. Focusing the footer will start keyboard navigation at the first item in the element path, which will be highlighted with an underline.
==== Moving between UI sections ====
When keyboard navigation is active, pressing tab will move the focus to the next major section of the UI, where applicable. These sections are:
* the menubar
* each group of the toolbar
* the sidebar
* the element path in the footer
* the wordcount toggle button in the footer
* the branding link in the footer
* the editor resize handle in the footer
Pressing shift + tab will move backwards through the same sections, except when moving from the footer to the toolbar. Focusing the element path then pressing shift + tab will move focus to the first toolbar group, not the last.
==== Moving within UI sections ====
Keyboard navigation within UI sections can usually be achieved using the left and right arrow keys. This includes:
* moving between menus in the menubar
* moving between buttons in a toolbar group
* moving between items in the element path
In all these UI sections, keyboard navigation will cycle within the section. For example, focusing the last button in a toolbar group then pressing right arrow will move focus to the first item in the same toolbar group.
==== Executing buttons ====
To execute a button, navigate the selection to the desired button and hit space or enter.
==== Opening, navigating and closing menus ====
When focusing a menubar button or a toolbar button with a menu, pressing space, enter or down arrow will open the menu. When the menu opens the first item will be selected. To move up or down the menu, press the up or down arrow key respectively. This is the same for submenus, which can also be opened and closed using the left and right arrow keys.

To close any active menu, hit the escape key. When a menu is closed the selection will be restored to its previous selection. This also works for closing submenus.
==== Context toolbars and menus ====
To focus an open context toolbar such as the table context toolbar, press Ctrl + F9 (Windows) or ⌃F9 (MacOS).

Context toolbar navigation is the same as toolbar navigation, and context menu navigation is the same as standard menu navigation.
==== Dialog navigation ====
There are two types of dialog UIs in TinyMCE: tabbed dialogs and non-tabbed dialogs.

When a non-tabbed dialog is opened, the first interactive component in the dialog will be focused. Users can navigate between interactive components by pressing tab. This includes any footer buttons. Navigation will cycle back to the first dialog component if tab is pressed while focusing the last component in the dialog. Pressing shift + tab will navigate backwards.

When a tabbed dialog is opened, the first button in the tab menu is focused. Pressing tab will navigate to the first interactive component in that tab, and will cycle through the tab's components, the footer buttons, then back to the tab button. To switch to another tab, focus the tab button for the current tab, then use the arrow keys to cycle through the tab buttons.
==== Accessibility shortcuts ====
This is a list of available keyboard shortcuts within the editor user interface.
{| class="wikitable"
!Windows Command
!Mac Command
!Function
|-
|Enter / Spacebar
|Enter / Spacebar
|Execute command
|-
|Tab
|Tab
|Focus on next UI Element(such as: Menu bar, Toolbar, Toolbar Group, Status Bar Item)
|-
|Shift+Tab
|Shift+Tab
|Focus on previous UI Element(such as: Menu bar, Toolbar, Toolbar Group, Status Bar Item)
|-
|Right Arrow / Down Arrow
|Right Arrow / Down Arrow
|Focus next Control(such as: toolbar button, menu, or menu item)
|-
|Left Arrow / Up Arrow
|Left Arrow / Up Arrow
|Focus previous Control(such as: toolbar button, menu, or menu item)
|-
|Down Arrow / Spacebar
|Down Arrow / Spacebar
|Open menu or toolbar menu button
|-
|Spacebar
|Spacebar
|Open group toolbar button
|-
|Down Arrow
|Down Arrow
|Open split toolbar button
|-
|Shift+Enter
|Shift+Enter
|Open the popup menu on split toolbar buttons
|-
|Right Arrow
|Right Arrow
|Open submenu
|-
|Left Arrow / Esc
|Left Arrow / Esc
|Close submenu
|-
|Esc
|Esc
|Close dialog
|-
|Esc
|Esc
|Close menu
|-
|Esc
|Esc
|Move focus back to editor body
|}
'''Note''': Browsers and Screen Readers provide additional shortcuts within the editor context.
==Site administration settings==
=== General settings ===
From ''Site administration > Plugins > Text editors > TinyMCE editor'' you can disable and enable certain settings, for example the Tiny HTML formatter, Tiny no-auto link and access the setting for the paid service TinyMCE Premium.

You can also disable the TinyMCE branding logo which appears at the bottom of the editor.

====TinyMCE Premium====
TinyMCE Premium requires a paid subscription. Your API key is available on your [https://www.tiny.cloud/ Tiny Cloud] account page if you have purchased a subscription, or if you are on a free trial. Enter the API key from Site administration > Plugins > Text editors > TinyMCE Premium.

For TinyMCE premium features charging is done on "per request" basis (number of editor loads). You can make use of the capability 'Access TinyMCE Premium features' (tiny/premium:accesspremium) (new in Moodle 4.4) to control which users can use premium features and in which context.

The TinyMCE features that may be available to your Moodle site with a Premium subscription are:

* Advanced Tables
* Advanced Typography
* Case Change
* Checklist
* Enhanced Image Editing
* Export
* Footnotes
* Format Painter
* Link Checker
* Page Embed
* Permanent Pen
* PowerPaste
* Spell Checker Pro
* Spelling Autocorrect
* Table of Contents

You can learn more about these features on [https://www.tiny.cloud/tinymce/features/#productivity TinyMCE's website]. Please note that not all plugins listed on TinyMCE's website are currently available to Moodle users.

=== Equation editor settings ===
[[File:Tiny - Equation editor settings.png|thumb]]
The equation editor has 4 tabs: Operators, Arrows, Greek symbols, and Advanced. The commands that are available on each tab and their order can be configured in ''Site administration > Plugins > Text editors > TinyMCE editor > Equation editor settings''.

For each group, the list of commands is shown in TeX format.
=== Tiny Record RTC plugin for Moodle ===
[[File:Tiny - RTC settings.png|thumb]]
Tiny fully supports media recording through. Internally, RecordRTC is utilised, an open source JavaScript library using WebRTC for audio and video recording. To configure its settings, navigate to ''Site administration > Plugins > Text editors > TinyMCE editor > RecordRTC'':

The following options have an impact on server resources, both in terms of bandwidth and disk usage:
* '''Allowed types''': You can specify whether '''Audio and video''' recording are supported or '''Audio only''' or '''Video only'''. There are two capabilities to control access to the TinyMCE buttons: '''[[Capabilities/tiny/recordrtc:recordvideo]]''' and '''[[Capabilities/tiny/recordrtc:recordaudio]]'''
* '''Audio bitrate''' and '''Video bitrate''': The lower the bitrates, the smaller the file sizes, and vice versa. The default bitrate for recorded audio (128000) should generate files of about 15 KB per minute; the default bitrate for recorded video (2500000) to files of approximately 20 MB per minute.
* '''Audio time limit in seconds''' and '''Video time limit in seconds''': The default time limit is 2 minutes for audio and video recording. Again, the longer the maximum recording length, the bigger the resulting files.

Recordings are stored in subdirectories of ''$CFG->dataroot>/filedir''. Ensure ''post_max_size'' and ''upload_max_filesize'' are configured in line with your expected maximum recording sizes.

[[es:Editor TinyMCE]]
[[de:TinyMCE-Editor]]
[[fr:Éditeur TinyMCE]]

TinyMCE editor

2024-06-13T02:52:25Z

Michaelh2: /* What is TinyMCE? */

{{Editing text}}
==What is TinyMCE?==
TinyMCE is a powerful rich-text editor that allows users to create formatted content within a user-friendly interface.

The popular editor is the default editor in all sites from Moodle 4.4 onwards. For Moodle 4.2 and 4.3, TinyMCE is the default editor for new installations only, but can be made default for upgraded sites from ''Administration > Site administration > Plugins > Text editors > Manage editors''.

If enabled, users may select the '''TinyMCE editor''' from the ''User menu > Preferences > Editor preferences.''
{{MediaPlayer | url = https://youtu.be/Q-D6nWSusrY | desc = Overview of TinyMCE}}

== Tiny Toolbar ==
The following buttons are available on the toolbar (not all buttons might show in all scenarios:)
[[File:latestTiny.png|center]]

The available buttons are as follows:
{| class="wikitable"
|+
!#
!Button
!#
!Button
!#
!Button
|-
|1
|Undo and Redo
|10
|No auto-link
|18
|Numbered list
|-
|2
|Bold and Italic
|11
|Full screen
|19
|Equation editor
|-
|3
|Insert image/modify properties
|12
|Align left
|20
|Toggle second toolbar (if present)
|-
|4
|Insert audio/video/modify properties
|13
|Align centre
|21
|
|-
|5
|[[Audio|Record audio]]
|14
|Align right
|
|
|-
|6
|[[Video|Record video]]
|15
|L/R and R/L directionality
|
|
|-
|7
|Insert H5P / modify H5P properties
|16
|Decrease/increase indent
|
|
|-
|8
|Link
|17
|Bullets list
|
|
|-
|9
|Unlink
|
|
|
|
|}
Some button have pre-requisites to display, for instance, the equation editor button will only show if either the [[MathJax filter|MathJax]] or the [[TeX notation filter|TeX notation]] filters are enabled (in ''Site administration > Plugins > Filters > Manage filters''), while the H5P option will only show if the ''tiny/h5p:addembed'' capability has been granted.

== Tiny features ==
[[File:Tiny - Insert menu.png|thumb]]
The following features are available from the '''Insert''' menu:
=== Insert / Edit image ===
The easiest way to insert an image is via drag'n'drop. Alternatively, you can use the ''Insert image'' tool, which gives you more control over some image properties:
* '''URL''': The (internal or external) address of the image. You can either enter a URL manually or select an image from the repository browser, which adds the URL automatically.
*'''Description''': Unless the image is labelled decorative only, a description must be provided for screenreader users
*'''Size''': Initially, the image's width and height are set. These can be adjusted to fit your text. When the ''Auto size'' checkbox remains ticked, the image's width-height ratio stays intact.
* '''Alignment''': Options are ''Top'', ''Middle'', and ''Bottom''.
[[File:Tiny - Image.png|border|center|frameless|450x450px]]
To modify image properties once it has been added to your text, select the image and press the ''Image'' button on the mini toolbar that shows up.
=== Insert / Edit Link ===
When inserting or editing a link to another (internal or external) page, you can provide the following settings:
* '''URL''': The address of the page to navigate to. If left empty, the option ''<top>'' and ''<bottom>'' are available
* '''Text to display''': The text that is shown in the text, represented as a link
* '''Title''': The text shown when hovering over the link
* '''Browse repositories''': Upload a file to link to.
* '''Open link in...''': The page can either be opened in the '''Current Window''' or a '''New window'''
[[File:Tiny - Link.png|border|center|frameless|450x450px]]
=== Insert / Edit Multimedia ===
To insert existing audio or videos clips, the TinyMCE editor supports Moodle standard [[Media embedding|Media embedding interface]].
[[File:Tiny - Audio & Video.png|thumb]]
=== Record audio and video ===
TinyMCE lets users record [[audio]] and [[video]] clips which will attach to the text once recorded. Each recording comprises three steps:
# '''Start recording''': when ready, press the ''Start recording'' button
# '''Stop recording''': when completed, press the ''Stop recording'' button
# '''Review recording''': you can listen to or watch the recording via the provided controls. Either attach the clip to your text or record it again.

The maximum length and quality (bitrate) can be [[TinyMCE editor#Tiny Record RTC plugin for Moodle|configured]] at admin level.
=== Insert / Edit code sample ===
The Tiny editor lets you insert and embed syntax color highlighted code snippets into the editable area.
[[File:Tiny - Code Sample.png|border|center|frameless|600x600px]]
While you can select the (programming) language at the top, it doesn't have any impact on the way the code is displayed.

Tiny also supports formatting of code elements (''Format -> Code''), which changes the selected text to the internally defined <code>code style</code>.
=== Insert Table ===
Tiny comes with comprehensive table management functionality to handle grid-like structures in your text. In addition to the Insert table menu item, an entire main menu has been dedicated to tables.
[[File:Tiny - Table.png|border|center|frameless|450x450px]]
Once a table has been added, you can customise individual cells, row, columns, and the properties of the entire table. The following self-explanatory menu items are available, all supporting standard HTML table options:
* Cell
** Cell properties
** Merge cells
** Split cells
* Row
** Insert row before
** Insert row after
** Delete row
** Row properties
** Cut row
** Copy row
** Paste row before
** Paste row after
* Column
** Insert column before
** Insert column after
** Delete column
** Cut column
** Copy column
** Paste column before
** Paste column after
* Table properties
* Delete table
[[File:Tiny - Table operations.png|border|center|frameless|600x600px]]
The table editor also shows context-sensitive menus when editing different table elements.
=== Insert special character ===
The special character picker lets you insert letters and symbols (a map of special unicode characters) that are difficult or impossible to access via your keyboard. You can either search by keyword and / or browse categories.
[[File:Tiny - Special character.png|border|center|frameless|450x450px]]
=== Insert Emojis ===
Bring a smiley to your content: The emoji picker lets you insert pictograms. You can either search by keyword and / or browse categories.
[[File:Tiny - Emojis.png|border|center|frameless|450x450px]]
=== Insert HTML elements ===
The following 4 HTML elements are supported by TinyMCE via menus:
* '''Insert horizontal line''': Adds an HTML line to your text.

* '''Insert page break''': Adds a page break (<code><nowiki></nowiki></code>) to your text.

* '''Insert nonbreaking space''': Add an nonbreaking space (<code>&nbsp;</code>) at the current cursor location.

* '''Insert anchor''': Insert anchors (sometimes referred to as a bookmarks) to your text. Users will be prompted via a dialog box to enter a string. The string will be inserted into the HTML as an anchor id at the location of the cursor. For example, a user places their cursor at the beginning of "Moodle" and clicks on the anchor button and enters "start" in the dialog box. The resulting HTML will take the form of <code><nowiki><a id="start"></a></nowiki>Moodle<nowiki></nowiki></code>.
=== Insert date/time ===
The Insert date/time options lets you easily insert the current date and/or time into the editable area at the cursor insertion point.
[[File:Tiny - DateTime.png|border|center|frameless]]
The available format options depend on the selected language.
[[File:Tiny - Equation editor.png|thumb]]
=== Equation editor ===
If either the [[MathJax filter|MathJax]] or the [[TeX notation filter|TeX]] filters are enabled (in ''Site administration > Plugins > Filters > Manage filters'') then the ''Insert equation'' option is provided in the TinyMCE editor for launching the equation editor.

Internally, the equation editor uses the [https://docs.moodle.org/400/en/TeX_notation_filter TeX notation] which can either be entered manually and / or interactively. The interactive elements are grouped into 4 categories (Operators, Arrows, Greek symbols, and Advanced). The content of each tab can be configured via the [[Equation editor settings]].

At the bottom of the editor, a preview is shown.
=== Configure H5P content ===
You can embed [[H5P]] content via the ''Configure H5P content'' menu as follows:
# Browse the Content bank repository and select an H5P file
# Choose to either make a copy of the file or create a shortcut
# Optionally, configure the H5P options (Allow download, Embed button, Copyright button)
# Click the button 'Select this file'
# Click 'Insert H5P'These steps will automatically enter the internal address in the H5P URL field. Alternatively, you can enter any internal or external H5P URL manually.
Note: If you create a shortcut to the file, you can edit it in the Content bank and any activities with a link to the file will be updated.
== Tiny tools ==
[[File:Tiny - Tools menu.png|thumb]]
The following tools are available in vie the '''Tools''' menu:
=== View source code ===
The source code pop up window displays the code of the page, usually HTML or JS. The code can be modified in plain text; once the window is closed, any changes will be reflected in the WYSIWYG mode.
[[File:Tiny - Source code.png|center|frameless|900x900px]]
=== Word count ===
The word pop up windows displays the number of words and the number of characters (with and without spaces) of the entire document and the selected text, respectively.
[[File:Tiny - Word count.png|border|center|frameless|600x600px|alt=]]

The number of words are also shown in the editor's footer.
=== Accessibility checker ===
The automated [[accessibility]] checker checks for some common errors in the text. These are usually elements in the way the text is constructed that can prevent all users from having equal access to information and functionality. The list of problems that the accessibility checker looks for is:
* Images with missing or empty alt text (unless they have the presentation role)
* Contrast of font colour and background colour meets [https://en.wikipedia.org/wiki/Web_Content_Accessibility_Guidelines WCAG AA guidelines]
* Long blocks of text are sufficiently broken up into headings
* All tables require captions
* Tables should not contain merged cells as they are difficult to navigate with screen readers
* All tables should contain row or column headers
=== Media Manager ===
The media manager shows all media files that have been embedded in the text.

The top part of the media manager shows the familiar file management element where you can add, download, and delete attached files.

Files that have been attached and deleted again are shown at the bottom half of the screen.
[[File:Tiny - Media manager.png|border|center|frameless|600x600px]]
== Keyboard shortcuts ==
The following keyboard shortcuts will work in the Tiny text editor in most browsers. Note that for many of these commands to work you need to either click in the text editor or select content in the text editor.
=== Editor shortcuts ===
{| class="wikitable"
!Windows Command
!Mac Command
!Function
|-
|Ctrl + Shift + f
|⌘ + Shift + f
|Full screen toggle
|-
|Ctrl + c
|⌘ + c
|Copy
|-
|Ctrl + v
|⌘ + v
|Paste
|-
|Ctrl + Shift + v
|⌘ + Shift + v
|Paste without formatting (very useful)
|-
|Ctrl + x
|⌘ + x
|Cut
|-
|Ctrl + z
|⌘ + z
|Undo
|-
|Ctrl + y
|⌘ + y
|Redo
|-
|Ctrl + a
|⌘ + a
|Select all
|-
|Ctrl + f
|⌘ + f
|Find and replace
|-
|F3
|<s>F3</s>
|Find next
|-
|Shift + F3
|<s>Shift + F3</s>
|Find previous
|-
|Ctrl + b
|⌘ + b
|Bold
|-
|Ctrl + i
|⌘ + i
|Italics
|-
|Ctrl + u
|⌘ + u
|Underline
|-
|Ctrl + k
|⌘ + k
|Insert/edit link
|-
|Ctrl + Right arrow
|Option + Right arrow
|Move to the end of the next word
|-
|Ctrl + Left arrow
|Option + Left arrow
|Move to the end of the previous word
|-
|Ctrl + Shift + Right arrow
|Shift + Option + Right arrow
|Select the next word or letter
|-
|Ctrl + Shift + Left arrow
|Shift + Option + Left arrow
|Select the previous word or letter
|-
|Ctrl + Shift + Home
|<s>⌘ + Shift + Home</s>
|Select from the cursor to the beginning of the page
|-
|Ctrl + Shift + End
|<s>⌘ + Shift + End</s>
|Select from the cursor to the end of the page
|-
|Ctrl + Home
|⌘ + Up arrow
|Move to the beginning of the page
|-
|Ctrl + End
|⌘ + Down arrow
|Move to the end of the page
|-
|Ctrl + Backspace
|<s>⌘ + Backspace</s>
|Delete word or letter to the left
|-
|Ctrl + Delete
|<s>⌘ + Delete</s>
|Delete word or letter to the right
|-
|Ctrl + P
|⌘ + P
|Print
|-
|Alt+Shift+1
|Ctrl+Option+1
|Header 1
|-
|Alt+Shift+2
|Ctrl+Option+2
|Header 2
|-
|Alt+Shift+3
|Ctrl+Option+3
|Header 3
|-
|Alt+Shift+4
|Ctrl+Option+4
|Header 4
|-
|Alt+Shift+5
|Ctrl+Option+5
|Header 5
|-
|Alt+Shift+6
|Ctrl+Option+6
|Header 6
|-
|Alt+Shift+7
|Ctrl+Option+7
|Paragraph
|-
|Alt+Shift+8
|Ctrl+Option+8
|Div
|-
|Alt+Shift+9
|Ctrl+Option+9
|Address
|-
|Alt+0
|Option+0
|Help dialogue (list of shortcuts)
|-
|Ctrl and +
|⌘ and +
|Zoom in (not specific to the editor, but very useful)
|-
|Ctrl and -
|⌘ and -
|Zoom out (not specific to the editor, but very useful)
|-
|Ctrl and 0
|⌘ and 0
|Reset zoom (not specific to the editor, but very useful)
|-
|Double-click
|Double-click
|Select word
|-
|Triple-click
|Triple-click
|Select line
|}
=== Keyboard navigation ===
The sections of the outer UI of the editor - the menubar, toolbar, sidebar and footer - are all keyboard navigable.
==== Activating keyboard navigation ====
There are multiple ways to activate keyboard navigation:
* Focus the menubar: Alt + F9 (Windows) or ⌥F9 (MacOS)
* Focus the toolbar: Alt + F10 (Windows) or ⌥F10 (MacOS)
* Focus the footer: Alt + F11 (Windows) or ⌥F11 (MacOS)
Focusing the menubar or toolbar will start keyboard navigation at the first item in the menubar or toolbar, which will be highlighted with a gray background. Focusing the footer will start keyboard navigation at the first item in the element path, which will be highlighted with an underline.
==== Moving between UI sections ====
When keyboard navigation is active, pressing tab will move the focus to the next major section of the UI, where applicable. These sections are:
* the menubar
* each group of the toolbar
* the sidebar
* the element path in the footer
* the wordcount toggle button in the footer
* the branding link in the footer
* the editor resize handle in the footer
Pressing shift + tab will move backwards through the same sections, except when moving from the footer to the toolbar. Focusing the element path then pressing shift + tab will move focus to the first toolbar group, not the last.
==== Moving within UI sections ====
Keyboard navigation within UI sections can usually be achieved using the left and right arrow keys. This includes:
* moving between menus in the menubar
* moving between buttons in a toolbar group
* moving between items in the element path
In all these UI sections, keyboard navigation will cycle within the section. For example, focusing the last button in a toolbar group then pressing right arrow will move focus to the first item in the same toolbar group.
==== Executing buttons ====
To execute a button, navigate the selection to the desired button and hit space or enter.
==== Opening, navigating and closing menus ====
When focusing a menubar button or a toolbar button with a menu, pressing space, enter or down arrow will open the menu. When the menu opens the first item will be selected. To move up or down the menu, press the up or down arrow key respectively. This is the same for submenus, which can also be opened and closed using the left and right arrow keys.

To close any active menu, hit the escape key. When a menu is closed the selection will be restored to its previous selection. This also works for closing submenus.
==== Context toolbars and menus ====
To focus an open context toolbar such as the table context toolbar, press Ctrl + F9 (Windows) or ⌃F9 (MacOS).

Context toolbar navigation is the same as toolbar navigation, and context menu navigation is the same as standard menu navigation.
==== Dialog navigation ====
There are two types of dialog UIs in TinyMCE: tabbed dialogs and non-tabbed dialogs.

When a non-tabbed dialog is opened, the first interactive component in the dialog will be focused. Users can navigate between interactive components by pressing tab. This includes any footer buttons. Navigation will cycle back to the first dialog component if tab is pressed while focusing the last component in the dialog. Pressing shift + tab will navigate backwards.

When a tabbed dialog is opened, the first button in the tab menu is focused. Pressing tab will navigate to the first interactive component in that tab, and will cycle through the tab's components, the footer buttons, then back to the tab button. To switch to another tab, focus the tab button for the current tab, then use the arrow keys to cycle through the tab buttons.
==== Accessibility shortcuts ====
This is a list of available keyboard shortcuts within the editor user interface.
{| class="wikitable"
!Windows Command
!Mac Command
!Function
|-
|Enter / Spacebar
|Enter / Spacebar
|Execute command
|-
|Tab
|Tab
|Focus on next UI Element(such as: Menu bar, Toolbar, Toolbar Group, Status Bar Item)
|-
|Shift+Tab
|Shift+Tab
|Focus on previous UI Element(such as: Menu bar, Toolbar, Toolbar Group, Status Bar Item)
|-
|Right Arrow / Down Arrow
|Right Arrow / Down Arrow
|Focus next Control(such as: toolbar button, menu, or menu item)
|-
|Left Arrow / Up Arrow
|Left Arrow / Up Arrow
|Focus previous Control(such as: toolbar button, menu, or menu item)
|-
|Down Arrow / Spacebar
|Down Arrow / Spacebar
|Open menu or toolbar menu button
|-
|Spacebar
|Spacebar
|Open group toolbar button
|-
|Down Arrow
|Down Arrow
|Open split toolbar button
|-
|Shift+Enter
|Shift+Enter
|Open the popup menu on split toolbar buttons
|-
|Right Arrow
|Right Arrow
|Open submenu
|-
|Left Arrow / Esc
|Left Arrow / Esc
|Close submenu
|-
|Esc
|Esc
|Close dialog
|-
|Esc
|Esc
|Close menu
|-
|Esc
|Esc
|Move focus back to editor body
|}
'''Note''': Browsers and Screen Readers provide additional shortcuts within the editor context.
==Site administration settings==
=== General settings ===
From ''Site administration > Plugins > Text editors > TinyMCE editor'' you can disable and enable certain settings, for example the Tiny HTML formatter, Tiny no-auto link and access the setting for the paid service TinyMCE Premium.

You can also disable the TinyMCE branding logo which appears at the bottom of the editor.

====TinyMCE Premium====
TinyMCE Premium requires a paid subscription. Your API key is available on your [https://www.tiny.cloud/ Tiny Cloud] account page if you have purchased a subscription, or if you are on a free trial. Enter the API key from Site administration > Plugins > Text editors > TinyMCE Premium.

For TinyMCE premium features charging is done on "per request" basis (number of editor loads). You can make use of the capability 'Access TinyMCE Premium features' (tiny/premium:accesspremium) (new in Moodle 4.4) to control which users can use premium features and in which context.

The TinyMCE features that may be available to your Moodle site with a Premium subscription are:

* Advanced Tables
* Advanced Typography
* Case Change
* Checklist
* Enhanced Image Editing
* Export
* Footnotes
* Format Painter
* Link Checker
* Page Embed
* Permanent Pen
* PowerPaste
* Spell Checker Pro
* Spelling Autocorrect
* Table of Contents

You can learn more about these features on [https://www.tiny.cloud/tinymce/features/#productivity TinyMCE's website]. Please note that not all plugins listed on TinyMCE's website are currently available to Moodle users.

=== Equation editor settings ===
[[File:Tiny - Equation editor settings.png|thumb]]
The equation editor has 4 tabs: Operators, Arrows, Greek symbols, and Advanced. The commands that are available on each tab and their order can be configured in ''Site administration > Plugins > Text editors > TinyMCE editor > Equation editor settings''.

For each group, the list of commands is shown in TeX format.
=== Tiny Record RTC plugin for Moodle ===
[[File:Tiny - RTC settings.png|thumb]]
Tiny fully supports media recording through. Internally, RecordRTC is utilised, an open source JavaScript library using WebRTC for audio and video recording. To configure its settings, navigate to ''Site administration > Plugins > Text editors > TinyMCE editor > RecordRTC'':

The following options have an impact on server resources, both in terms of bandwidth and disk usage:
* '''Allowed types''': You can specify whether '''Audio and video''' recording are supported or '''Audio only''' or '''Video only'''. There are two capabilities to control access to the TinyMCE buttons: '''[[Capabilities/tiny/recordrtc:recordvideo]]''' and '''[[Capabilities/tiny/recordrtc:recordaudio]]'''
* '''Audio bitrate''' and '''Video bitrate''': The lower the bitrates, the smaller the file sizes, and vice versa. The default bitrate for recorded audio (128000) should generate files of about 15 KB per minute; the default bitrate for recorded video (2500000) to files of approximately 20 MB per minute.
* '''Audio time limit in seconds''' and '''Video time limit in seconds''': The default time limit is 2 minutes for audio and video recording. Again, the longer the maximum recording length, the bigger the resulting files.

Recordings are stored in subdirectories of ''$CFG->dataroot>/filedir''. Ensure ''post_max_size'' and ''upload_max_filesize'' are configured in line with your expected maximum recording sizes.

[[es:Editor TinyMCE]]
[[de:TinyMCE-Editor]]
[[fr:Éditeur TinyMCE]]

TinyMCE editor

2024-03-11T06:40:40Z

Michaelh2: Minor tweaks to TinyMCE Premium wording for clarification/consistency.

{{Editing text}}
==What is TinyMCE?==
TinyMCE is a powerful rich-text editor that allows users to create formatted content within a user-friendly interface.

The popular editor is the default editor in new installations of Moodle 4.2 onwards and can be made default in upgraded sites from ''Administration > Site administration > Plugins > Text editors > Manage editors''.

If enabled, users may select the '''TinyMCE editor''' from the ''User menu > Preferences > Editor preferences.''
{{MediaPlayer | url = https://youtu.be/Q-D6nWSusrY | desc = Overview of TinyMCE}}

== Tiny Toolbar ==
The following buttons are available on the toolbar (not all buttons might show in all scenarios:)
[[File:latestTiny.png|center]]

The available buttons are as follows:
{| class="wikitable"
|+
!#
!Button
!#
!Button
!#
!Button
|-
|1
|Undo and Redo
|10
|No auto-link NEW IN 4.3
|18
|Numbered list
|-
|2
|Bold and Italic
|11
|Full screen NEW IN 4.3
|19
|Equation editor
|-
|3
|Insert image/modify properties
|12
|Align left
|20
|Toggle second toolbar (if present)
|-
|4
|Insert audio/video/modify properties
|13
|Align centre
|21
|
|-
|5
|[[Audio|Record audio]]
|14
|Align right
|
|
|-
|6
|[[Video|Record video]]
|15
|L/R and R/L directionality
|
|
|-
|7
|Insert H5P / modify H5P properties
|16
|Decrease/increase indent
|
|
|-
|8
|Link
|17
|Bullets list
|
|
|-
|9
|Unlink
|
|
|
|
|}
Some button have pre-requisites to display, for instance, the equation editor button will only show if either the [[MathJax filter|MathJax]] or the [[TeX notation filter|TeX notation]] filters are enabled (in ''Site administration > Plugins > Filters > Manage filters''), while the H5P option will only show if the ''tiny/h5p:addembed'' capability has been granted.

== Tiny features ==
[[File:Tiny - Insert menu.png|thumb]]
The following features are available from the '''Insert''' menu:
=== Insert / Edit image ===
The easiest way to insert an image is via drag'n'drop. Alternatively, you can use the ''Insert image'' tool, which gives you more control over some image properties:
* '''URL''': The (internal or external) address of the image. You can either enter a URL manually or select an image from the repository browser, which adds the URL automatically.
*'''Description''': Unless the image is labelled decorative only, a description must be provided for screenreader users
*'''Size''': Initially, the image's width and height are set. These can be adjusted to fit your text. When the ''Auto size'' checkbox remains ticked, the image's width-height ratio stays intact.
* '''Alignment''': Options are ''Top'', ''Middle'', and ''Bottom''.
[[File:Tiny - Image.png|border|center|frameless|450x450px]]
To modify image properties once it has been added to your text, select the image and press the ''Image'' button on the mini toolbar that shows up.
=== Insert / Edit Link ===
When inserting or editing a link to another (internal or external) page, you can provide the following settings:
* '''URL''': The address of the page to navigate to. If left empty, the option ''<top>'' and ''<bottom>'' are available
* '''Text to display''': The text that is shown in the text, represented as a link
* '''Title''': The text shown when hovering over the link
* '''Browse repositories''': Upload a file to link to.
* '''Open link in...''': The page can either be opened in the '''Current Window''' or a '''New window'''
[[File:Tiny - Link.png|border|center|frameless|450x450px]]
=== Insert / Edit Multimedia ===
To insert existing audio or videos clips, the TinyMCE editor supports Moodle standard [[Media embedding|Media embedding interface]].
[[File:Tiny - Audio & Video.png|thumb]]
=== Record audio and video ===
TinyMCE lets users record [[audio]] and [[video]] clips which will attach to the text once recorded. Each recording comprises three steps:
# '''Start recording''': when ready, press the ''Start recording'' button
# '''Stop recording''': when completed, press the ''Stop recording'' button
# '''Review recording''': you can listen to or watch the recording via the provided controls. Either attach the clip to your text or record it again.

The maximum length and quality (bitrate) can be [[TinyMCE editor#Tiny Record RTC plugin for Moodle|configured]] at admin level.
=== Insert / Edit code sample ===
The Tiny editor lets you insert and embed syntax color highlighted code snippets into the editable area.
[[File:Tiny - Code Sample.png|border|center|frameless|600x600px]]
While you can select the (programming) language at the top, it doesn't have any impact on the way the code is displayed.

Tiny also supports formatting of code elements (''Format -> Code''), which changes the selected text to the internally defined <code>code style</code>.
=== Insert Table ===
Tiny comes with comprehensive table management functionality to handle grid-like structures in your text. In addition to the Insert table menu item, an entire main menu has been dedicated to tables.
[[File:Tiny - Table.png|border|center|frameless|450x450px]]
Once a table has been added, you can customise individual cells, row, columns, and the properties of the entire table. The following self-explanatory menu items are available, all supporting standard HTML table options:
* Cell
** Cell properties
** Merge cells
** Split cells
* Row
** Insert row before
** Insert row after
** Delete row
** Row properties
** Cut row
** Copy row
** Paste row before
** Paste row after
* Column
** Insert column before
** Insert column after
** Delete column
** Cut column
** Copy column
** Paste column before
** Paste column after
* Table properties
* Delete table
[[File:Tiny - Table operations.png|border|center|frameless|600x600px]]
The table editor also shows context-sensitive menus when editing different table elements.
=== Insert special character ===
The special character picker lets you insert letters and symbols (a map of special unicode characters) that are difficult or impossible to access via your keyboard. You can either search by keyword and / or browse categories.
[[File:Tiny - Special character.png|border|center|frameless|450x450px]]
=== Insert Emojis ===
Bring a smiley to your content: The emoji picker lets you insert pictograms. You can either search by keyword and / or browse categories.
[[File:Tiny - Emojis.png|border|center|frameless|450x450px]]
=== Insert HTML elements ===
The following 4 HTML elements are supported by TinyMCE via menus:
* '''Insert horizontal line''': Adds an HTML line to your text.

* '''Insert page break''': Adds a page break (<code><nowiki></nowiki></code>) to your text.

* '''Insert nonbreaking space''': Add an nonbreaking space (<code>&nbsp;</code>) at the current cursor location.

* '''Insert anchor''': Insert anchors (sometimes referred to as a bookmarks) to your text. Users will be prompted via a dialog box to enter a string. The string will be inserted into the HTML as an anchor id at the location of the cursor. For example, a user places their cursor at the beginning of "Moodle" and clicks on the anchor button and enters "start" in the dialog box. The resulting HTML will take the form of <code><nowiki><a id="start"></a></nowiki>Moodle<nowiki></nowiki></code>.
=== Insert date/time ===
The Insert date/time options lets you easily insert the current date and/or time into the editable area at the cursor insertion point.
[[File:Tiny - DateTime.png|border|center|frameless]]
The available format options depend on the selected language.
[[File:Tiny - Equation editor.png|thumb]]
=== Equation editor ===
If either the [[MathJax filter|MathJax]] or the [[TeX notation filter|TeX]] filters are enabled (in ''Site administration > Plugins > Filters > Manage filters'') then the ''Insert equation'' option is provided in the TinyMCE editor for launching the equation editor.

Internally, the equation editor uses the [https://docs.moodle.org/400/en/TeX_notation_filter TeX notation] which can either be entered manually and / or interactively. The interactive elements are grouped into 4 categories (Operators, Arrows, Greek symbols, and Advanced). The content of each tab can be configured via the [[Equation editor settings]].

At the bottom of the editor, a preview is shown.
=== Configure H5P content ===
You can embed [[H5P]] content via the ''Configure H5P content'' menu as follows:
# Browse the Content bank repository and select an H5P file
# Choose to either make a copy of the file or create a shortcut
# Optionally, configure the H5P options (Allow download, Embed button, Copyright button)
# Click the button 'Select this file'
# Click 'Insert H5P'These steps will automatically enter the internal address in the H5P URL field. Alternatively, you can enter any internal or external H5P URL manually.
Note: If you create a shortcut to the file, you can edit it in the Content bank and any activities with a link to the file will be updated.
== Tiny tools ==
[[File:Tiny - Tools menu.png|thumb]]
The following tools are available in vie the '''Tools''' menu:
=== View source code ===
The source code pop up window displays the code of the page, usually HTML or JS. The code can be modified in plain text; once the window is closed, any changes will be reflected in the WYSIWYG mode.
[[File:Tiny - Source code.png|center|frameless|900x900px]]
=== Word count ===
The word pop up windows displays the number of words and the number of characters (with and without spaces) of the entire document and the selected text, respectively.
[[File:Tiny - Word count.png|border|center|frameless|600x600px|alt=]]

The number of words are also shown in the editor's footer.
=== Accessibility checker ===
The automated [[accessibility]] checker checks for some common errors in the text. These are usually elements in the way the text is constructed that can prevent all users from having equal access to information and functionality. The list of problems that the accessibility checker looks for is:
* Images with missing or empty alt text (unless they have the presentation role)
* Contrast of font colour and background colour meets [https://en.wikipedia.org/wiki/Web_Content_Accessibility_Guidelines WCAG AA guidelines]
* Long blocks of text are sufficiently broken up into headings
* All tables require captions
* Tables should not contain merged cells as they are difficult to navigate with screen readers
* All tables should contain row or column headers
=== Media Manager ===
The media manager shows all media files that have been embedded in the text.

The top part of the media manager shows the familiar file management element where you can add, download, and delete attached files.

Files that have been attached and deleted again are shown at the bottom half of the screen.
[[File:Tiny - Media manager.png|border|center|frameless|600x600px]]
== Keyboard shortcuts ==
The following keyboard shortcuts will work in the Tiny text editor in most browsers. Note that for many of these commands to work you need to either click in the text editor or select content in the text editor.
=== Editor shortcuts ===
{| class="wikitable"
!Windows Command
!Mac Command
!Function
|-
|Ctrl + Shift + f
|⌘ + Shift + f
|Full screen toggle
|-
|Ctrl + c
|⌘ + c
|Copy
|-
|Ctrl + v
|⌘ + v
|Paste
|-
|Ctrl + Shift + v
|⌘ + Shift + v
|Paste without formatting (very useful)
|-
|Ctrl + x
|⌘ + x
|Cut
|-
|Ctrl + z
|⌘ + z
|Undo
|-
|Ctrl + y
|⌘ + y
|Redo
|-
|Ctrl + a
|⌘ + a
|Select all
|-
|Ctrl + f
|⌘ + f
|Find and replace
|-
|F3
|<s>F3</s>
|Find next
|-
|Shift + F3
|<s>Shift + F3</s>
|Find previous
|-
|Ctrl + b
|⌘ + b
|Bold
|-
|Ctrl + i
|⌘ + i
|Italics
|-
|Ctrl + u
|⌘ + u
|Underline
|-
|Ctrl + k
|⌘ + k
|Insert/edit link
|-
|Ctrl + Right arrow
|Option + Right arrow
|Move to the end of the next word
|-
|Ctrl + Left arrow
|Option + Left arrow
|Move to the end of the previous word
|-
|Ctrl + Shift + Right arrow
|Shift + Option + Right arrow
|Select the next word or letter
|-
|Ctrl + Shift + Left arrow
|Shift + Option + Left arrow
|Select the previous word or letter
|-
|Ctrl + Shift + Home
|<s>⌘ + Shift + Home</s>
|Select from the cursor to the beginning of the page
|-
|Ctrl + Shift + End
|<s>⌘ + Shift + End</s>
|Select from the cursor to the end of the page
|-
|Ctrl + Home
|⌘ + Up arrow
|Move to the beginning of the page
|-
|Ctrl + End
|⌘ + Down arrow
|Move to the end of the page
|-
|Ctrl + Backspace
|<s>⌘ + Backspace</s>
|Delete word or letter to the left
|-
|Ctrl + Delete
|<s>⌘ + Delete</s>
|Delete word or letter to the right
|-
|Ctrl + P
|⌘ + P
|Print
|-
|Alt+Shift+1
|Ctrl+Option+1
|Header 1
|-
|Alt+Shift+2
|Ctrl+Option+2
|Header 2
|-
|Alt+Shift+3
|Ctrl+Option+3
|Header 3
|-
|Alt+Shift+4
|Ctrl+Option+4
|Header 4
|-
|Alt+Shift+5
|Ctrl+Option+5
|Header 5
|-
|Alt+Shift+6
|Ctrl+Option+6
|Header 6
|-
|Alt+Shift+7
|Ctrl+Option+7
|Paragraph
|-
|Alt+Shift+8
|Ctrl+Option+8
|Div
|-
|Alt+Shift+9
|Ctrl+Option+9
|Address
|-
|Alt+0
|Option+0
|Help dialogue (list of shortcuts)
|-
|Ctrl and +
|⌘ and +
|Zoom in (not specific to the editor, but very useful)
|-
|Ctrl and -
|⌘ and -
|Zoom out (not specific to the editor, but very useful)
|-
|Ctrl and 0
|⌘ and 0
|Reset zoom (not specific to the editor, but very useful)
|-
|Double-click
|Double-click
|Select word
|-
|Triple-click
|Triple-click
|Select line
|}
=== Keyboard navigation ===
The sections of the outer UI of the editor - the menubar, toolbar, sidebar and footer - are all keyboard navigable.
==== Activating keyboard navigation ====
There are multiple ways to activate keyboard navigation:
* Focus the menubar: Alt + F9 (Windows) or ⌥F9 (MacOS)
* Focus the toolbar: Alt + F10 (Windows) or ⌥F10 (MacOS)
* Focus the footer: Alt + F11 (Windows) or ⌥F11 (MacOS)
Focusing the menubar or toolbar will start keyboard navigation at the first item in the menubar or toolbar, which will be highlighted with a gray background. Focusing the footer will start keyboard navigation at the first item in the element path, which will be highlighted with an underline.
==== Moving between UI sections ====
When keyboard navigation is active, pressing tab will move the focus to the next major section of the UI, where applicable. These sections are:
* the menubar
* each group of the toolbar
* the sidebar
* the element path in the footer
* the wordcount toggle button in the footer
* the branding link in the footer
* the editor resize handle in the footer
Pressing shift + tab will move backwards through the same sections, except when moving from the footer to the toolbar. Focusing the element path then pressing shift + tab will move focus to the first toolbar group, not the last.
==== Moving within UI sections ====
Keyboard navigation within UI sections can usually be achieved using the left and right arrow keys. This includes:
* moving between menus in the menubar
* moving between buttons in a toolbar group
* moving between items in the element path
In all these UI sections, keyboard navigation will cycle within the section. For example, focusing the last button in a toolbar group then pressing right arrow will move focus to the first item in the same toolbar group.
==== Executing buttons ====
To execute a button, navigate the selection to the desired button and hit space or enter.
==== Opening, navigating and closing menus ====
When focusing a menubar button or a toolbar button with a menu, pressing space, enter or down arrow will open the menu. When the menu opens the first item will be selected. To move up or down the menu, press the up or down arrow key respectively. This is the same for submenus, which can also be opened and closed using the left and right arrow keys.

To close any active menu, hit the escape key. When a menu is closed the selection will be restored to its previous selection. This also works for closing submenus.
==== Context toolbars and menus ====
To focus an open context toolbar such as the table context toolbar, press Ctrl + F9 (Windows) or ⌃F9 (MacOS).

Context toolbar navigation is the same as toolbar navigation, and context menu navigation is the same as standard menu navigation.
==== Dialog navigation ====
There are two types of dialog UIs in TinyMCE: tabbed dialogs and non-tabbed dialogs.

When a non-tabbed dialog is opened, the first interactive component in the dialog will be focused. Users can navigate between interactive components by pressing tab. This includes any footer buttons. Navigation will cycle back to the first dialog component if tab is pressed while focusing the last component in the dialog. Pressing shift + tab will navigate backwards.

When a tabbed dialog is opened, the first button in the tab menu is focused. Pressing tab will navigate to the first interactive component in that tab, and will cycle through the tab's components, the footer buttons, then back to the tab button. To switch to another tab, focus the tab button for the current tab, then use the arrow keys to cycle through the tab buttons.
==== Accessibility shortcuts ====
This is a list of available keyboard shortcuts within the editor user interface.
{| class="wikitable"
!Windows Command
!Mac Command
!Function
|-
|Enter / Spacebar
|Enter / Spacebar
|Execute command
|-
|Tab
|Tab
|Focus on next UI Element(such as: Menu bar, Toolbar, Toolbar Group, Status Bar Item)
|-
|Shift+Tab
|Shift+Tab
|Focus on previous UI Element(such as: Menu bar, Toolbar, Toolbar Group, Status Bar Item)
|-
|Right Arrow / Down Arrow
|Right Arrow / Down Arrow
|Focus next Control(such as: toolbar button, menu, or menu item)
|-
|Left Arrow / Up Arrow
|Left Arrow / Up Arrow
|Focus previous Control(such as: toolbar button, menu, or menu item)
|-
|Down Arrow / Spacebar
|Down Arrow / Spacebar
|Open menu or toolbar menu button
|-
|Spacebar
|Spacebar
|Open group toolbar button
|-
|Down Arrow
|Down Arrow
|Open split toolbar button
|-
|Shift+Enter
|Shift+Enter
|Open the popup menu on split toolbar buttons
|-
|Right Arrow
|Right Arrow
|Open submenu
|-
|Left Arrow / Esc
|Left Arrow / Esc
|Close submenu
|-
|Esc
|Esc
|Close dialog
|-
|Esc
|Esc
|Close menu
|-
|Esc
|Esc
|Move focus back to editor body
|}
'''Note''': Browsers and Screen Readers provide additional shortcuts within the editor context.
==Site administration settings==
=== General settings ===
From ''Site administration > Plugins > Text editors > TinyMCE editor'' you can disable and enable certain settings, for example '''New in 4.3''' the Tiny HTML formatter, Tiny no-auto link and access the setting for the paid service TinyMCE Premium.

You can also disable the TinyMCE branding logo which appears at the bottom of the editor.
{{New features}}
====TinyMCE Premium====
TinyMCE Premium requires a paid subscription. Your API key is available on your [https://www.tiny.cloud/ Tiny Cloud] account page if you have purchased a subscription, or if you are on a free trial. Enter the API key from Site administration > Plugins > Text editors > TinyMCE Premium.

The TinyMCE features that may be available to your Moodle site with a Premium subscription are:

* Advanced Tables
* Advanced Typography
* Case Change
* Checklist
* Enhanced Image Editing
* Export
* Footnotes
* Format Painter
* Link Checker
* Page Embed
* Permanent Pen
* PowerPaste
* Spell Checker Pro
* Spelling Autocorrect
* Table of Contents

You can learn more about these features on [https://www.tiny.cloud/tinymce/features/#productivity TinyMCE's website]. Please note that not all plugins listed on TinyMCE's website are currently available to Moodle users.

=== Equation editor settings ===
[[File:Tiny - Equation editor settings.png|thumb]]
The equation editor has 4 tabs: Operators, Arrows, Greek symbols, and Advanced. The commands that are available on each tab and their order can be configured in ''Site administration > Plugins > Text editors > TinyMCE editor > Equation editor settings''.

For each group, the list of commands is shown in TeX format.
=== Tiny Record RTC plugin for Moodle ===
[[File:Tiny - RTC settings.png|thumb]]
Tiny fully supports media recording through. Internally, RecordRTC is utilised, an open source JavaScript library using WebRTC for audio and video recording. To configure its settings, navigate to ''Site administration > Plugins > Text editors > TinyMCE editor > RecordRTC'':

The following options have an impact on server resources, both in terms of bandwidth and disk usage:
* '''Allowed types''': You can specify whether '''Audio and video''' recording are supported or '''Audio only''' or '''Video only'''. There are two capabilities to control access to the TinyMCE buttons: '''[[Capabilities/tiny/recordrtc:recordvideo]]''' and '''[[Capabilities/tiny/recordrtc:recordaudio]]'''
* '''Audio bitrate''' and '''Video bitrate''': The lower the bitrates, the smaller the file sizes, and vice versa. The default bitrate for recorded audio (128000) should generate files of about 15 KB per minute; the default bitrate for recorded video (2500000) to files of approximately 20 MB per minute.
* '''Audio time limit in seconds''' and '''Video time limit in seconds''': The default time limit is 2 minutes for audio and video recording. Again, the longer the maximum recording length, the bigger the resulting files.

Recordings are stored in subdirectories of ''$CFG->dataroot>/filedir''. Ensure ''post_max_size'' and ''upload_max_filesize'' are configured in line with your expected maximum recording sizes.

[[es:Editor TinyMCE]]
[[de:TinyMCE-Editor]]
[[fr:Éditeur TinyMCE]]

Environment - PHP extension sodium

2023-04-20T05:58:55Z

Michaelh2: Updated to reflect the 4.2 requirement

{{Environment}}
The php-sodium extension provides strong encryption capabilities in an easy and consistent way. This extension is required from Moodle 4.2.

Note that it is still highly recommended to use php-sodium in Moodle 3.11, 4.0 and 4.1, which also support the extension. Sites which do not have this extension installed use a php-openssl based solution as a fallback, which is considered sub-optimal. See MDL-71421 for more details.

See also <nowiki>https://www.php.net/manual/book.sodium.php</nowiki> and <nowiki>https://py-ipv8.readthedocs.io/en/latest/preliminaries/install_libsodium/</nowiki>
[[Category:Environment|PHP]]
[[es:admin/environment/php extension/sodium]]
[[fr:admin/environment/php extension/sodium]]

report/security/report security check preventexecpath

2021-08-25T03:09:56Z

Michaelh2: Small layout tweak.

{{Security overview report}}Some administration options allow setting the path to executable files on the web server such as du, aspell, ghostscript and others. This can potentially cause a security risk. You can prevent administrators from changing these paths by adding the following setting to your config.php file:

<code php>
$CFG->preventexecpath = true;
</code>

You should also explicitly set the relevant paths in your config.php file such as:
<code php>
$CFG->pathtodu = 'PATH';
$CFG->pathtounoconv = 'PATH';
$CFG->aspellpath = 'PATH';
</code>

[[es:report/security/report security check preventexecpath]]

Site security settings

2021-06-02T06:12:02Z

Michaelh2:

.
{{Security}}
===Protect usernames===

If enabled, when a user attempts to reset their password and enters a username or email address, the following message is displayed: "If you supplied a correct username or email address then an email should have been sent to you." This is to prevent a malicious party from using the interface to determine which usernames and email addresses are in use in valid accounts.

If the protect usernames setting is disabled, when a user attempts to reset their password they are provided with feedback regarding whether an account exists with the username or email address supplied. For example, the message "The email address was not found in the database" may be displayed.

===Force users to login===

If you turn this setting on, all users must login before they even see the [[Front Page]] of the site. Note however that this does not prevent guest access to courses, if you have autologin guests enabled in [[User policies]].

===Force users to login for profiles===

Leave this set to Yes to keep anonymous visitors away from user profiles.

===Force users to login to view user pictures===

If enabled, users must login in order to view user profile pictures and the default user picture will be used in all notification emails.

===Open to search engines===

Enabling this setting allows search engines crawlers guest access to your site. Any part of the site that allows guest access will then be searchable on search engines. In addition, people coming in to your site via a search engine search will automatically be logged in as a guest.

=== Referrer policy ===

A referrer policy can be set, various parts of moodle rely on the referrer being set so it's generally best to only remove or reduce the referrer for external links. So a policy of origin-when-cross-origin is probably the best balance.
See the MDN docs for more details:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

===Allow indexing by search engines===
This determines whether to allow search engines to index your site. The default is Everywhere except login and signup pages.

===Profile visible roles===
Any role which is checked/ticked here will be visible on user profiles and the Participation screen.

===Maximum uploaded file size===

Probably the most frequently asked question in the Moodle.org Using Moodle forums is "How do I increase the upload file size limit?"

Upload file sizes are restricted in a number of ways - each one in this list restricts the following ones:

1. The Apache server setting LimitRequestBody ... default in Apache 2.x or greater is set to 0 or an unlimited upload size

2. The PHP site settings post_max_size and upload_max_filesize in php.ini : '''modify php.ini in web server directories''' ( apache2.x.x/bin/php.ini ) not in php directories :

post_max_size = 128M; to increase limit to 128 Megabytes;
upload_max_filesize = 128M; to increase limit to 128 Megabytes;
max_execution_time = 600 ; Maximum execution time of each script, in seconds;

3. The Moodle site-wide maximum uploaded file size setting: ''Settings > Site administration > Security > Site policies > Maximum uploaded file size''.

4. The Moodle course maximum uploaded file size setting in the course default settings: ''Settings > Site administration > Courses > Course default settings''

5. The file size settings in each individual course in ''Course Administration>Settings''.

5. Certain course activity module settings (for example, Assignment)

* See [[File upload size]] for more details.

===User quota===

The maximum number of bytes that a user can store in their own [[Private files]] area.

===Allow EMBED and OBJECT tags===
Allowing these presents a security risk but if you wish normal users such as students to be able to use them then check the box here.

===Enable trusted content===

By default Moodle will always thoroughly clean text that comes from users to remove any possible bad scripts, media etc that could be a security risk. The Trusted Content system is a way of giving particular users that you trust the ability to include these advanced features in their content without interference. To enable this system, you need to first enable this setting, and then grant the [[Capabilities/moodle/site:trustcontent|Trust submitted content]] capability to a specific Moodle role. Texts created or uploaded by such users will be marked as trusted and will not be cleaned before display.

===Maximum time to edit posts===

This sets the editing time for forum postings. The editing time is the amount of time users have to change forum postings before they are mailed to subscribers.

Please refer to the forum discussions [http://moodle.org/mod/forum/discuss.php?d=28679 Editing a forum post after the 30 minutes deadline] and [http://moodle.org/mod/forum/discuss.php?d=5367 The philosophy underlying "no editing after 30 minutes"]

===Full name format===

This setting has been moved in Moodle 2.6 onwards to ''Administration > Site administration > Users > Permissions > [[Roles settings|User policies]]''.

===Allow extended characters in usernames===

The default here, unchecked = unenabled, can only contain alphabetical letters in lowercase, numbers, hypen '-', underscore '_', period '.', or at sign '@'. If you enable this, it will be possible to have any characters for the username, but they must still be lowercase. This setting would allow you for example to have usernames with accents such as ö or ê and so on.

Note: In Moodle 3.4.2 onwards, the Site policy URL and Site policy URL for guests settings have been moved to 'Policy settings' in the Site administration.

===Keep tag name casing===

If checked, then tags like the following will be displayed: SOCCER, gUiTaR, MacDonalds, music

If unchecked, then all tags will be displayed as follows: Soccer, Guitar, Macdonalds, Music

:''Tips'':
:* For English, off is useful.
:* For Japanese, no changes are made either way.
:* For languages where this kind of capitalization changes the meaning, it is best to keep this option on.

===Profiles for enrolled users only===

To prevent misuse by spammers, profile descriptions of users who are not yet enrolled in any course are hidden. New users must enrol in at least one course before they can add a profile description.

===Cron execution via command line only===

[[Cron]] is an action that runs various administrative jobs on your Moodle such as sending out forum posts. Running the cron from a web browser can expose privileged information to anonymous users. Thus it is recommended to only run the cron from the command line or set a cron password for remote access.

===Cron password for remote access===

Setting a password will mean that users can only run cron from the browser if they know the password and add it like this:
www.YOURMOODLE.com/admin/cron.php/?password=THEPASSWORDYOUSET.

===Account lockout===

Account lockout may be enabled.

Account lockout threshold: After a specified number of failed login attempts, a user's account is locked and they are sent an email containing a URL to unlock the account. Setting this to 'No' means there is no threshold and an account attempting to log in can do so an unlimited number of times.

Account lockout observation window: Observation time for lockout threshold, if there are no failed attempts the threshold counter is reset after this time. This is the counter for how long to watch for more failed attempts by an account trying to log in even after being locked out, the counter will reset at each attempt and last this long.

Account lockout duration: Locked out account is automatically unlocked after this duration.

The account may also be unlocked by an administrator in ''Administration > Site administration > Users > Accounts > Browse list of users'' or by waiting for the account lockout duration to elapse.

===Password policy===

It is highly recommended that a password policy is set to force users to use stronger passwords that are less susceptible to being cracked by a intruder.
[[Image:Password policy.png|thumb|Password policy]]

The password policy includes option to set the minimum length of the password, the minimum number of digits, the minimum number of lower-case characters, the minimum number of upper-case characters and the minimum number of non alphanumeric characters.

The password policy is enabled by default. Default (recommended) settings are:
* Password length - 8
* Digits - 1
* Lowercase letters - 1
* Uppercase letters - 1
* Non-alphanumeric characters - 1

If a user enters a password that does not meet the requirements, they are given an error message indicating the nature of the problem with the entered password.

Enabling the password policy does not affect existing users until they decide to or are required to change their password. An admin can force all users to change their password using the force password change option in [[Bulk user actions]].

:''Tip'': The password policy may also be applied to [[Enrolment key|enrolment keys]] by ticking the 'Use password policy' checkbox in the [[Self enrolment]] settings.

===Password rotation limit===

Here you can specify how often a user must change their password before they can re-use a previous password. Note that this might not work with some external authentication plugins.

===Log out after password change===

By default, users can change their password and remain logged in. Enabling this setting will log them out of existing sessions except the one in which they specify their new password. This setting only applies to users manually changing their password, not to bulk password changes.

===User created token duration===

A new setting in Moodle 3.4 onwards enables the duration of a web services token created by a user (for example via the mobile app) to be set. (Previously the duration was 3 months and this value could not be changed.)

===Group enrolment key policy===
If this is enabled then when a teacher sets a group enrolment key, they will have to set a key which follows the password policy set above. Note that the group enrolment key policy requires the password policy to be enabled.

===Disable user profile images===

Check/tick this box if you don't want your users to be able to change their [[User pictures|profile images]].

===Email change confirmation===

A confirmation step is required for users to change their email address unless the ''emailchangeconfirmation'' box is unchecked.

===Remember username===
If you want usernames to be stored during login then set this to "yes". This will store permanent cookies and in some countries may be considered a privacy issue if used without consent. From a UK point of view, see http://tracker.moodle.org/secure/attachment/24290/UK+Laws+Relating+to+Cookies-LUNS2011.pdf See also the Using Moodle forum discussion [http://moodle.org/mod/forum/discuss.php?d=201558 EU Cookie Law].

===Strict validation of required fields===
If enabled, users are prevented from entering a space or line break only in required fields in forms. (note: add more info)

==See also==
* [[Policies plugin]] - The Policies plugin provides a new user sign-on process, with ability to define multiple policies (site, privacy, third party), track user consents, and manage updates and versioning of the policies

[[es:Políticas del sitio]]
[[eu:Gunearen_politikak]]
[[fr:Règles site]]
[[ja:サイトポリシー]]
[[de:Sicherheitsregeln der Website]]

Security recommendations

2021-05-20T09:50:42Z

Michaelh2: /* See also */

{{Security}}All web application software is highly complex, and every application has security issues that are found from time to time, usually involving some combination of input that the programmers did not anticipate. The Moodle project takes security seriously, and is continuously improving Moodle to close such holes as we find them.

==Introduction==
*This page contains important security measures for your Moodle installation.
*You should report security problems to the [http://tracker.moodle.org/secure/CreateIssue!default.jspa Moodle tracker] (and mark it as a security issue!) so that developers can see it and inform registered Moodle sites about fixes as soon as possible.
*You should not post actual exploits in the forums or elsewhere on the web (to protect Moodle admins who have not upgraded yet).

==Simple security measures==
*The best security strategy is a good backup! But you don't have a good backup unless you are able to restore it. Test your restoration procedures!
*Load only software or services you will use
*Perform regular updates
*Model your security after the layers of clothing you wear on a cold winter day

==Basic recommendations==

;Update Moodle regularly on each release
:Published security holes draw crackers' attention after release. The older the version, the more vulnerabilities it is likely to contain.
; Use https to secure all pages (not just the login page)
:Protect all traffic from your Moodle instance and your users by making all pages accessible via https only. This not only protects passwords on login but also ensures the privacy of your users so that all user data cannot be intercepted or manipulated ("ad injections") from third parties like WLAN providers for example. Free https certificates are available from https://letsencrypt.org/. In addition, set httpslogin=yes in your moodle config to add an extra layer of protection for submitting login credentials.
;[[admin/environment/custom check/php check register globals|Register globals '''MUST''' be disabled]]
:This will help prevent against possible XSS problems in third-party scripts.
;Run the [[Security_overview_report|Security Overview Report]]
:This identifies various configurations within your Moodle site that may pose a security risk, so any issues raised by that report should be investigated and action taken if necessary.
;Use strong passwords for admin and teachers
:Choosing "difficult" passwords is a basic security practice to protect against "brute force" cracking of accounts.
;Only give teacher accounts to trusted users. Avoid creating public sandboxes with free teacher accounts on production servers.
:Teacher accounts have much more liberal permissions and it is easier to create situations where data can be abused or stolen.
;Separate your systems as much as possible
:Another basic security technique is to use different passwords on different systems, use different machines for different services and so on. This will prevent damage being widespread even if one account or one server is compromised.

==Run regular updates==
*Use auto update systems
*Windows Update
*Linux: up2date, yum, apt-get
:Consider automating updates with a script scheduled via cron
*Mac OSX update system
*Stay current with php, apache, and moodle

==Use mailing lists to stay updated==
*CERT - http://www.us-cert.gov/cas/signup.html
*PHP - http://www.php.net/mailing-lists.php - sign up for Announcements list
*MySQL - http://lists.mysql.com - sign up for MySQL Announcements

==Firewalls==
*Security experts recommend a dual firewall
:Differing hardware/software combinations
*Disabling unused services is often as effective as a firewall
:Use netstat -a to review open network ports
*Not a guarantee of protection
*Allow ports
:80, 443(ssl), and 9111 (for chat),
:Remote admin: ssh 22, or rdp 3389

==Password policy==

A password policy may be set up in ''Settings > Site administration > Security > [[Site policies]]''.

There is a check box to determine if password complexity should be enforced or not, the option to set the minimum length of the password, the minimum number of digits, the minimum number of lowercase characters, the minimum number of uppercase characters and the minimum number of non alphanumeric characters.

If a user enters a password that does not meet those requirements, they are given an error message indicating the nature of the problem with the entered password.

Enforcing password complexity along with requiring users to change their initial password go a long way in helping ensure that users choose and are in fact using "good passwords".

However, making the check too onerous just results in them writing it down so be realistic.

==Be prepared for the worst==
*Have backups ready
*Practice recovery procedures ahead of time
*Use a rootkit detector on a regular basis
**Linux/MacOSX - http://www.chkrootkit.org/
**Windows - http://technet.microsoft.com/en-en/sysinternals/bb897445.aspx and http://technet.microsoft.com/de-de/sysinternals/bb897445.aspx

==Moodle security alerts==
*Register your site with Moodle.org
:Registered users receive email alerts
*Security alerts also posted online
*Web - http://moodle.org/security
*RSS feed - http://moodle.org/rss/file.php/1/1/forum/996/rss.xml

==Miscellaneous considerations==
These are all things you might consider that impact your overall security:
*Use the secure forms setting
*Always set a mysql root user password
*Turn off mysql network access
*Use SSL, httpslogins=yes
*Use good passwords - set up a password policy in ''Settings > Site administration > Security > [[Site policies]]''
*Do not enable the ''opentowebcrawlers'' setting (in ''Settings > Site administration > Security > [[Site policies]]'')
*Disable guest access
*Place enrollment keys on all courses or set Course Enrollable = No for all courses
*Ensure the enrolment key hint is disabled (which it is by default) in ''Administration > Site administration > Plugins > Enrolment > Self enrolment.''

==Most secure/paranoid file permissions==

'''Note''': The following information applies to Linux/Unix based installations only, as MS Windows permission system is quite different.

Depending on your server set-up there are two different scenarios:
# You are running Moodle on your own dedicated server.
# You are running Moodle on a shared hosting environment.

In the sections below, you are required to use the web service user account and group to set the permissions, so you need to know them. This can vary quite a bit from server to server but if this feature has not been disabled in your server, you can go to ''<nowiki>http://your.moodle.site/admin/phpinfo.php</nowiki>'' (logging in as admin), and then search for the line that reads 'User/Group', inside the 'apache' table. For example, I get 'www-data' for the user account and 'www-data' for the group too.

=== Running Moodle on a dedicated server ===
Assuming you are running Moodle on a sealed server (i.e. no user logins allowed on the machine) and that root takes care of the modifications to both moodle code and moodle config (config.php), then this are the most tight permissions I can think of:

1. moodledata directory and all of its contents (and subdirectories, includes sessions):
owner: apache user (apache, httpd, www-data, whatever; see above)
group: apache group (apache, httpd, www-data, whatever; see above)
permissions: 700 on directories, 600 on files

2. moodle directory and all of its contents and subdirectories (including config.php):
owner: root
group: root
permissions: 755 on directories, 644 on files.

If you allow local logins for regular users, then 2. should be:
owner: root
group: apache group (apache, httpd, www-data, whatever; see above)
permissions: 750 on directories, 640 on files.

Think of these permissions as the most paranoid ones. You can be secure enough with less tighter permissions, both in moodledata and moodle directories (and subdirectories).

=== Running Moodle on a shared hosting environment ===
If you are running Moodle on a shared hosting environment, then above permissions are probably wrong. If you set 700 as the permission for directories (and 600 for files), you are probably denying the web service user account access to your directories and files.

If you want to tighten your permissions as much as possible, you will need to know:

# the user account and the group the web service is running under (see above).
# the owner of the directories/files of both moodledata and the moodle directory (this should normally be your client user account), and the group of the directories/files. You can usually get this information from the file manager of your hosting control panel. Go to the moodle folder and pick any directory or file and try to view/change the permissions, owner and group of that file. That would normally show the current permissions, owner and group. Do the same for the moodledata directory.

Then, depending on the following scenarios you should use a different set of permissions (listed from more secure to less secure) for your moodledata directory:

# if the web service account and the owner of the directories/files is the same, you should use 700 for directories and 600 for files.
# if the web service group and the group of the directories/files is the same, you should use 770 for directories and 660 for the files.
# if none of the above, you will need to use 777 for directories and 666 for files, which is less secure but it is your only option. 707 and 606 would be more secure, but it might or might not work, depending on your particular setup.

In fact, you just need to set moodledata the permissions specified above, as all the directories and files inside are created by the web service itself, and will have the right permissions.

Regarding the moodle directory, as long as the web service user account can read the files plus read and execute the directories, that should be enough. There is no need to grant write permission to the web service account/group on any of the files or subdirectories. The only drawback is that you will need to create the config.php by hand during the installation process, as Moodle will not be able to create it. But that should not be a big problem.

==See also==

*[[Security FAQ]]
*[https://moodle.com/news/top-security-tips-for-moodle-administrators/ Top security tips for Moodle administrators article]
Using Moodle forum discussions:
*[http://moodle.org/mod/forum/discuss.php?d=39404 Guide to Securing your Moodle Server]
*[http://moodle.org/mod/forum/discuss.php?d=93561 How to secure Moodle website from hacking] including recommendations on emergency recovery

[[es:Recomendaciones de Seguridad]]
[[fr:Sécurité]]

Security checks

2021-04-13T10:06:19Z

Michaelh2:

{{Security}}
A security overview report is available via 'Security checks' in the Site administration "Reports" section.

Some of the checks included are as follows:

*[[report/security/report security check globals|Register globals]]
:register_globals is a PHP setting that must be disabled for Moodle to operate safely.

*[[report/security/report security check unsecuredataroot|Insecure dataroot]]
:The dataroot is the directory where Moodle stores user files. It should not be directly accessible via the web.

*[[report/security/report security check displayerrors|Displaying of PHP errors]]
:If PHP is set to display errors, then anyone can enter a faulty URL causing PHP to give up valuable information about directory structures and so on.

*[[Vendor directory security check|Vendor directory]]
:The vendor directory should not be present on public sites.

*[[report/security/report security check noauth|No authentication]]
:Use of the "no authentication" plugin can be dangerous, allowing people to access the site without authenticating.

*[[report/security/report security check embed|Allow EMBED and OBJECT]]
:Allowing ordinary users to embed Flash and other media in their texts (eg forum posts) can be a problem because those rich media objects can be used to steal admin or teacher access, even if the media object is on another server.

*[[report/security/report_security_check_preventexecpath|Execuable paths]]
:Allowing executable paths to be set via the Admin GUI is a vector for privilege escalation. This can be prevented by setting the following config.php: <code php>$CFG->preventexecpath = true;</code>

*[[report/security/report security check mediafilterswf‎|Enabled .swf media filter]]
:Even the flash media filter can be abused to include malicious flash files.

*[[report/security/report security check openprofiles|Open user profiles]]
:User profiles should not be open to the web without authentication, both for privacy reasons and because spammers then have a platform to publish spam on your site.

*[[report/security/report security check google|Open to Google]]
:Allowing Google to enter your site means that all the contents become available to the world. Don't use this unless it's a really public site.

*[[report/security/report security check passwordpolicy|Password policy]]
:Using a password policy will force your users to use stronger passwords that are less susceptible to being cracked by a intruder.

*[[Password salting|Password salt]]
:Setting a password salt greatly reduces the risk of password theft.

*[[report/security/report security check emailchangeconfirmation‎|Email change confirmation]]
:You should generally always force users to confirm email address changes via an extra step where a confirmation link is sent to the user.

*[[report/security/report security check cookiesecure|Secure cookies]]
:It is recommended to use secure cookies only when serving over SSL.

*[[report/security/report security check configrw|Writable config.php]]
:The config.php file must not be writeable by the web server process. If it is, then it is possible for another vulnerability to allow attackers to rewrite the Moodle code and display whatever they want.

*[[report/security/report security check riskxss|XSS trusted users]]
:Make sure that you trust all the people on this list: they are the ones with permissions to potentially write XSS exploits in forums etc.

*[[report/security/report security check riskadmin|Administrators]]
:Review your administrator accounts and make sure you only have what you need.

*[[Backup of user data]]
:Make sure that only roles that need to backup user data can do so and that all users who have the capability are trusted.

*[[report/security/report security check defaultuserrole‎ |Default role for all users]]
:This checks that the registered user role is defined with sane permissions.

*[[report/security/report security check guestrole|Guest role]]
:This checks that the guest role is defined with sane permissions.

*[[report/security/report security check frontpagerole‎|Frontpage role]]
:This checks that the frontpage user role is defined with sane permissions.

==See also==

* [http://moodle.org/mod/forum/view.php?id=7301 Security and Privacy forum] on moodle.org

[[Category:Report]]
[[Category:Site administration]]

[[de:Sicherheitsbericht]]
[[es:Reporte Vista general de Seguridad]]
[[eu:Seguratasunaren_ikuspegi_orokorra]]
[[fr:Panorama de sécurité]]
[[ja:セキュリティオーバービュー]]

Security recommendations

2021-04-13T09:59:11Z

Michaelh2: /* Basic recommendations */

{{Security}}All web application software is highly complex, and every application has security issues that are found from time to time, usually involving some combination of input that the programmers did not anticipate. The Moodle project takes security seriously, and is continuously improving Moodle to close such holes as we find them.

==Introduction==
*This page contains important security measures for your Moodle installation.
*You should report security problems to the [http://tracker.moodle.org/secure/CreateIssue!default.jspa Moodle tracker] (and mark it as a security issue!) so that developers can see it and inform registered Moodle sites about fixes as soon as possible.
*You should not post actual exploits in the forums or elsewhere on the web (to protect Moodle admins who have not upgraded yet).

==Simple security measures==
*The best security strategy is a good backup! But you don't have a good backup unless you are able to restore it. Test your restoration procedures!
*Load only software or services you will use
*Perform regular updates
*Model your security after the layers of clothing you wear on a cold winter day

==Basic recommendations==

;Update Moodle regularly on each release
:Published security holes draw crackers' attention after release. The older the version, the more vulnerabilities it is likely to contain.
; Use https to secure all pages (not just the login page)
:Protect all traffic from your Moodle instance and your users by making all pages accessible via https only. This not only protects passwords on login but also ensures the privacy of your users so that all user data cannot be intercepted or manipulated ("ad injections") from third parties like WLAN providers for example. Free https certificates are available from https://letsencrypt.org/. In addition, set httpslogin=yes in your moodle config to add an extra layer of protection for submitting login credentials.
;[[admin/environment/custom check/php check register globals|Register globals '''MUST''' be disabled]]
:This will help prevent against possible XSS problems in third-party scripts.
;Run the [[Security_overview_report|Security Overview Report]]
:This identifies various configurations within your Moodle site that may pose a security risk, so any issues raised by that report should be investigated and action taken if necessary.
;Use strong passwords for admin and teachers
:Choosing "difficult" passwords is a basic security practice to protect against "brute force" cracking of accounts.
;Only give teacher accounts to trusted users. Avoid creating public sandboxes with free teacher accounts on production servers.
:Teacher accounts have much more liberal permissions and it is easier to create situations where data can be abused or stolen.
;Separate your systems as much as possible
:Another basic security technique is to use different passwords on different systems, use different machines for different services and so on. This will prevent damage being widespread even if one account or one server is compromised.

==Run regular updates==
*Use auto update systems
*Windows Update
*Linux: up2date, yum, apt-get
:Consider automating updates with a script scheduled via cron
*Mac OSX update system
*Stay current with php, apache, and moodle

==Use mailing lists to stay updated==
*CERT - http://www.us-cert.gov/cas/signup.html
*PHP - http://www.php.net/mailing-lists.php - sign up for Announcements list
*MySQL - http://lists.mysql.com - sign up for MySQL Announcements

==Firewalls==
*Security experts recommend a dual firewall
:Differing hardware/software combinations
*Disabling unused services is often as effective as a firewall
:Use netstat -a to review open network ports
*Not a guarantee of protection
*Allow ports
:80, 443(ssl), and 9111 (for chat),
:Remote admin: ssh 22, or rdp 3389

==Password policy==

A password policy may be set up in ''Settings > Site administration > Security > [[Site policies]]''.

There is a check box to determine if password complexity should be enforced or not, the option to set the minimum length of the password, the minimum number of digits, the minimum number of lowercase characters, the minimum number of uppercase characters and the minimum number of non alphanumeric characters.

If a user enters a password that does not meet those requirements, they are given an error message indicating the nature of the problem with the entered password.

Enforcing password complexity along with requiring users to change their initial password go a long way in helping ensure that users choose and are in fact using "good passwords".

However, making the check too onerous just results in them writing it down so be realistic.

==Be prepared for the worst==
*Have backups ready
*Practice recovery procedures ahead of time
*Use a rootkit detector on a regular basis
**Linux/MacOSX - http://www.chkrootkit.org/
**Windows - http://technet.microsoft.com/en-en/sysinternals/bb897445.aspx and http://technet.microsoft.com/de-de/sysinternals/bb897445.aspx

==Moodle security alerts==
*Register your site with Moodle.org
:Registered users receive email alerts
*Security alerts also posted online
*Web - http://moodle.org/security
*RSS feed - http://moodle.org/rss/file.php/1/1/forum/996/rss.xml

==Miscellaneous considerations==
These are all things you might consider that impact your overall security:
*Use the secure forms setting
*Always set a mysql root user password
*Turn off mysql network access
*Use SSL, httpslogins=yes
*Use good passwords - set up a password policy in ''Settings > Site administration > Security > [[Site policies]]''
*Do not enable the ''opentowebcrawlers'' setting (in ''Settings > Site administration > Security > [[Site policies]]'')
*Disable guest access
*Place enrollment keys on all courses or set Course Enrollable = No for all courses
*Ensure the enrolment key hint is disabled (which it is by default) in ''Administration > Site administration > Plugins > Enrolment > Self enrolment.''

==Most secure/paranoid file permissions==

'''Note''': The following information applies to Linux/Unix based installations only, as MS Windows permission system is quite different.

Depending on your server set-up there are two different scenarios:
# You are running Moodle on your own dedicated server.
# You are running Moodle on a shared hosting environment.

In the sections below, you are required to use the web service user account and group to set the permissions, so you need to know them. This can vary quite a bit from server to server but if this feature has not been disabled in your server, you can go to ''<nowiki>http://your.moodle.site/admin/phpinfo.php</nowiki>'' (logging in as admin), and then search for the line that reads 'User/Group', inside the 'apache' table. For example, I get 'www-data' for the user account and 'www-data' for the group too.

=== Running Moodle on a dedicated server ===
Assuming you are running Moodle on a sealed server (i.e. no user logins allowed on the machine) and that root takes care of the modifications to both moodle code and moodle config (config.php), then this are the most tight permissions I can think of:

1. moodledata directory and all of its contents (and subdirectories, includes sessions):
owner: apache user (apache, httpd, www-data, whatever; see above)
group: apache group (apache, httpd, www-data, whatever; see above)
permissions: 700 on directories, 600 on files

2. moodle directory and all of its contents and subdirectories (including config.php):
owner: root
group: root
permissions: 755 on directories, 644 on files.

If you allow local logins for regular users, then 2. should be:
owner: root
group: apache group (apache, httpd, www-data, whatever; see above)
permissions: 750 on directories, 640 on files.

Think of these permissions as the most paranoid ones. You can be secure enough with less tighter permissions, both in moodledata and moodle directories (and subdirectories).

=== Running Moodle on a shared hosting environment ===
If you are running Moodle on a shared hosting environment, then above permissions are probably wrong. If you set 700 as the permission for directories (and 600 for files), you are probably denying the web service user account access to your directories and files.

If you want to tighten your permissions as much as possible, you will need to know:

# the user account and the group the web service is running under (see above).
# the owner of the directories/files of both moodledata and the moodle directory (this should normally be your client user account), and the group of the directories/files. You can usually get this information from the file manager of your hosting control panel. Go to the moodle folder and pick any directory or file and try to view/change the permissions, owner and group of that file. That would normally show the current permissions, owner and group. Do the same for the moodledata directory.

Then, depending on the following scenarios you should use a different set of permissions (listed from more secure to less secure) for your moodledata directory:

# if the web service account and the owner of the directories/files is the same, you should use 700 for directories and 600 for files.
# if the web service group and the group of the directories/files is the same, you should use 770 for directories and 660 for the files.
# if none of the above, you will need to use 777 for directories and 666 for files, which is less secure but it is your only option. 707 and 606 would be more secure, but it might or might not work, depending on your particular setup.

In fact, you just need to set moodledata the permissions specified above, as all the directories and files inside are created by the web service itself, and will have the right permissions.

Regarding the moodle directory, as long as the web service user account can read the files plus read and execute the directories, that should be enough. There is no need to grant write permission to the web service account/group on any of the files or subdirectories. The only drawback is that you will need to create the config.php by hand during the installation process, as Moodle will not be able to create it. But that should not be a big problem.

==See also==

*[[Security FAQ]]
Using Moodle forum discussions:
*[http://moodle.org/mod/forum/discuss.php?d=39404 Guide to Securing your Moodle Server]
*[http://moodle.org/mod/forum/discuss.php?d=93561 How to secure Moodle website from hacking] including recommendations on emergency recovery

[[es:Recomendaciones de Seguridad]]
[[fr:Sécurité]]

Security recommendations

2021-04-13T09:56:29Z

Michaelh2: /* Basic recommendations */

{{Security}}All web application software is highly complex, and every application has security issues that are found from time to time, usually involving some combination of input that the programmers did not anticipate. The Moodle project takes security seriously, and is continuously improving Moodle to close such holes as we find them.

==Introduction==
*This page contains important security measures for your Moodle installation.
*You should report security problems to the [http://tracker.moodle.org/secure/CreateIssue!default.jspa Moodle tracker] (and mark it as a security issue!) so that developers can see it and inform registered Moodle sites about fixes as soon as possible.
*You should not post actual exploits in the forums or elsewhere on the web (to protect Moodle admins who have not upgraded yet).

==Simple security measures==
*The best security strategy is a good backup! But you don't have a good backup unless you are able to restore it. Test your restoration procedures!
*Load only software or services you will use
*Perform regular updates
*Model your security after the layers of clothing you wear on a cold winter day

==Basic recommendations==

;Update Moodle regularly on each release
:Published security holes draw crackers' attention after release. The older the version, the more vulnerabilities it is likely to contain.
; Use https to secure all pages (not just the login page)
:Protect all traffic from your Moodle instance and your users by making all pages accessible via https only. This not only protects passwords on login but also ensures the privacy of your users so that all user data cannot be intercepted or manipulated ("ad injections") from third parties like WLAN providers for example. Free https certificates are available from https://letsencrypt.org/. In addition, set httpslogin=yes in your moodle config to add an extra layer of protection for submitting login credentials.
;[[admin/environment/custom check/php check register globals|Register globals '''MUST''' be disabled]]
:This will help prevent against possible XSS problems in third-party scripts.
;Run the [[Security_overview_report|Security Overview Report]] and address any issues identified.
;Use strong passwords for admin and teachers
:Choosing "difficult" passwords is a basic security practice to protect against "brute force" cracking of accounts.
;Only give teacher accounts to trusted users. Avoid creating public sandboxes with free teacher accounts on production servers.
:Teacher accounts have much more liberal permissions and it is easier to create situations where data can be abused or stolen.
;Separate your systems as much as possible
:Another basic security technique is to use different passwords on different systems, use different machines for different services and so on. This will prevent damage being widespread even if one account or one server is compromised.

==Run regular updates==
*Use auto update systems
*Windows Update
*Linux: up2date, yum, apt-get
:Consider automating updates with a script scheduled via cron
*Mac OSX update system
*Stay current with php, apache, and moodle

==Use mailing lists to stay updated==
*CERT - http://www.us-cert.gov/cas/signup.html
*PHP - http://www.php.net/mailing-lists.php - sign up for Announcements list
*MySQL - http://lists.mysql.com - sign up for MySQL Announcements

==Firewalls==
*Security experts recommend a dual firewall
:Differing hardware/software combinations
*Disabling unused services is often as effective as a firewall
:Use netstat -a to review open network ports
*Not a guarantee of protection
*Allow ports
:80, 443(ssl), and 9111 (for chat),
:Remote admin: ssh 22, or rdp 3389

==Password policy==

A password policy may be set up in ''Settings > Site administration > Security > [[Site policies]]''.

There is a check box to determine if password complexity should be enforced or not, the option to set the minimum length of the password, the minimum number of digits, the minimum number of lowercase characters, the minimum number of uppercase characters and the minimum number of non alphanumeric characters.

If a user enters a password that does not meet those requirements, they are given an error message indicating the nature of the problem with the entered password.

Enforcing password complexity along with requiring users to change their initial password go a long way in helping ensure that users choose and are in fact using "good passwords".

However, making the check too onerous just results in them writing it down so be realistic.

==Be prepared for the worst==
*Have backups ready
*Practice recovery procedures ahead of time
*Use a rootkit detector on a regular basis
**Linux/MacOSX - http://www.chkrootkit.org/
**Windows - http://technet.microsoft.com/en-en/sysinternals/bb897445.aspx and http://technet.microsoft.com/de-de/sysinternals/bb897445.aspx

==Moodle security alerts==
*Register your site with Moodle.org
:Registered users receive email alerts
*Security alerts also posted online
*Web - http://moodle.org/security
*RSS feed - http://moodle.org/rss/file.php/1/1/forum/996/rss.xml

==Miscellaneous considerations==
These are all things you might consider that impact your overall security:
*Use the secure forms setting
*Always set a mysql root user password
*Turn off mysql network access
*Use SSL, httpslogins=yes
*Use good passwords - set up a password policy in ''Settings > Site administration > Security > [[Site policies]]''
*Do not enable the ''opentowebcrawlers'' setting (in ''Settings > Site administration > Security > [[Site policies]]'')
*Disable guest access
*Place enrollment keys on all courses or set Course Enrollable = No for all courses
*Ensure the enrolment key hint is disabled (which it is by default) in ''Administration > Site administration > Plugins > Enrolment > Self enrolment.''

==Most secure/paranoid file permissions==

'''Note''': The following information applies to Linux/Unix based installations only, as MS Windows permission system is quite different.

Depending on your server set-up there are two different scenarios:
# You are running Moodle on your own dedicated server.
# You are running Moodle on a shared hosting environment.

In the sections below, you are required to use the web service user account and group to set the permissions, so you need to know them. This can vary quite a bit from server to server but if this feature has not been disabled in your server, you can go to ''<nowiki>http://your.moodle.site/admin/phpinfo.php</nowiki>'' (logging in as admin), and then search for the line that reads 'User/Group', inside the 'apache' table. For example, I get 'www-data' for the user account and 'www-data' for the group too.

=== Running Moodle on a dedicated server ===
Assuming you are running Moodle on a sealed server (i.e. no user logins allowed on the machine) and that root takes care of the modifications to both moodle code and moodle config (config.php), then this are the most tight permissions I can think of:

1. moodledata directory and all of its contents (and subdirectories, includes sessions):
owner: apache user (apache, httpd, www-data, whatever; see above)
group: apache group (apache, httpd, www-data, whatever; see above)
permissions: 700 on directories, 600 on files

2. moodle directory and all of its contents and subdirectories (including config.php):
owner: root
group: root
permissions: 755 on directories, 644 on files.

If you allow local logins for regular users, then 2. should be:
owner: root
group: apache group (apache, httpd, www-data, whatever; see above)
permissions: 750 on directories, 640 on files.

Think of these permissions as the most paranoid ones. You can be secure enough with less tighter permissions, both in moodledata and moodle directories (and subdirectories).

=== Running Moodle on a shared hosting environment ===
If you are running Moodle on a shared hosting environment, then above permissions are probably wrong. If you set 700 as the permission for directories (and 600 for files), you are probably denying the web service user account access to your directories and files.

If you want to tighten your permissions as much as possible, you will need to know:

# the user account and the group the web service is running under (see above).
# the owner of the directories/files of both moodledata and the moodle directory (this should normally be your client user account), and the group of the directories/files. You can usually get this information from the file manager of your hosting control panel. Go to the moodle folder and pick any directory or file and try to view/change the permissions, owner and group of that file. That would normally show the current permissions, owner and group. Do the same for the moodledata directory.

Then, depending on the following scenarios you should use a different set of permissions (listed from more secure to less secure) for your moodledata directory:

# if the web service account and the owner of the directories/files is the same, you should use 700 for directories and 600 for files.
# if the web service group and the group of the directories/files is the same, you should use 770 for directories and 660 for the files.
# if none of the above, you will need to use 777 for directories and 666 for files, which is less secure but it is your only option. 707 and 606 would be more secure, but it might or might not work, depending on your particular setup.

In fact, you just need to set moodledata the permissions specified above, as all the directories and files inside are created by the web service itself, and will have the right permissions.

Regarding the moodle directory, as long as the web service user account can read the files plus read and execute the directories, that should be enough. There is no need to grant write permission to the web service account/group on any of the files or subdirectories. The only drawback is that you will need to create the config.php by hand during the installation process, as Moodle will not be able to create it. But that should not be a big problem.

==See also==

*[[Security FAQ]]
Using Moodle forum discussions:
*[http://moodle.org/mod/forum/discuss.php?d=39404 Guide to Securing your Moodle Server]
*[http://moodle.org/mod/forum/discuss.php?d=93561 How to secure Moodle website from hacking] including recommendations on emergency recovery

[[es:Recomendaciones de Seguridad]]
[[fr:Sécurité]]

HTTP security

2021-04-13T06:01:04Z

Michaelh2:

{{Security}}
*In Moodle 3.4 onwards, the setting 'Use HTTPS for logins' (loginhttps) has been removed.
* There is a [[HTTPS conversion tool]] for converting embedded content to HTTPS.

==Secure cookies only==

It is recommended to use secure cookies only when serving over [https://en.wikipedia.org/wiki/Transport_Layer_Security SSL]. When not serving over SSL, the setting is ignored. In Moodle 3.1.2 onwards, the 'Secure cookies only' default setting is on.

==cURL blocked hosts list==

This allows you to block Moodle's cURL implementation from accessing the specified hosts, wherever it is used to fetch content (such as by the URL downloader in the file picker). Generally it is recommended that as a minimum this is configured to prevent access to any internal network resources. The following is an example list of hosts which can be configured, which prevents access to various versions of "localhost", as well as an address commonly used by AWS and some other cloud providers to provide meta data about the server instance (169.254.169.254):

<code php>
127.0.0.1
192.168.0.0/16
10.0.0.0/8
172.16.0.0/12
0.0.0.0
localhost
169.254.169.254
0000::1
</code>

In future, some logical default values such as those above will be configured automatically for new Moodle sites. See MDL-56873 for more details.

'''Note:''' In addition to configuring this at the application level via this setting, it is also recommended that sufficient firewall/network security measures are in place, including restricting access to internal network endpoints to those users/services that require them.

==cURL allowed ports list==

This allows you to restrict Moodle's cURL implementation to only access the specified list of port numbers, wherever it is used to fetch content (such as by the URL downloader in the file picker). Generally it is recommended that this is configured to only allow standard web ports, as follows:

<code php>
80
443
</code>

In future, some logical default values such as those above will be configured automatically for new Moodle sites. See MDL-56873 for more details.

'''Note:''' In addition to configuring this at the application level via this setting, it is also recommended that sufficient firewall/network security measures are in place, including restricting access to open ports on the internal network to those users/services that require them.

==See also==

* MDL-55662 for removing the secure cookies only setting

[[Category:Site administration]]

[[de:HTTP-Sicherheit]]
[[es:Seguridad HTTP]]

Security recommendations

2020-11-12T08:56:42Z

Michaelh2: /* Miscellaneous considerations */

{{Security}}All web application software is highly complex, and every application has security issues that are found from time to time, usually involving some combination of input that the programmers did not anticipate. The Moodle project takes security seriously, and is continuously improving Moodle to close such holes as we find them.

==Introduction==
*This page contains important security measures for your Moodle installation.
*You should report security problems to the [http://tracker.moodle.org/secure/CreateIssue!default.jspa Moodle tracker] (and mark it as a security issue!) so that developers can see it and inform registered Moodle sites about fixes as soon as possible.
*You should not post actual exploits in the forums or elsewhere on the web (to protect Moodle admins who have not upgraded yet).

==Simple security measures==
*The best security strategy is a good backup! But you don't have a good backup unless you are able to restore it. Test your restoration procedures!
*Load only software or services you will use
*Perform regular updates
*Model your security after the layers of clothing you wear on a cold winter day

==Basic recommendations==

;Update Moodle regularly on each release
:Published security holes draw crackers attention after release. The older the version, the more vulnerabilities it is likely to contain.
; Use https to secure all pages (not just the login page)
:Protect all traffic from your Moodle instance and your users by making all pages accessible via https only. This not only protects passwords on login but also ensures the privacy of your users so that all user data cannot be intercepted or manipulated ("ad injections") from third parties like WLAN providers for example. Free https certificates are available from https://letsencrypt.org/. In addition, set httpslogin=yes in your moodle config to add an extra layer of protection for submitting login credentials.
;[[admin/environment/custom check/php check register globals|Register globals '''MUST''' be disabled]]
:This will help prevent against possible XSS problems in third-party scripts.
;Use strong passwords for admin and teachers
:Choosing "difficult" passwords is a basic security practice to protect against "brute force" cracking of accounts.
;Only give teacher accounts to trusted users. Avoid creating public sandboxes with free teacher accounts on production servers.
:Teacher accounts have much freer permissions and it is easier to create situations where data can be abused or stolen.
;Separate your systems as much as possible
:Another basic security technique is to use different passwords on different systems, use different machines for different services and so on. This will prevent damage being widespread even if one account or one server is compromised.

==Run regular updates==
*Use auto update systems
*Windows Update
*Linux: up2date, yum, apt-get
:Consider automating updates with a script scheduled via cron
*Mac OSX update system
*Stay current with php, apache, and moodle

==Use mailing lists to stay updated==
*CERT - http://www.us-cert.gov/cas/signup.html
*PHP - http://www.php.net/mailing-lists.php - sign up for Announcements list
*MySQL - http://lists.mysql.com - sign up for MySQL Announcements

==Firewalls==
*Security experts recommend a dual firewall
:Differing hardware/software combinations
*Disabling unused services is often as effective as a firewall
:Use netstat -a to review open network ports
*Not a guarantee of protection
*Allow ports
:80, 443(ssl), and 9111 (for chat),
:Remote admin: ssh 22, or rdp 3389

==Password policy==

A password policy may be set up in ''Settings > Site administration > Security > [[Site policies]]''.

There is a check box to determine if password complexity should be enforced or not, the option to set the minimum length of the password, the minimum number of digits, the minimum number of lowercase characters, the minimum number of uppercase characters and the minimum number of non alphanumeric characters.

If a user enters a password that does not meet those requirements, they are given an error message indicating the nature of the problem with the entered password.

Enforcing password complexity along with requiring users to change their initial password go a long way in helping ensure that users choose and are in fact using "good passwords".

However, making the check too onerous just results in them writing it down so be realistic.

==Be prepared for the worst==
*Have backups ready
*Practice recovery procedures ahead of time
*Use a rootkit detector on a regular basis
**Linux/MacOSX - http://www.chkrootkit.org/
**Windows - http://technet.microsoft.com/en-en/sysinternals/bb897445.aspx and http://technet.microsoft.com/de-de/sysinternals/bb897445.aspx

==Moodle security alerts==
*Register your site with Moodle.org
:Registered users receive email alerts
*Security alerts also posted online
*Web - http://moodle.org/security
*RSS feed - http://moodle.org/rss/file.php/1/1/forum/996/rss.xml

==Miscellaneous considerations==
These are all things you might consider that impact your overall security:
*Use the secure forms setting
*Always set a mysql root user password
*Turn off mysql network access
*Use SSL, httpslogins=yes
*Use good passwords - set up a password policy in ''Settings > Site administration > Security > [[Site policies]]''
*Do not enable the ''opentowebcrawlers'' setting (in ''Settings > Site administration > Security > [[Site policies]]'')
*Disable guest access
*Place enrollment keys on all courses or set Course Enrollable = No for all courses
*Ensure the enrolment key hint is disabled (which it is by default) in ''Administration > Site administration > Plugins > Enrolment > Self enrolment.''

==Most secure/paranoid file permissions==

'''Note''': The following information applies to Linux/Unix based installations only, as MS Windows permission system is quite different.

Depending on your server set-up there are two different scenarios:
# You are running Moodle on your own dedicated server.
# You are running Moodle on a shared hosting environment.

In the sections below, you are required to use the web service user account and group to set the permissions, so you need to know them. This can vary quite a bit from server to server but if this feature has not been disabled in your server, you can go to ''<nowiki>http://your.moodle.site/admin/phpinfo.php</nowiki>'' (logging in as admin), and then search for the line that reads 'User/Group', inside the 'apache' table. For example, I get 'www-data' for the user account and 'www-data' for the group too.

=== Running Moodle on a dedicated server ===
Assuming you are running Moodle on a sealed server (i.e. no user logins allowed on the machine) and that root takes care of the modifications to both moodle code and moodle config (config.php), then this are the most tight permissions I can think of:

1. moodledata directory and all of its contents (and subdirectories, includes sessions):
owner: apache user (apache, httpd, www-data, whatever; see above)
group: apache group (apache, httpd, www-data, whatever; see above)
permissions: 700 on directories, 600 on files

2. moodle directory and all of its contents and subdirectories (including config.php):
owner: root
group: root
permissions: 755 on directories, 644 on files.

If you allow local logins for regular users, then 2. should be:
owner: root
group: apache group (apache, httpd, www-data, whatever; see above)
permissions: 750 on directories, 640 on files.

Think of these permissions as the most paranoid ones. You can be secure enough with less tighter permissions, both in moodledata and moodle directories (and subdirectories).

=== Running Moodle on a shared hosting environment ===
If you are running Moodle on a shared hosting environment, then above permissions are probably wrong. If you set 700 as the permission for directories (and 600 for files), you are probably denying the web service user account access to your directories and files.

If you want to tighten your permissions as much as possible, you will need to know:

# the user account and the group the web service is running under (see above).
# the owner of the directories/files of both moodledata and the moodle directory (this should normally be your client user account), and the group of the directories/files. You can usually get this information from the file manager of your hosting control panel. Go to the moodle folder and pick any directory or file and try to view/change the permissions, owner and group of that file. That would normally show the current permissions, owner and group. Do the same for the moodledata directory.

Then, depending on the following scenarios you should use a different set of permissions (listed from more secure to less secure) for your moodledata directory:

# if the web service account and the owner of the directories/files is the same, you should use 700 for directories and 600 for files.
# if the web service group and the group of the directories/files is the same, you should use 770 for directories and 660 for the files.
# if none of the above, you will need to use 777 for directories and 666 for files, which is less secure but it is your only option. 707 and 606 would be more secure, but it might or might not work, depending on your particular setup.

In fact, you just need to set moodledata the permissions specified above, as all the directories and files inside are created by the web service itself, and will have the right permissions.

Regarding the moodle directory, as long as the web service user account can read the files plus read and execute the directories, that should be enough. There is no need to grant write permission to the web service account/group on any of the files or subdirectories. The only drawback is that you will need to create the config.php by hand during the installation process, as Moodle will not be able to create it. But that should not be a big problem.

==See also==

*[[Security FAQ]]
Using Moodle forum discussions:
*[http://moodle.org/mod/forum/discuss.php?d=39404 Guide to Securing your Moodle Server]
*[http://moodle.org/mod/forum/discuss.php?d=93561 How to secure Moodle website from hacking] including recommendations on emergency recovery

[[es:Recomendaciones de Seguridad]]
[[fr:Sécurité]]

OAuth 2 LinkedIn service

2019-05-29T05:27:55Z

Michaelh2:

{{OAuth2}}

From 1 May 2019, LinkedIn no longer support their v1 API, which could previously be configured as an OAuth 2 authentication method in Moodle. According to LinkedIn's v2 API [https://docs.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/migration-faq?context=linkedin/consumer/context migration documentation], the new API replaces the old basic user information endpoint with a 'lite' endpoint, which does not include a user's email address (which must be retrieved from a separate endpoint).

Since email address is a required field in Moodle, and our OAuth 2 implementation currently requires all user information to be retrieved from a single endpoint, the LinkedIn v2 API currently appears to be incompatible with Moodle's "Custom OAuth 2 Service" feature.

We are continuing to investigate a workaround for the new API, and will update this documentation further when a solution can be found. In the meantime, if you have any information that may assist with this, please contribute to Tracker issue MDL-65637.
[[es:Servicio OAuth 2 Linkedln]]
[[de:OAuth2 LinkedIn Service]]

report/security/report security check google

2019-05-22T05:56:00Z

Michaelh2:

{{Security overview report}}Allowing search engines to enter your site means that all the contents become available to the world. Don't use this unless it's a really public site.

==See also==

* Using Moodle [http://moodle.org/mod/forum/view.php?id=7301 Security and Privacy forum]

Security FAQ

2019-01-10T07:42:09Z

Michaelh2: /* Who is able to view security issues in the Tracker? */

{{Security}}
==How do I report a security issue?==

See [[:dev:Moodle security procedures|Moodle security procedures]] in the dev docs for details on how to report a security issue.

Previously fixed security issues are listed in the [http://moodle.org/security/ Moodle.org Security news]. If you are unsure whether a problem has been fixed or not, it's best to report it anyway.

==How can I keep my site secure?==

It's good practice to always use the latest stable release of the version you are using. It is safe to upgrade to a more recent version on the branch you are using, say from Moodle 2.X.1 to the latest version on the 2.X branch. [[Git for Administrators|Downloading via Git]] makes it very easy way to do this.

==How do I keep track of recent security issues?==

* [[Site registration | Register your Moodle site with moodle.org]], making sure to enable the option of being notified about security issues and updates. After your registration is accepted, your email address will be automatically added to our low-volume security alerts mailing list.

* Eventually, all important security issues are published to the general public via the [http://moodle.org/mod/forum/view.php?f=996 Moodle Security forum]. You can subscribe to the forum or [http://twitter.com/moodlesecurity follow moodlesecurity on Twitter].

==Who is able to view security issues in the Tracker?==

Depending upon the security level of a Tracker issue, access is restricted to developers, testers or members of the security team. Specific details are available in the [[dev:Tracker guide#When_creating_an_issue|Security Level field description in the Tracker guide]].

==Which versions of Moodle are supported?==

Currently supported versions are listed on [http://download.moodle.org/ download.moodle.org].

==My site was hacked. What do I do?==

See [[Hacked site recovery]].

==How can I reduce spam in Moodle?==

See [[Reducing spam in Moodle]].

==How can I increase privacy in Moodle?==

See [[Increasing privacy in Moodle]].

==How do I enable reCAPTCHA?==

To add spam protection to the [[Email-based self-registration]] new account form with a CAPTCHA element:

#Obtain a reCAPTCHA key from http://recaptcha.net by [https://admin.recaptcha.net/accounts/signup/?next= signing up for an account] (free) then entering a domain.
#Copy and paste the public and private keys provided into the ''recaptchapublickey'' and ''recaptchaprivatekey'' fields in the manage authentication common settings in ''Administration > Plugins > Authentication > [[Manage authentication]]''.
#Click the "Save changes" button at the bottom of the page.
#Follow the settings link for email-based self-registration in ''Administration > Plugins > Authentication > Manage authentication'' and enable the reCAPTCHA element.
#Click the "Save changes" button at the bottom of the page.

==How can I run the security overview report?==

To run the [[Security overview|security overview report]], go to ''Administration > Site administration > Reports > Security overview''.

== I have discovered Cross Site Scripting (XSS) is possible with Moodle ==

Some forms of rich content used by teachers to enhance their courses use the same technologies that malicious users can use for cross-site scripting attacks. If Moodle was solely concerned with security, it would not allow this. However, Moodle is also concerned with education and so a balance has to be struck between securing the system and supporting teachers with their needs.

In order to strike a balance between authoring rich educational content and securing the system, access to post XSS-capable content is controlled by capabilites flagged with the 'XSS risk' - see [[Risks]]. In general this means that admins and teachers can post XSS-capable content, but students can not - see [[XSS_trusted_users]].

Occasionally security bugs are discovered in Moodle's handling of XSS capable content and we are greatful to the community for reporting these through [https://docs.moodle.org/dev/Moodle_security_procedures responsible disclosure]. Before reporting an XSS bug to Moodle, please ensure that the user posting the XSS content does not have capabilities flagged with the XSS risk.

==See also==

* Using Moodle [http://moodle.org/mod/forum/view.php?id=7301 Security and Privacy forum]

[[Category:FAQ]]

[[es:Seguridad FAQ]]