Module security improvements
Moodle has a Module security feature, which lets admins control which activities can be added to which courses.
However, this feature has always been problematic. The main problem arises when you turn it on or off: what happens to courses that already exist is not really what you would want. Here is the existing admin UI:
Admin UI
UI for admins on the course settings form
Existing problems
- If you turn this on, on a site where some courses already exist, and ask for "Restrict modules for: requested courses" and turn on "Restrict modules by default", then actually the restrictions are not applied to any of the existing courses.
- If you create a course using some method other than the basic create course admin UI, then the restrictions are not applied. (MDL-11894)
- In the database, we store a list of all allowed modules for all existing courses (in the course_allowed_modules table), which means that if the admin later wants to change the list of allowed modules, it does not really work. (MDL-19125)
- Currently, admins get to ignore these restrictions, and edit the list of which modules are allowed in each course. This should instead be controlled by the specific capabilities moodle/course:adddisallowedmodules and moodle/course:editallowedmodueslist.
Proposal
Proposed UI
Proposed admin UI
http://tracker.moodle.org/secure/attachment/26963/Possible+admin+interface.png
Proposed UI in the course settings, for users with moodle/course:editallowedmodueslist
http://tracker.moodle.org/secure/attachment/26968/Possible+course+settings+UI.png
New capabilities
moodle/course:adddisallowedmodules "Add any activity" - can add any activity to a course, even when some have been disallowed. By default given to Manager role.
moodle/course:editallowedmodueslist "Edit the allowed activities in a course" - edit the list of allowed modules in this course, where the admin has not set it to "Can be added to any course" or "Cannot be added to any course". By default given to Manager role.
Database changes
The course_allowed_modules table would be changed. At the moment it just has columns (id, course (int), module (int)). This would be changed to (id, courseid (int), module (char), allowed (int)).
- courseid is renamed from course to match the coding guidelines.
- module is changed to be the module name (forum, quiz, ...) because that is more self-explanatory, and easier for backup and restore.
- allowed is a new column that contains +1 or -1. It stores the per-course setting, but there is now only a row here where the setting in the course is explicitly Allow or Disallow, not Default. Therefore, we are only storing exceptions to the site-wide policy.
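The lookup this schema implies, as an added example in plain PHP that is not Moodle's own code. The function names, the four site-wide state names, the mapping of +1 to Allow and -1 to Disallow, and the sample rows are assumptions; only the two capability names and the table columns come from this page.

```php
<?php
// Added illustration, not Moodle code. Site-wide state names are assumed; the
// page names only the two fixed ones.
const SITE_ALWAYS      = 'always';      // "Can be added to any course"
const SITE_NEVER       = 'never';       // "Cannot be added to any course"
const SITE_DEFAULT_ON  = 'default_on';  // assumed: allowed unless a course says no
const SITE_DEFAULT_OFF = 'default_off'; // assumed: disallowed unless a course says yes

/**
 * $exceptions: rows shaped like the proposed course_allowed_modules table;
 * allowed is assumed to be +1 for Allow and -1 for Disallow, no row = Default.
 * $usercaps: capability names the user holds in the course (constructed input).
 */
function can_add_module(string $module, int $courseid, array $sitepolicy,
        array $exceptions, array $usercaps): bool {
    // Assumption: "Add any activity" bypasses both site and course restrictions.
    if (in_array('moodle/course:adddisallowedmodules', $usercaps, true)) {
        return true;
    }
    // Assumption: a module with no site-wide setting is refused (fail closed).
    $policy = $sitepolicy[$module] ?? SITE_NEVER;
    if ($policy === SITE_ALWAYS || $policy === SITE_NEVER) {
        return $policy === SITE_ALWAYS; // fixed states ignore per-course rows
    }
    foreach ($exceptions as $row) {
        if ($row['courseid'] === $courseid && $row['module'] === $module) {
            return $row['allowed'] === 1; // explicit Allow / Disallow
        }
    }
    return $policy === SITE_DEFAULT_ON; // no row: follow the site default
}

// Constructed sample data: course 7 has two exceptions, course 8 has none.
$site = ['forum' => SITE_ALWAYS, 'quiz' => SITE_DEFAULT_ON,
         'scorm' => SITE_DEFAULT_OFF, 'chat' => SITE_NEVER];
$rows = [['courseid' => 7, 'module' => 'quiz',  'allowed' => -1],
         ['courseid' => 7, 'module' => 'scorm', 'allowed' => 1]];

function report(string $label, array $site, array $rows, array $caps): void {
    foreach (array_keys($site) as $m) {
        foreach ([7, 8] as $c) {
            $ok = can_add_module($m, $c, $site, $rows, $caps) ? 'yes' : 'no';
            printf("%s: %s in course %d -> %s\n", $label, $m, $c, $ok);
        }
    }
}
report('teacher', $site, $rows, []);
report('manager', $site, $rows, ['moodle/course:adddisallowedmodules']);
$site['quiz'] = SITE_DEFAULT_OFF; // admin changes the site-wide policy later
report('teacher after change', $site, $rows, []);
```

Because only exceptions are stored, the last report shows course 8, which has no row, picking up the changed site-wide default while course 7 keeps its stored exception.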
Upgrade
We need to convert the existing settings to the new settings. I think this is doable.
Knock-on effects on the rest of the code
Searching for 'course_allowed_module', which finds both the table name and the name of the key API function, only returns 15 hits, so it looks like this will be a surprisingly simple change to implement.

