Moodle

Errors in FERPA compliant setup: fixes included

Details

  • Type: Bug Bug
  • Status: Open Open
  • Priority: Minor Minor
  • Resolution: Unresolved
  • Affects Version/s: 1.5, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.7, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.8, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.9
  • Fix Version/s: 2.0.8
  • Component/s: Course, General, Gradebook, Other, Roles / Access
  • Labels:
    None
  • Environment:
    ALL
  • Database:
    Any
  • Affected Branches:
    MOODLE_15_STABLE, MOODLE_16_STABLE, MOODLE_17_STABLE, MOODLE_18_STABLE, MOODLE_19_STABLE
  • Fixed Branches:
    MOODLE_20_STABLE

Description

Ok, these problems affect Moodle when denying access to view user profiles and view hidden details (creating a FERPA compliant setup).

The following areas still linked to profiles when in FERPA complaint mode:
participants > full profile in more detailed mode
participants > all images linked to profiles
gradebooks grader report > all names linked to full profiles
tabs > profile tab existed

clicking on any of these generates an annoying error.

Here are the fixes I came up with:

user/tabs.php

around line 92
$context = get_context_instance(CONTEXT_SYSTEM);
if ($user->id == $USER->id or has_capability('moodle/user:viewdetails', $context, NULL)) { $toprow[] = new tabobject('profile', $CFG->wwwroot.'/user/view.php?id='.$user->id.'&course='.$course->id, get_string('profile')); }

instead of
$toprow[] = new tabobject('profile', $CFG->wwwroot.'/user/view.php?id='.$user->id.'&course='.$course->id, get_string('profile'));

lib/weblib.php

around line 4309
$context = get_context_instance(CONTEXT_SYSTEM);
if ($link && ($user->id == $USER->id or has_capability('moodle/user:viewdetails', $context, NULL))) {

instead of
if ($link)

around line 4486
if ($user->id == $USER->id or has_capability('moodle/user:viewdetails', $context, NULL)) { $output .= '<a href="'. $CFG->wwwroot .'/user/view.php?id='. $user->id .'&course='. $course->id .'">'. $string->fullprofile .'...</a>'; }

instead of
$output .= '<a href="'. $CFG->wwwroot .'/user/view.php?id='. $user->id .'&course='. $course->id .'">'. $string->fullprofile .'...</a>';

grade/report/grader/lib.php

around line 685
$context = get_context_instance(CONTEXT_SYSTEM);
if ($user->id == $USER->id or has_capability('moodle/user:viewdetails', $context, NULL)) { $link = '<a href="'.$CFG->wwwroot.'/user/view.php?id='.$user->id.'&course='.$this->course->id.'">'.fullname($user).'</a>'; }
else { $link = fullname($user); }
$studentshtml .= '<tr class="r'.$this->rowcount++ . $row_classes[$this->rowcount % 2] . '">'
.'<th class="header c'.$columncount++.' user" scope="row" onclick="set_row(this.parentNode.rowIndex);">'.$user_pic
.$link.'</th>';

instead of
$studentshtml .= '<tr class="r'.$this->rowcount++ . $row_classes[$this->rowcount % 2] . '">'
.'<th class="header c'.$columncount++.' user" scope="row" onclick="set_row(this.parentNode.rowIndex);">'.$user_pic
.<a href="'.$CFG->wwwroot.'/user/view.php?id='.$user->id.'&course='
.$this->course->id.'">'.fullname($user).'</a></th>';

These changes do not affect anyone not running in FERPA mode and make FERPA mode work SOOOOO much better.

Issue Links

This issue has been marked as being related by:
MDL-17219 Privacy improvements project ideas for 2.0 Minor Open

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Martin Dougiamas added a comment -

These look good, Robert, thanks, will get them in today.

Show
Martin Dougiamas added a comment - These look good, Robert, thanks, will get them in today.
Hide
Permalink
Martin Dougiamas added a comment -

A couple of things as I'm going through.

Don't check just the SYSTEM context, correctly we need to test the course and user contexts.

And man, FERPA sucks.

Show
Martin Dougiamas added a comment - A couple of things as I'm going through. Don't check just the SYSTEM context, correctly we need to test the course and user contexts. And man, FERPA sucks.
Hide
Permalink
Robert Russo added a comment - - edited

Also...

function print_user_picture($user, $courseid, $picture=NULL, $size=0, $return=false, $link=true, $target='', $alttext=true) {
global $CFG, $HTTPSPAGEREQUIRED;

should be:

function print_user_picture($user, $courseid, $picture=NULL, $size=0, $return=false, $link=true, $target='', $alttext=true) {
global $CFG, $HTTPSPAGEREQUIRED, $USER;

We are fixing the context issues as well.

And Ferpa does suck.

Show
Robert Russo added a comment - - edited Also... function print_user_picture($user, $courseid, $picture=NULL, $size=0, $return=false, $link=true, $target='', $alttext=true) { global $CFG, $HTTPSPAGEREQUIRED; should be: function print_user_picture($user, $courseid, $picture=NULL, $size=0, $return=false, $link=true, $target='', $alttext=true) { global $CFG, $HTTPSPAGEREQUIRED, $USER; We are fixing the context issues as well. And Ferpa does suck.
Hide
Permalink
Martin Dougiamas added a comment -

We're going to have to push this to a later release. The problem is that there a lot more than these fixes to make. There are 100 places or so where user names are printed as links to the profile. The best way to fix all this mess properly is to make a function to create the links, and call that function everywhere. This is just a bit too much work for us for 1.9 though and a bit late in the game.

So pushing this to 2.0

Show
Martin Dougiamas added a comment - We're going to have to push this to a later release. The problem is that there a lot more than these fixes to make. There are 100 places or so where user names are printed as links to the profile. The best way to fix all this mess properly is to make a function to create the links, and call that function everywhere. This is just a bit too much work for us for 1.9 though and a bit late in the game. So pushing this to 2.0
Hide
Permalink
Martin Dougiamas added a comment -

If someone comes up with a neat patch for 1.9.1 I'd certainly consider it.

Show
Martin Dougiamas added a comment - If someone comes up with a neat patch for 1.9.1 I'd certainly consider it.
Hide
Permalink
Martin Dougiamas added a comment -

A patch I didn't apply to 1.9 yet

Show
Martin Dougiamas added a comment - A patch I didn't apply to 1.9 yet
Hide
Permalink
Robert Russo added a comment -

Martin,

This is on our (albeit long) development schedule. We will make sure it works in 1.9 and 2.0 and when it is done we'll get the updates to you.

The idea is to create a function for the links and call it everywhere links are created, but we also want to go a few steps further and include hooks for FERPA/Buckley holds, and allow instructors to see student profiles almost as they are now (except for other courses with is the whole reason for the FERPA work anyway).

We would also like to add in a configuration area where students could select who can see what and if they allow everyone to see everything, then their links would exist. The admin would set the defaults.

We need to also add Classification, School Year (jr, sr, etc..), idnumber, and Credit Hours to the system.

I think this solution would solve any international privacy laws.

Right now our timeframe is up in the air due to our other Moodle development. Thanks for all the great work.

Show
Robert Russo added a comment - Martin, This is on our (albeit long) development schedule. We will make sure it works in 1.9 and 2.0 and when it is done we'll get the updates to you. The idea is to create a function for the links and call it everywhere links are created, but we also want to go a few steps further and include hooks for FERPA/Buckley holds, and allow instructors to see student profiles almost as they are now (except for other courses with is the whole reason for the FERPA work anyway). We would also like to add in a configuration area where students could select who can see what and if they allow everyone to see everything, then their links would exist. The admin would set the defaults. We need to also add Classification, School Year (jr, sr, etc..), idnumber, and Credit Hours to the system. I think this solution would solve any international privacy laws. Right now our timeframe is up in the air due to our other Moodle development. Thanks for all the great work.

People

Vote (3)
Watch (4)

Dates

  • Created:
    Updated:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Moodle. Try JIRA - bug tracking software for your team.