Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-11451

Exporting grades with a key may accidently publish the URL


    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.9
    • Fix Version/s: 1.9
    • Component/s: Gradebook
    • Labels:
    • Affected Branches:
    • Fixed Branches:


      At the New Zealand Moodle Moot, Martin demonstrated a way to publish grades using a special URL which contains a secret key encoded in it. Giving the URL to other people gives them access to the grades.

      Since grades are quite sensitive, it becomes a security problem when they are exposed accidently to third parties.

      Here are two scenarios where this URL could become public:

      1- The user bookmarks it and is using a community bookmarking system like del.icio.us Other users of that system may now find it, but Google can also index it.

      2- Windows users sometime have "download accelerators" which report to a central server what URLs people are downloading. There have been cases where these URLs are then shared with the public, for example in "top 10" lists or "current downloads".

      Therefore, I think the potential for users unknowingly sharing their grades is real.

      One way, this could be mitigated is to split this into two pieces of information:

      • a secret key
      • a page where the user goes and where they need to enter the secret key and press submit.

        Gliffy Diagrams



            • Votes:
              0 Vote for this issue
              0 Start watching this issue


              • Created:
                Fix Release Date: