Moodle
  1. Moodle
  2. MDL-16549

Should not be able to remove moodle/site:doanything from the Administrator Role, or add it to other roles

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 1.9.2, 2.0
    • Fix Version/s: 2.0
    • Component/s: Roles / Access, Usability
    • Labels:
      None
    • Affected Branches:
      MOODLE_19_STABLE, MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE

      Description

      It's crazy that you can edit the Administrator role. It's extremely dangerous and can lead the primary administrator to being locked out of their site. I can't think of a situation where (if you wanted a different administrator-like role) that you wouldn't create a new role or a copy of the administrator role. Additionally it should not be possible to unenrol the "primary" administrator from the administrator role.

        Gliffy Diagrams

          Issue Links

            Activity

            Hide
            Eloy Lafuente (stronk7) added a comment -

            My + 100 for this.

            Addressing for Moodle 2.0, assigning to Martin, for his consideration and adding some watchers.

            Show
            Eloy Lafuente (stronk7) added a comment - My + 100 for this. Addressing for Moodle 2.0, assigning to Martin, for his consideration and adding some watchers.
            Hide
            Eloy Lafuente (stronk7) added a comment -

            missed to assign it to Martin, doing it now.

            Show
            Eloy Lafuente (stronk7) added a comment - missed to assign it to Martin, doing it now.
            Hide
            Howard Miller added a comment -

            If I was going to be even more outspoken about this, I think a little work is called for to establish what the options are for these "I locked myself out as administrator" and then some logic should be applied to the admin settings to actively stop you doing it. There are way too many reports in the forums along these lines.

            I actually don't think that any of the "standard" roles should have been editable, but I guess it's too late for that now.

            Show
            Howard Miller added a comment - If I was going to be even more outspoken about this, I think a little work is called for to establish what the options are for these "I locked myself out as administrator" and then some logic should be applied to the admin settings to actively stop you doing it. There are way too many reports in the forums along these lines. I actually don't think that any of the "standard" roles should have been editable, but I guess it's too late for that now.
            Hide
            Martín Langhoff added a comment -

            Maybe a fixup cli script could help?

            > I actually don't think that any of the "standard" roles should have been editable

            that'd be extreme - but admin's "doanything" should be untouchable.

            Show
            Martín Langhoff added a comment - Maybe a fixup cli script could help? > I actually don't think that any of the "standard" roles should have been editable that'd be extreme - but admin's "doanything" should be untouchable.
            Hide
            Petr Skoda added a comment -

            standard roles should be editable imo

            Show
            Petr Skoda added a comment - standard roles should be editable imo
            Hide
            Howard Miller added a comment -

            I'd concede the other roles, but no way should the Admin role be editable. If you want a variation create a copy and edit that. It's just too dangerous.

            I've been working on a script that seems to be helping people - http://cvs.moodle.org/contrib/tools/adminfix/

            Adding to this (see http://moodle.org/mod/forum/discuss.php?d=107139), the admin should not be able to change their own assignment rights either.

            There used to be a rule that you could play around with Moodle and always be able to undo what you did without any damage. I'd really like to see no more admin lock-outs reported in 2.0!

            Show
            Howard Miller added a comment - I'd concede the other roles, but no way should the Admin role be editable. If you want a variation create a copy and edit that. It's just too dangerous. I've been working on a script that seems to be helping people - http://cvs.moodle.org/contrib/tools/adminfix/ Adding to this (see http://moodle.org/mod/forum/discuss.php?d=107139 ), the admin should not be able to change their own assignment rights either. There used to be a rule that you could play around with Moodle and always be able to undo what you did without any damage. I'd really like to see no more admin lock-outs reported in 2.0!
            Hide
            Ron Meske added a comment -

            It would be much appreciated if a patch for previous versions was also made. Is that in the works?

            Show
            Ron Meske added a comment - It would be much appreciated if a patch for previous versions was also made. Is that in the works?
            Hide
            Howard Miller added a comment -

            Ron,

            I think it's still in the works what this might look like.

            I think some of the role configuration settings may also contribute to locking you out, so I need to do some further experimenting to get a definite proposal.

            Show
            Howard Miller added a comment - Ron, I think it's still in the works what this might look like. I think some of the role configuration settings may also contribute to locking you out, so I need to do some further experimenting to get a definite proposal.
            Hide
            Tim Hunt added a comment -

            Actually, perhaps a good solution would be to make it so that it is not possible to edit the permission associated with moodle/site:doanything. That way, admins would always have it, and you would not be able to give it to other roles.

            That seems like a sufficient solution to this issues, and a good idea in general. If people think that is a good idea, feel free to assign this bug to me.

            Show
            Tim Hunt added a comment - Actually, perhaps a good solution would be to make it so that it is not possible to edit the permission associated with moodle/site:doanything. That way, admins would always have it, and you would not be able to give it to other roles. That seems like a sufficient solution to this issues, and a good idea in general. If people think that is a good idea, feel free to assign this bug to me.
            Hide
            Tim Hunt added a comment -

            Actually, before this can be considered finished, we need a database upgrade that:

            1. Deleted any overrides relating to doanything
            2. Ensures that in the role definitions, we have doanything if and only if the role has legacy/admin.

            Show
            Tim Hunt added a comment - Actually, before this can be considered finished, we need a database upgrade that: 1. Deleted any overrides relating to doanything 2. Ensures that in the role definitions, we have doanything if and only if the role has legacy/admin.
            Hide
            Petr Skoda added a comment -

            1/ doanything was not overridable in 1.8.x, it was always tested first before any other cap test - I suppose it was not overridable - my +1 for removing override support for doanything from 2.0 if there
            2/ I do not like this idea - legacy admin should mean nothing, I always thought that the real admin should only have doanything and nothing else which eliminates the legacy admin completely

            Show
            Petr Skoda added a comment - 1/ doanything was not overridable in 1.8.x, it was always tested first before any other cap test - I suppose it was not overridable - my +1 for removing override support for doanything from 2.0 if there 2/ I do not like this idea - legacy admin should mean nothing, I always thought that the real admin should only have doanything and nothing else which eliminates the legacy admin completely
            Hide
            Petr Skoda added a comment -

            I suppose the main reason why people are so "creative" with doanything capability is that they try to workaround the problems with course:view - there is no easy way to let ppl enter and/or administer course in stealth mode (not being members of that course, visible by students) - so again, long standing entrolment trouble

            Show
            Petr Skoda added a comment - I suppose the main reason why people are so "creative" with doanything capability is that they try to workaround the problems with course:view - there is no easy way to let ppl enter and/or administer course in stealth mode (not being members of that course, visible by students) - so again, long standing entrolment trouble
            Hide
            Tim Hunt added a comment -

            Well, I agree that the whole legacy role type thing, as currently presented in the UI, does not make any sense. However, if you think of it just as a mechanism for initialising roles to sensible defaults, then it is not so bad. I guess that is how I think about it, which is why I think 2. is the best thing to do.

            Show
            Tim Hunt added a comment - Well, I agree that the whole legacy role type thing, as currently presented in the UI, does not make any sense. However, if you think of it just as a mechanism for initialising roles to sensible defaults, then it is not so bad. I guess that is how I think about it, which is why I think 2. is the best thing to do.

              People

              • Votes:
                6 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: