Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.9.3
    • Fix Version/s: 1.9.4
    • Component/s: General
    • Labels:
      None
    • Difficulty:
      Difficult
    • Affected Branches:
      MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE
    • Rank:
      33390

      Description

      The idea is to create a new plugin type directory in /admin/. Plugins would be similar to current environment check (XML, strings and some custom code).

      spam overview plugin: it would go through all settings that allow people to spam (like force login for profiles, self registering) and display a list of all potential problems with some detailed description and some links to solutions

      security overview plugin: this would replicate the checks we have in admin/index.php; list all accounts with do anything, verify https cookie security, etc.

      privacy reports: these would be probably country specific because each country or school type is regulated by different laws. There are two possible solutions - either create new plugin for each different type/country or store the report definition as XML in moodledata - the second solution would allow us to download the definitions for central server.
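
      A minimal sketch of the check-list design described above, added here as an illustration; it is not Moodle's code. The setting keys follow Moodle's config names, the status labels and function names are hypothetical, the sample settings are constructed, and PHP 7.4 or later is assumed.

```php
<?php
// Added illustration, not Moodle code; status and function names are hypothetical.
const STATUS_OK = 'ok';
const STATUS_WARNING = 'warning';
const STATUS_SERIOUS = 'serious';

// Each check: id, admin-facing explanation, optional settings link, status closure.
function security_overview_checks(): array {
    return [
        ['id' => 'openprofiles',
         'details' => 'User profiles are visible without logging in, which attracts profile spam.',
         'link' => 'admin/settings.php?section=sitepolicies', // link named in the thread
         'evaluate' => fn(array $cfg) => empty($cfg['forceloginforprofiles']) ? STATUS_WARNING : STATUS_OK],
        ['id' => 'selfregistration',
         'details' => 'Anyone can create an account, so spammers can too.',
         'link' => null, // settings page not given on this page
         'evaluate' => fn(array $cfg) => empty($cfg['registerauth']) ? STATUS_OK : STATUS_WARNING],
        ['id' => 'cookiesecure',
         'details' => 'On an https site the session cookie should be marked secure.',
         'link' => null,
         'evaluate' => function (array $cfg): string {
             if (strncmp($cfg['wwwroot'] ?? '', 'https://', 8) !== 0) {
                 return STATUS_WARNING; // secure cookies need https first
             }
             return empty($cfg['cookiesecure']) ? STATUS_SERIOUS : STATUS_OK;
         }],
    ];
}

// Run every check and return report rows, most severe first.
function run_security_overview(array $cfg): array {
    $rank = [STATUS_OK => 0, STATUS_WARNING => 1, STATUS_SERIOUS => 2];
    $rows = [];
    foreach (security_overview_checks() as $check) {
        $rows[] = ['id' => $check['id'], 'status' => $check['evaluate']($cfg),
                   'details' => $check['details'], 'link' => $check['link']];
    }
    usort($rows, fn($a, $b) => $rank[$b['status']] <=> $rank[$a['status']]);
    return $rows;
}

// Constructed sample settings for a site served over https.
$sample = ['wwwroot' => 'https://moodle.example.edu', 'forceloginforprofiles' => 0,
           'registerauth' => 'email', 'cookiesecure' => 0];
foreach (run_security_overview($sample) as $row) {
    printf("%-8s %-17s %s [%s]\n", $row['status'], $row['id'], $row['details'], $row['link'] ?? 'no link');
}
```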

          Activity

          Tim Hunt added a comment -

          Petr, if you do this, it would be great to incorporate everything from admin/health.php too - your new plugin system should be able to do everything that does and more.

          Would it be better to have a single sort of 'check' plugin, for the sake of simplicity, but have each one choose which reports it wants to be included in as a setting? Or perhaps that is actually more complicated.

          Tim Hunt added a comment -

          Also, note that Dongshen and Martin recently wrote a report for finding spam. I think it is in contrib.

          Petr Škoda added a comment -

          At the moment I am focusing on finding all security/privacy related issues that could arise and are detectable, and writing some explanation that would be easy to understand for the majority of our admins.
          I suppose in 1.9.x it could be released as a hardcoded admin report, but I agree that there should be something more flexible in 2.0 that should also probably replace current health center & admin tests and environment tests.

          Helen Foster added a comment -

          Typo fix

          Helen Foster added a comment -

          Hi Petr,

          Thanks a lot for your security overview report in Moodle 2.0 - it looks really cool!

          Just to recap my comments in the dev chat, I like the way it provides links to change settings easily, however I was wondering whether more descriptive link text could be provided, rather than it always being "Configuration".

          e.g. issue - open user profiles
          Could the link text for admin/settings.php?section=sitepolicies be changed from "Configuration" to "Site policies"?

          PS Hope to have chance to go through the lang file soon, though I doubt much will need changing, as your English is excellent these days!

          Petr Škoda added a comment -

          Now in cvs, please reopen in case of any problems, or file a new feature request.

          Petr Škoda added a comment -

          thanks everybody for feedback and help!

          Tim Hunt added a comment -

          Nice report. Closing.

          Helen Foster added a comment -

          Renaming issue

          Helen Foster added a comment -

          From developer chat:

          David Mudrák: report_security.php :: "Used only default course role." (check_courserole_notyet) - what is this supposed to mean?

          Petr Škoda: it means that setting teacher role as default course role would be very silly for production servers

          nicolasconnault: or Only the default course role is used

          Petr Škoda: I like only the default course role is used

          David Mudrák: Well... How does "check_courserole_notyet" (see above) differ from check_courserole_ok = "Default course role definitions OK." ???

          David Mudrák: Also - see Security overview strings. It is displaying <a href="$a">context</a> while $a points to a role definition. A little bit confusing...

          David Mudrák: Helen - regarding (11:13:30) nicolasconnault: or Only the default course role is used - I propose to word "Only the site default course role is used"

          Helen Foster added a comment -

          Meta issue created for newly reported security overview report issues - MDL-18039


            People

            • Votes: 1
            • Watchers: 4
