Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-31789

Teacher can not access a local system file repository in his course.

    Details

    • Database:
      MySQL
    • Testing Instructions:
      Hide

      Test case 1:

      Clean installation Moodle 2.2.1.
      Configure the repositoyr extension with System File repository. And check permission to create a repository folder into a course.
      Create a simple course with one teacher enrol it.
      Create a repository folder into a course.
      Acces Moodle with user teacher into this course. And try to create a file resource.
      Editing form using filepicker to attach a file. In the filepicker teacher can acces a repository folder course.

      Test case 2:

      1. As admin or teacher, open Filepicker inside any course (from TinyMCE or filemanager) and make sure that repository 'Server files' is in the current course folder by default.
      2. As admin enable legacy files in settings
      3. As admin enable Legacy files repository
      4. In one of the courses enable legacy files in settings (last one!)
      5. Add some files to course legacy files
      5. As teacher/admin make sure you can access legacy files in current course from filepicker

      Show
      Test case 1: Clean installation Moodle 2.2.1. Configure the repositoyr extension with System File repository. And check permission to create a repository folder into a course. Create a simple course with one teacher enrol it. Create a repository folder into a course. Acces Moodle with user teacher into this course. And try to create a file resource. Editing form using filepicker to attach a file. In the filepicker teacher can acces a repository folder course. Test case 2: 1. As admin or teacher, open Filepicker inside any course (from TinyMCE or filemanager) and make sure that repository 'Server files' is in the current course folder by default. 2. As admin enable legacy files in settings 3. As admin enable Legacy files repository 4. In one of the courses enable legacy files in settings (last one!) 5. Add some files to course legacy files 5. As teacher/admin make sure you can access legacy files in current course from filepicker
    • Affected Branches:
      MOODLE_22_STABLE, MOODLE_23_STABLE
    • Fixed Branches:
      MOODLE_22_STABLE
    • Pull Master Branch:
      wip-MDL-31789-master

      Description

      In Moodle 2.2.1+ latest stable release a teacher can access into filepicker in a local system file repository in his course.
      Moodle 2.2.1+ (Build: 20120223)

        Gliffy Diagrams

        1. Repository.odt
          657 kB
          Beverley Booker
        1. moodle221repository.png
          92 kB

          Issue Links

            Activity

            Hide
            cescobedo Carlos Escobedo Orea added a comment -

            Attachments LoginForumView.jmw is wrong, please remove it.

            Show
            cescobedo Carlos Escobedo Orea added a comment - Attachments LoginForumView.jmw is wrong, please remove it.
            Hide
            tsala Helen Foster added a comment -

            Attachment removed as requested.

            Show
            tsala Helen Foster added a comment - Attachment removed as requested.
            Hide
            cescobedo Carlos Escobedo Orea added a comment -

            Thanks a lot Helen.

            Show
            cescobedo Carlos Escobedo Orea added a comment - Thanks a lot Helen.
            Hide
            bevlexi Beverley Booker added a comment -

            There is a discussion on this:

            http://moodle.org/mod/forum/discuss.php?d=195768

            Allowing server file access to authenticated users is a security issue, this is not an acceptable workaround.

            This is a major bug!

            Show
            bevlexi Beverley Booker added a comment - There is a discussion on this: http://moodle.org/mod/forum/discuss.php?d=195768 Allowing server file access to authenticated users is a security issue, this is not an acceptable workaround. This is a major bug!
            Hide
            hwileniu Heikki Wilenius added a comment -

            Agreed, this should be a major issue.

            What are the security risks in allowing system file repository for authenticated users? We are thinking whether to enable this in our 2.2 test install.

            Show
            hwileniu Heikki Wilenius added a comment - Agreed, this should be a major issue. What are the security risks in allowing system file repository for authenticated users? We are thinking whether to enable this in our 2.2 test install.
            Hide
            jleyva Juan Leyva added a comment -

            This seems to be related to:

            http://tracker.moodle.org/browse/MDL-30452

            Show
            jleyva Juan Leyva added a comment - This seems to be related to: http://tracker.moodle.org/browse/MDL-30452
            Hide
            jleyva Juan Leyva added a comment -

            This is what happened:

            • This is stopping current Teachers to use their course levels file system repositories
            • The workaround is:
              • Change the authenticated user's repository/filesystem:view at system level to Allow

            Optional:
            – Change the student's repository/filesystem:view at course level to Not allow
            – Change the teacher's repository/filesystem:view at system level to Not Allow

            The current workaround is just to change permissions and test if it works

            I've talked with Dong (the Repos maintainer) and he is going to perform some tests on this issue, once completed, he'll update this issue

            I'm going to ask to Michael also to raise the priority of this issue

            Show
            jleyva Juan Leyva added a comment - This is what happened: New Moodle versions since January 2012 has the system authenticated user permissions for view file repositories disabled http://tracker.moodle.org/browse/MDL-30452 This is stopping current Teachers to use their course levels file system repositories The workaround is: Change the authenticated user's repository/filesystem:view at system level to Allow Optional: – Change the student's repository/filesystem:view at course level to Not allow – Change the teacher's repository/filesystem:view at system level to Not Allow The current workaround is just to change permissions and test if it works I've talked with Dong (the Repos maintainer) and he is going to perform some tests on this issue, once completed, he'll update this issue I'm going to ask to Michael also to raise the priority of this issue
            Hide
            dongsheng Dongsheng Cai added a comment - - edited

            OK, I figured out, MDL-30452 triggered this issue, but the real problem is the refactor of accesslib.php: MDL-29602.

            context is an object with protected id, level, depth after refactoring, when formlib generated options for filepicker/editor/filemanager using json_encode(), we got an empty object, then no contextid send to filepicker ajax script, when no context id provided, ajax script will assume this is in system context, two solution for this issue:

            1. implement __toString() in context class to dump json string, doesn't look quite nice in this way
            2. Manually construct context object with public properties in formlib, make sure json_encode works as expected
            Show
            dongsheng Dongsheng Cai added a comment - - edited OK, I figured out, MDL-30452 triggered this issue, but the real problem is the refactor of accesslib.php: MDL-29602 . context is an object with protected id, level, depth after refactoring, when formlib generated options for filepicker/editor/filemanager using json_encode(), we got an empty object, then no contextid send to filepicker ajax script, when no context id provided, ajax script will assume this is in system context, two solution for this issue: implement __toString() in context class to dump json string, doesn't look quite nice in this way Manually construct context object with public properties in formlib, make sure json_encode works as expected
            Hide
            rajeshtaneja Rajesh Taneja added a comment -

            Please include testing instructions covering MDL-30869 (Duplicate bug)

            Show
            rajeshtaneja Rajesh Taneja added a comment - Please include testing instructions covering MDL-30869 (Duplicate bug)
            Hide
            marina Marina Glancy added a comment -

            Petr, can you please peer review it.
            This issue is a regression caused by MDL-29602
            Thanks
            Marina

            Show
            marina Marina Glancy added a comment - Petr, can you please peer review it. This issue is a regression caused by MDL-29602 Thanks Marina
            Hide
            skodak Petr Skoda added a comment -

            +1

            Show
            skodak Petr Skoda added a comment - +1
            Hide
            stronk7 Eloy Lafuente (stronk7) added a comment -

            The main moodle.git repository has just been updated with latest weekly modifications. You may wish to rebase your PULL branches to simplify history and avoid any possible merge conflicts. This would also make integrator's life easier next week.

            TIA and ciao

            Show
            stronk7 Eloy Lafuente (stronk7) added a comment - The main moodle.git repository has just been updated with latest weekly modifications. You may wish to rebase your PULL branches to simplify history and avoid any possible merge conflicts. This would also make integrator's life easier next week. TIA and ciao
            Hide
            nebgor Aparup Banerjee added a comment -

            Thanks for this fix Marina.

            This is up for integration testing on MOODLE_22_STABLE and master.

            Show
            nebgor Aparup Banerjee added a comment - Thanks for this fix Marina. This is up for integration testing on MOODLE_22_STABLE and master.
            Hide
            ankit_frenz Ankit Agarwal added a comment -

            Hi,
            I and Apu tried to test it, seems to be working expect a few things:-

            ->"In the file-picker teacher can access a repository folder course." I was able to access the file system repo via the file picker, but it displayed only the files that were uploaded to the folder via the linux file system. All files uploaded via moodle (course>folder res>edit>add) doesn't seem to be present here. I guess that is expected behavior?
            -> We are not sure what exactly am supposed to verify by this "make sure that repository 'Server files' is in the current course folder by default."

            -> If you create a file system repo based on a existing folder on your system. You can see its files if you goto course>folder resources>edit>add>filepicker but when you try to access it from tinymce>insert image> upload image> filepicker , the files donot appear. This seems to be an issue even before the patch.

            Thanks

            Show
            ankit_frenz Ankit Agarwal added a comment - Hi, I and Apu tried to test it, seems to be working expect a few things:- ->"In the file-picker teacher can access a repository folder course." I was able to access the file system repo via the file picker, but it displayed only the files that were uploaded to the folder via the linux file system. All files uploaded via moodle (course>folder res>edit>add) doesn't seem to be present here. I guess that is expected behavior? -> We are not sure what exactly am supposed to verify by this "make sure that repository 'Server files' is in the current course folder by default." -> If you create a file system repo based on a existing folder on your system. You can see its files if you goto course>folder resources>edit>add>filepicker but when you try to access it from tinymce>insert image> upload image> filepicker , the files donot appear. This seems to be an issue even before the patch. Thanks
            Hide
            poltawski Dan Poltawski added a comment -

            These testing instructions are confusing

            All files uploaded via moodle (course>folder res>edit>add) doesn't seem to be present here. I guess that is expected behavior?

            Yes - the filesystem repository only contains files uploaded to the filesystem, it does not interact with moodle files uploads.

            We are not sure what exactly am supposed to verify by this "make sure that repository 'Server files' is in the current course folder by default."

            I think that this means ensure that the server files repository is enabled for the current course.

            If you create a file system repo based on a existing folder on your system. You can see its files if you goto course>folder resources>edit>add>filepicker but when you try to access it from tinymce>insert image> upload image> filepicker , the files donot appear. This seems to be an issue even before the patch.

            Yes, this repository doesn't define 'supported_filetypes' I do not think this testing instruciton is valid and so I think that this can be passed.

            Show
            poltawski Dan Poltawski added a comment - These testing instructions are confusing All files uploaded via moodle (course>folder res>edit>add) doesn't seem to be present here. I guess that is expected behavior? Yes - the filesystem repository only contains files uploaded to the filesystem, it does not interact with moodle files uploads. We are not sure what exactly am supposed to verify by this "make sure that repository 'Server files' is in the current course folder by default." I think that this means ensure that the server files repository is enabled for the current course. If you create a file system repo based on a existing folder on your system. You can see its files if you goto course>folder resources>edit>add>filepicker but when you try to access it from tinymce>insert image> upload image> filepicker , the files donot appear. This seems to be an issue even before the patch. Yes, this repository doesn't define 'supported_filetypes' I do not think this testing instruciton is valid and so I think that this can be passed.
            Hide
            ankit_frenz Ankit Agarwal added a comment -

            Had a talk with Dan and Rajesh...Looks like this issue can be passed now.
            Thanks

            Show
            ankit_frenz Ankit Agarwal added a comment - Had a talk with Dan and Rajesh...Looks like this issue can be passed now. Thanks
            Hide
            nebgor Aparup Banerjee added a comment -

            The code here has been spread to upstream moodle repositories and mirrors for anyone to use .

            Closing, have a good weekend!

            Show
            nebgor Aparup Banerjee added a comment - The code here has been spread to upstream moodle repositories and mirrors for anyone to use . Closing, have a good weekend!
            Hide
            brodock Gabriel Mazetto added a comment -

            convert_to_array messes with valid data.

            For example, it doesn't accept:

            array('first' => array('second'), 'third' => array('second'));

            Please check MDL-35001 for more details.

            Show
            brodock Gabriel Mazetto added a comment - convert_to_array messes with valid data. For example, it doesn't accept: array('first' => array('second'), 'third' => array('second')); Please check MDL-35001 for more details.
            Hide
            siete Jorge Ramos added a comment -

            Hi! We've upgrade 2.2.7 -> 2.2.8 and this bug is suddenly happening, with teacher role we cant access to Server Files nor Legacy Files...

            Can you reopened the issue??

            Show
            siete Jorge Ramos added a comment - Hi! We've upgrade 2.2.7 -> 2.2.8 and this bug is suddenly happening, with teacher role we cant access to Server Files nor Legacy Files... Can you reopened the issue??
            Hide
            schach Heiko Schach added a comment -

            After upgrading from 2.3.4 to 2.3.5 we have received reports from our teachers.
            Adding file from File picker doesn't work as it did before. The user gets an error: "No permission to access this repository."

            Steps to reproduce:
            Log in as teacher
            Turn editing on
            Add a resource... > File
            Content > Select Files > Add...

            Error message: "No permission to access this repository."

            Show
            schach Heiko Schach added a comment - After upgrading from 2.3.4 to 2.3.5 we have received reports from our teachers. Adding file from File picker doesn't work as it did before. The user gets an error: "No permission to access this repository." Steps to reproduce: Log in as teacher Turn editing on Add a resource... > File Content > Select Files > Add... Error message: "No permission to access this repository."
            Hide
            danmarsden Dan Marsden added a comment -

            Hi Jorge, We don't re-open issues when a patch has been submitted/integrated into code - you should create a new bug describing the issues you are having and can add a link back to this bug as a reference.

            Show
            danmarsden Dan Marsden added a comment - Hi Jorge, We don't re-open issues when a patch has been submitted/integrated into code - you should create a new bug describing the issues you are having and can add a link back to this bug as a reference.
            Hide
            fred Frédéric Massart added a comment -

            Hi, I have raised the issue MDL-38474 to take care of that error.

            Show
            fred Frédéric Massart added a comment - Hi, I have raised the issue MDL-38474 to take care of that error.
            Hide
            siete Jorge Ramos added a comment -

            Thank you very much Dan&Fréderic!!

            Show
            siete Jorge Ramos added a comment - Thank you very much Dan&Fréderic!!

              People

              • Votes:
                19 Vote for this issue
                Watchers:
                22 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  14/May/12