Moodle / MDL-35429

Correct the permissions required to download and restore course automated backups

    Details

    • Testing Instructions:

      Setup

      As an admin user:

      1. Fresh install is required!
      2. Create a course and enrol a manager, a teacher and a student. Please make sure you do this on a fresh install so that the default capabilities for both roles are guaranteed.
      3. Go to admin settings -> automated backup setup
      4. Set:
        • 'Active' to 'Enabled'.
        • 'Automated backup storage' to 'Course backup filearea'
        • 'Max number of backups kept' to 'All'
        • 'Skip courses not modified since' to 'Never'
        • Schedule for the current day (the schedule and execute at settings), and the next 5 minute time period. If you schedule this for a past time, it won't run until the following week, so make sure it's definitely in the future, preferably within a few minutes time.
      5. Now, go to Admin settings -> Scheduled tasks
      6. For the automated backups task, click 'run now' when the time reaches your scheduled time.
      7. You'll see some output - check this. If the scheduled time for automated backups has not yet passed, you'll need to wait until the time is reached and run again. Make sure you see the course backups processing.
      8. Go into the course and go to 'Restore'. Make sure you see the automated backup in the 'Automated backups' file area at the bottom. If you don't, reschedule and run in another few minutes until you do see the backup file.
      9. Log out.

      As the Manager:

      1. Log in and go to the course restore page.
      2. Verify you can download the automated backup file.
      3. Click the 'Restore' link next to it.
      4. Continue with a 'merge into existing course' restore and confirm that this runs to completion. No errors expected here.

      As the teacher:

      1. Log in and go to the course restore page.
      2. Verify you don't see:
        • A link to download the automated backup file or
        • A button below the automated backup files titled 'Manage backup files'
      3. Click the 'Restore' link next to it.
      4. Continue with a 'merge into existing course' restore and confirm that:
        • You aren't permitted to restore user info.
        • The restore runs to completion.
      5. Now, as an admin, edit the teacher role and set 'moodle/restore:userinfo' to 'Allow' and save.
      6. Log in again as the teacher and go to the course restore page again.
      7. Verify you can now see:
        • A link to download the automated backup file and
        • A button below the automated backup files titled 'Manage backup files'
      8. Click 'Download' and confirm you get the file.
      9. Click 'Manage files' and confirm you are taken to a new page where you can download and delete the file. Don't delete it.
      10. Stay on this page as the teacher.
      11. Open another browser session and log in as admin. Remove the 'moodle/restore:userinfo' capability from the teacher role ('Not set' will be fine).
      12. Now, back on the teacher session, refresh the page and verify you see a message stating 'Sorry, but you do not currently have permissions to do that (Download backup files)'
      13. On the admin session, unset the 'moodle/restore:viewautomatedfilearea' capability for the teacher role and save.
      14. Now, on the teacher session, go back to the course restore page and verify you don't see the 'Restore' link next to the automated backup file.
    • Workaround:
      Using the Automated backups area 'Manage backup files' button does allow the teacher to download the automated backup.

    • Affected Branches:
      MOODLE_22_STABLE, MOODLE_34_STABLE
    • Fixed Branches:
      MOODLE_34_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-35429-master
    • Sprint:
      3.4 Sprint 5

      Description

      The main problems originally reported on this issue:

      1. Incorrect capability ('moodle/site:config') used to control downloading of automated course backups. Teachers are unable to download these files.
      2. Teachers are unable to restore automated backup files. The capability 'moodle/restore:viewautomatedfilearea' exists, but was badly labelled and not set by default for teachers or managers.

      The restore page and its associated capabilities have a number of nuances described in detail in this comment. In summary, what this issue aims to achieve is restricted to the 'automated' backup file area, and is as follows:

      1. Do not change anything in stable branches. Users can already download backup files via the 'Manage backup files' page here and can restore if granted the 'moodle/restore:viewautomatedfilearea' capability.
      2. Allow downloading of automated backups by checking 2 capabilities ('moodle/backup:downloadfile' and 'moodle/restore:userinfo'), instead of the erroneous 'site:config' check. Please read the linked comment for details on why 'downloadfile' is not sufficient.
      3. Allow management of automated backup files (the 'Manage backup files' button and page) using the same two capabilities mentioned above.
      4. Ensure teachers cannot download automated backup files by default. They will need to be given the restore:userinfo capability to do this.
      5. Allow teachers and managers to restore automated backups by default on new installs.
      6. Remove the links to 'download' and 'restore' automated backup files when the user does not have the respective capability.
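
      The access rules listed above, written out as an executable decision table. This is an added example, not Moodle code or part of the original issue: the capability names come from the issue, while the role sets and function names are assumptions constructed from the testing instructions.

```python
# Model of the automated-backup access rules described in this issue.
# Not Moodle code: capability names are from the issue; the role sets
# below are constructed from the testing instructions (assumed defaults).
DOWNLOAD = "moodle/backup:downloadfile"
USERINFO = "moodle/restore:userinfo"
VIEW_AUTO = "moodle/restore:viewautomatedfilearea"
SITE_CONFIG = "moodle/site:config"

ROLES = {  # constructed sample roles for a fresh install after the fix
    "manager": {DOWNLOAD, USERINFO, VIEW_AUTO},
    "teacher": {DOWNLOAD, VIEW_AUTO},
    "student": set(),
}

def can_download_old(caps):
    """Pre-fix check: only the erroneous site-level capability counted."""
    return SITE_CONFIG in caps

def can_download(caps):
    """Post-fix check: both capabilities are required, neither alone suffices."""
    return {DOWNLOAD, USERINFO} <= caps

def automated_area_view(caps):
    """What the restore page should offer for the automated backup area."""
    download = can_download(caps)
    return {
        "download_link": download,
        "manage_button": download,       # gated by the same two capabilities
        "restore_link": VIEW_AUTO in caps,
        "restore_user_info": USERINFO in caps,
    }

def scenarios():
    """The role states walked through in the testing instructions."""
    teacher = ROLES["teacher"]
    return {
        "manager": automated_area_view(ROLES["manager"]),
        "teacher_default": automated_area_view(teacher),
        "teacher_plus_userinfo": automated_area_view(teacher | {USERINFO}),
        "teacher_minus_viewauto": automated_area_view(teacher - {VIEW_AUTO}),
        "student": automated_area_view(ROLES["student"]),
    }

if __name__ == "__main__":
    for name, view in scenarios().items():
        print(f"{name:24}", view)
```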

              People

              • Votes:
                23 Vote for this issue
                Watchers:
                29 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  13/Nov/17