Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-43819

Access Controls for Email Authentication



    • Type: New Feature
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.3.3, 3.4
    • Fix Version/s: None
    • Component/s: Authentication
    • Labels:
    • Affected Branches:


      Add further granularity for the signup.php page. Not the whole site (IP blocker already does this).

      My organization has a mandate to allow self-registered Moodle accounts and to not block any email domains. Disabling self-registration is not an option at any time. Enabling the reCAPTCHA has offered only a slight deterrent to the creation of spam accounts. Moodle needs a better solution to protect against the creation of spam accounts and I would like to further the discussion towards proposing a solution.

      I am already using geoip to allow only IPs from within Canada to access signup.php on my server (in conjunction with the Moodle IP blocker to prevent access from known spam networks within Canada). This approach has proven effective to mitigate creation of new spam accounts, while continuing to allow our existing learners to access Moodle even while vacationing outside the country.

      In my experience, selectively geoblocking the signup.php page signficantly reduces the creation of bogus spam accounts. Integrating this functionality within Moodle rather than at the web server config would make this solution more available to a wider audience of Moodle users.

      See the discussion and my solution here:

      criteria / functionality:

      • Add server checks for working geoip.dat or other necessary pre-requisites in Server > Environment ?
      • Geoip.dat (geoipfile setting) already gets checked within Location > Location Settings.
      • Moodle already uses country code list similar to (subset of?) the ISO 3166 used by geoip, so this would seem to be a suitable fit.

      These additional settings should probably be located within Plugins > Authentication > Email-based self-registration:

      Checkbox - "Use Geoblocking feature to allow email registration from only selected countries" (unchecked by default)

      Multiple select box with list of countries - a smart / nice feature would be to have the Default Country from the Location Settings selected automatically?

      Checkbox - "Block email registration from localized private networks" (i.e. RFC1918 address space, unchecked by default)" - This may be useful for encouraging internal users to use their existing LDAP accounts, rather than signing up for a new Moodle account via email.

      Textbox - Message for Blocked Email Registration - When attempting to access signup.php, all / any blocked IP addresses view a message that is set by Admin via a textbox (similar to Maintenance Message while Moodle is in Maintenance Mode). E.g. "Your IP has been denied from viewing this page. Please sign in using your existing LDAP credentials instead".




            Unassigned Unassigned
            flatlander Greg Padberg
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan
            4 Vote for this issue
            7 Start watching this issue