-
Improvement
-
Resolution: Fixed
-
Minor
-
3.4.3, 3.5, 3.6, 3.7, 3.8
-
MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE
-
MOODLE_39_STABLE
-
MDL-62815_mod_lti -
One of our partner universities found a major data protection problem with Moodle in connection to LTI.
They want to prevent the creation of unsanctioned external services through the external tools LTI.
When a tool is pre-configured globally it is possible to define whether it appears separately (from the standard external tool activity) as a selectable activity on the activity selector when editing a course.
Currently, access to preconfigured "external activities" cannot be restricted to specific roles with course editing capability. If this were possible, data security for all activities would be under the control of the administrators.
Therefore, the restriction needs to be applied to "editing" tutor roles, who can already manage activities on courses.
As of now, only mod/lti:addcoursetool and mod/lti:addinstance are used to control adding the tool, if both are allowed, the user can add any type of tool to the course.
A possible solution to this problem would be:
- The ability to add an instance of the external tool to their courses BUT only if a tool is configured globally to be shown in the activity chooser
- Not have the ability to configure a new pre-configured tool OR re-configure a tool instance when they have added an External tool activity to a course
We have provided a patch for this solution, which we would like to contribute.