Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-66034

Log role changes in more detail

XMLWordPrintable

    • MOODLE_37_STABLE
    • MOODLE_38_STABLE
    • MDL-66034-master
    • Hide
      Setup
      1. You’ll need to be logged in as admin.
      2. Open two separated browser windows:
        • Window 1 - Open Site administration > Users > Permissions > Define roles
        • Window 2 - Open Site administration > Reports > Live logs
      3. On window 1, add a new role so we can use it for testing.
      Testing role updated event
      1. On window 1, pick that role and click in the cog icon.
      2. Change the name and description of that role and click Save changes button.
      3. On window 2 confirm that Role updated event has been triggered.
      4. Click in the Role updated and confirm it takes you to Define roles page.
      Testing capability assigned event
      1. On window 1 go back to Define roles page and edit that role again.
      2. Scroll down and pick one capability that is Not set and change it to Allow and save.
      3. On window 2, refresh the page and confirm the Capability assigned event has been triggered.
        • The event description should look like “The user id id '2' changed the 'block/admin_bookmarks:myaddinstance' capability permission for role '1' from '0' to '1'”.
      Testing capability unassigned event
      1. On window 1 go back to Define roles page and edit that role again.
      2. Scroll down and pick one capability that is Allow and change it to Not set and save.
      3. On window 2, refresh the page and confirm the Capability unassigned event has been triggered.
        • The event description should look like “The user id id '2' has unassigned the 'block/admin_bookmarks:myaddinstance' capability permission for role '1'”.
      Testing "Allow role assignments" events
      1. On window 1 go back to Define roles page, but this time click on Allow role assignments tab.
      2. Tick a couple of checkboxes, can be any role to any role.
      3. On window 2, refresh the page and confirm the Allow role assignment event has been triggered.
        • The event description should look like “The user with id '2' allowed role assignments to role '4' for 5”.
      4. Click in the Allow role assignment and confirm it takes you back to Allow role assignments page.
      5. On window 1 go back to Define roles page and edit any role again.
      6. Find Allow role assignments field, press and hold Ctrl and click in a role that is not selected yet.
      7. Click Save changes button.
      8. On window 2, refresh the page and confirm the Allow role assignment event has been triggered.
        • The event description should look like “The user with id '2' allowed role assignments to role '4' for 5”.
      Testing "Allow role overrides" events
      1. On window 1 go back to Define roles page, but this time click on Allow role overrides tab.
      2. Tick a couple of checkboxes, can be any role to any role.
      3. On window 2, refresh the page and confirm the Allow role override event has been triggered.
        • The event description should look like “The user with id '2' updated Allow role override to role '1' for 8”.
      4. Click in the Allow role override and confirm it takes you back to Allow role overrides page.
      5. On window 1 go back to Define roles page and edit any role again.
      6. Find Allow role overrides field, press and hold Ctrl and click in a role that is not selected yet.
      7. Click Save changes button.
      8. On window 2, refresh the page and confirm the Allow role overrides event has been triggered.
        • The event description should look like “The user with id '2' allowed role override to role '4' for 5”.
      Testing "Allow role switches" events
      1. On window 1 go back to Define roles page, but this time click on Allow role switches tab.
      2. Tick a couple of checkboxes, can be any role to any role.
      3. On window 2, refresh the page and confirm the Allow role switch event has been triggered.
        • The event description should look like “The user with id '2' allowed role switch to role '4' for 5”.
      4. Click in the Allow role switch and confirm it takes you back to Allow role switches page.
      5. On window 1 go back to Define roles page and edit any role again.
      6. Find Allow role switches field, press and hold Ctrl and click in a role that is not selected yet.
      7. Click Save changes button.
      8. On window 2, refresh the page and confirm the Allow role switches event has been triggered.
        • The event description should look like “The user with id '2' allowed role switches to role '4' for 5”.
      Testing "Allow role to view" events
      1. On window 1 go back to Define roles page, but this time click on Allow role to view tab.
      2. Tick a couple of checkboxes, can be any role to any role.
      3. On window 2, refresh the page and confirm the Allow role to view event has been triggered.
        • The event description should look like “The user with id '2' allowed role to view to role '4' for 5”.
      4. Click in the Allow role to view and confirm it takes you back to Allow role to view page.
      5. On window 1 go back to Define roles page and edit any role again.
      6. Find Allow role to view field, press and hold Ctrl and click in a role that is not selected yet.
      7. Click Save changes button.
      8. On window 2, refresh the page and confirm the Allow role to view event has been triggered.
        • The event description should look like “The user with id '2' allowed role to view to role '4' for 5”.
      Show
      Setup You’ll need to be logged in as admin. Open two separated browser windows: Window 1 - Open Site administration > Users > Permissions > Define roles Window 2 - Open Site administration > Reports > Live logs On window 1 , add a new role so we can use it for testing. Testing role updated event On window 1 , pick that role and click in the cog icon. Change the name and description of that role and click Save changes button. On window 2 confirm that Role updated event has been triggered. Click in the Role updated and confirm it takes you to Define roles page. Testing capability assigned event On window 1 go back to Define roles page and edit that role again. Scroll down and pick one capability that is Not set and change it to Allow and save. On window 2 , refresh the page and confirm the Capability assigned event has been triggered. The event description should look like “The user id id '2' changed the 'block/admin_bookmarks:myaddinstance' capability permission for role '1' from '0' to '1'”. Testing capability unassigned event On window 1 go back to Define roles page and edit that role again. Scroll down and pick one capability that is Allow and change it to Not set and save. On window 2 , refresh the page and confirm the Capability unassigned event has been triggered. The event description should look like “The user id id '2' has unassigned the 'block/admin_bookmarks:myaddinstance' capability permission for role '1'”. Testing "Allow role assignments" events On window 1 go back to Define roles page, but this time click on Allow role assignments tab. Tick a couple of checkboxes, can be any role to any role. On window 2 , refresh the page and confirm the Allow role assignment event has been triggered. The event description should look like “The user with id '2' allowed role assignments to role '4' for 5”. Click in the Allow role assignment and confirm it takes you back to Allow role assignments page. On window 1 go back to Define roles page and edit any role again. Find Allow role assignments field, press and hold Ctrl and click in a role that is not selected yet. Click Save changes button. On window 2 , refresh the page and confirm the Allow role assignment event has been triggered. The event description should look like “The user with id '2' allowed role assignments to role '4' for 5”. Testing "Allow role overrides" events On window 1 go back to Define roles page, but this time click on Allow role overrides tab. Tick a couple of checkboxes, can be any role to any role. On window 2 , refresh the page and confirm the Allow role override event has been triggered. The event description should look like “The user with id '2' updated Allow role override to role '1' for 8”. Click in the Allow role override and confirm it takes you back to Allow role overrides page. On window 1 go back to Define roles page and edit any role again. Find Allow role overrides field, press and hold Ctrl and click in a role that is not selected yet. Click Save changes button. On window 2 , refresh the page and confirm the Allow role overrides event has been triggered. The event description should look like “The user with id '2' allowed role override to role '4' for 5”. Testing "Allow role switches" events On window 1 go back to Define roles page, but this time click on Allow role switches tab. Tick a couple of checkboxes, can be any role to any role. On window 2 , refresh the page and confirm the Allow role switch event has been triggered. The event description should look like “The user with id '2' allowed role switch to role '4' for 5”. Click in the Allow role switch and confirm it takes you back to Allow role switches page. On window 1 go back to Define roles page and edit any role again. Find Allow role switches field, press and hold Ctrl and click in a role that is not selected yet. Click Save changes button. On window 2 , refresh the page and confirm the Allow role switches event has been triggered. The event description should look like “The user with id '2' allowed role switches to role '4' for 5”. Testing "Allow role to view" events On window 1 go back to Define roles page, but this time click on Allow role to view tab. Tick a couple of checkboxes, can be any role to any role. On window 2 , refresh the page and confirm the Allow role to view event has been triggered. The event description should look like “The user with id '2' allowed role to view to role '4' for 5”. Click in the Allow role to view and confirm it takes you back to Allow role to view page. On window 1 go back to Define roles page and edit any role again. Find Allow role to view field, press and hold Ctrl and click in a role that is not selected yet. Click Save changes button. On window 2 , refresh the page and confirm the Allow role to view event has been triggered. The event description should look like “The user with id '2' allowed role to view to role '4' for 5”.
    • 1
    • Internationals - 3.8 Sprint 2, Internationals - 3.8 Sprint 3, Internationals - 3.8 Sprint 4

      The Danish Data Privacy Agency has due a privacy incident where a role misconfigured (which gave students access to too much data) expressed their criticism on Moodle. 

      Currently Moodle only logs the following on a role change:

      The Privacy Agency har criticized that it is not logged what the actual change in the role was, hence making it impossible to detect when the misconfiguration occurred. 

      Furthermore this is logged in the normal moodle-log which automatically rolls over  - I think standard is 90 days or so.

      We propose that role changes on system level are logged in the config-log and that the normal role-change is expanded.

      Furthermore role-overrides needs to be logged in more detail as well.  

        1. 3.png
          3.png
          308 kB
        2. 2.png
          2.png
          298 kB
        3. 1.png
          1.png
          142 kB

            lameze Simey Lameze
            tuekorsgaard Tue Korsgaard
            Mathew May Mathew May
            Andrew Lyons Andrew Lyons
            Janelle Barcega Janelle Barcega
            Votes:
            6 Vote for this issue
            Watchers:
            15 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 1 week, 2 days, 2 hours
                1w 2d 2h

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.