Bug
Resolution: Fixed
Major
3.7
MOODLE_37_STABLE
MOODLE_38_STABLE
MDL-66034-master
1
Internationals - 3.8 Sprint 2, Internationals - 3.8 Sprint 3, Internationals - 3.8 Sprint 4
The Danish Data Privacy Agency has, due to a privacy incident where a role was misconfigured (which gave students access to too much data), expressed their criticism of Moodle.
Currently Moodle only logs the following on a role change:
The Privacy Agency has criticized that it is not logged what the actual change in the role was, hence making it impossible to detect when the misconfiguration occurred.
Furthermore this is logged in the normal moodle-log which automatically rolls over - I think standard is 90 days or so.
We propose that role changes on system level are logged in the config-log and that the normal role-change is expanded.
Furthermore, role overrides need to be logged in more detail as well.
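
The kind of per-capability change record the report asks for, shown as an added PHP example that is neither Moodle's own code nor the fix for this issue. The function name, record fields, and the sample role, context, and user ids are assumptions; the permission values follow Moodle's CAP_INHERIT, CAP_ALLOW, CAP_PREVENT and CAP_PROHIBIT constants.

```php
<?php
// Added illustration, not Moodle core code. Permission values mirror Moodle's
// CAP_* constants; the record layout and function name are hypothetical.
const PERMISSION_NAMES = [0 => 'inherit', 1 => 'allow', -1 => 'prevent', -1000 => 'prohibit'];

/**
 * Compare a role's capability => permission map before and after an edit and
 * return one audit entry per capability whose permission changed.
 * A capability missing from a map is treated as "inherit" (0).
 * The same diff applies to a role definition (system context) and to an
 * override in a lower context; only $contextid differs.
 */
function role_capability_changes(int $roleid, int $contextid, array $before, array $after, int $userid, int $time): array {
    $entries = [];
    $capabilities = array_unique(array_merge(array_keys($before), array_keys($after)));
    sort($capabilities);
    foreach ($capabilities as $capability) {
        $old = (int)($before[$capability] ?? 0);
        $new = (int)($after[$capability] ?? 0);
        if ($old === $new) {
            continue; // Unchanged permissions add nothing to the audit trail.
        }
        $entries[] = [
            'time' => $time,
            'userid' => $userid,       // Who made the change.
            'roleid' => $roleid,
            'contextid' => $contextid, // Where the definition or override applies.
            'capability' => $capability,
            'old' => PERMISSION_NAMES[$old] ?? (string)$old,
            'new' => PERMISSION_NAMES[$new] ?? (string)$new,
        ];
    }
    return $entries;
}

// Constructed sample: role id 5 edited in context id 1 by user id 2.
$before = ['moodle/grade:viewall' => 0, 'moodle/user:viewdetails' => 1];
$after  = ['moodle/grade:viewall' => 1, 'moodle/user:viewdetails' => 1, 'moodle/site:viewreports' => 1];

foreach (role_capability_changes(5, 1, $before, $after, 2, 1561975200) as $entry) {
    // One line per changed capability, suitable for a log that is not rotated.
    echo json_encode($entry, JSON_UNESCAPED_SLASHES), PHP_EOL;
}
```

Writing these entries to a store that is not subject to the standard log's retention window is what makes it possible to establish later when a misconfiguration was introduced.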