  1. Moodle
  2. MDL-66034

Log role changes in more detail


    Details

    • Testing Instructions:
      Setup
      1. You’ll need to be logged in as admin.
      2. Open two separate browser windows:
        • Window 1 - Open Site administration > Users > Permissions > Define roles
        • Window 2 - Open Site administration > Reports > Live logs
      3. On window 1, add a new role so we can use it for testing.
      Testing role updated event
      1. On window 1, pick that role and click on the cog icon.
      2. Change the name and description of that role and click the Save changes button.
      3. On window 2, confirm that the Role updated event has been triggered.
      4. Click on Role updated and confirm it takes you to the Define roles page.
      Testing capability assigned event
      1. On window 1 go back to Define roles page and edit that role again.
      2. Scroll down and pick one capability that is Not set and change it to Allow and save.
      3. On window 2, refresh the page and confirm the Capability assigned event has been triggered.
        • The event description should look like “The user id id '2' changed the 'block/admin_bookmarks:myaddinstance' capability permission for role '1' from '0' to '1'”.
      Testing capability unassigned event
      1. On window 1 go back to Define roles page and edit that role again.
      2. Scroll down and pick one capability that is Allow and change it to Not set and save.
      3. On window 2, refresh the page and confirm the Capability unassigned event has been triggered.
        • The event description should look like “The user id id '2' has unassigned the 'block/admin_bookmarks:myaddinstance' capability permission for role '1'”.
      Testing "Allow role assignments" events
      1. On window 1 go back to Define roles page, but this time click on Allow role assignments tab.
      2. Tick a couple of checkboxes, can be any role to any role.
      3. On window 2, refresh the page and confirm the Allow role assignment event has been triggered.
        • The event description should look like “The user with id '2' allowed role assignments to role '4' for 5”.
      4. Click on Allow role assignment and confirm it takes you back to the Allow role assignments page.
      5. On window 1 go back to Define roles page and edit any role again.
      6. Find the Allow role assignments field, press and hold Ctrl and click on a role that is not selected yet.
      7. Click Save changes button.
      8. On window 2, refresh the page and confirm the Allow role assignment event has been triggered.
        • The event description should look like “The user with id '2' allowed role assignments to role '4' for 5”.
      Testing "Allow role overrides" events
      1. On window 1 go back to Define roles page, but this time click on Allow role overrides tab.
      2. Tick a couple of checkboxes, can be any role to any role.
      3. On window 2, refresh the page and confirm the Allow role override event has been triggered.
        • The event description should look like “The user with id '2' updated Allow role override to role '1' for 8”.
      4. Click on Allow role override and confirm it takes you back to the Allow role overrides page.
      5. On window 1 go back to Define roles page and edit any role again.
      6. Find the Allow role overrides field, press and hold Ctrl and click on a role that is not selected yet.
      7. Click Save changes button.
      8. On window 2, refresh the page and confirm the Allow role overrides event has been triggered.
        • The event description should look like “The user with id '2' allowed role override to role '4' for 5”.
      Testing "Allow role switches" events
      1. On window 1 go back to Define roles page, but this time click on Allow role switches tab.
      2. Tick a couple of checkboxes, can be any role to any role.
      3. On window 2, refresh the page and confirm the Allow role switch event has been triggered.
        • The event description should look like “The user with id '2' allowed role switch to role '4' for 5”.
      4. Click on Allow role switch and confirm it takes you back to the Allow role switches page.
      5. On window 1 go back to Define roles page and edit any role again.
      6. Find the Allow role switches field, press and hold Ctrl and click on a role that is not selected yet.
      7. Click Save changes button.
      8. On window 2, refresh the page and confirm the Allow role switches event has been triggered.
        • The event description should look like “The user with id '2' allowed role switches to role '4' for 5”.
      Testing "Allow role to view" events
      1. On window 1 go back to Define roles page, but this time click on Allow role to view tab.
      2. Tick a couple of checkboxes, can be any role to any role.
      3. On window 2, refresh the page and confirm the Allow role to view event has been triggered.
        • The event description should look like “The user with id '2' allowed role to view to role '4' for 5”.
      4. Click on Allow role to view and confirm it takes you back to the Allow role to view page.
      5. On window 1 go back to Define roles page and edit any role again.
      6. Find the Allow role to view field, press and hold Ctrl and click on a role that is not selected yet.
      7. Click Save changes button.
      8. On window 2, refresh the page and confirm the Allow role to view event has been triggered.
        • The event description should look like “The user with id '2' allowed role to view to role '4' for 5”.
    • Affected Branches:
      MOODLE_37_STABLE
    • Fixed Branches:
      MOODLE_38_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-66034-master
    • Story Points:
      1
    • Sprint:
      Internationals - 3.8 Sprint 2, Internationals - 3.8 Sprint 3, Internationals - 3.8 Sprint 4

      Description

      The Danish Data Privacy Agency has, due to a privacy incident where a role was misconfigured (which gave students access to too much data), expressed their criticism of Moodle.

      Currently Moodle only logs the following on a role change:

      The Privacy Agency has criticized that it is not logged what the actual change in the role was, hence making it impossible to detect when the misconfiguration occurred.

      Furthermore, this is logged in the normal moodle-log, which automatically rolls over - I think standard is 90 days or so.

      We propose that role changes on system level are logged in the config-log and that the normal role-change is expanded.

      Furthermore, role-overrides need to be logged in more detail as well.
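
Added example (not part of the original issue and not Moodle's own code): once capability changes are logged with the detail shown in the testing instructions, an exported log can be replayed to find when a role held a capability and who granted it. The (timestamp, description) row layout, the sample timestamps and the helper names are assumptions; the description wording is copied from this page and may differ in a given Moodle release.

```python
import re
from collections import namedtuple

ALLOW, NOT_SET = 1, 0  # permission values as shown on this page ('0' -> '1')
WHO = r"The user (?:with )?id(?: id)? '(?P<user>\d+)' "  # tolerates the page's "id id"
ASSIGNED = re.compile(WHO + r"changed the '(?P<cap>[^']+)' capability permission "
                      r"for role '(?P<role>\d+)' from '(?P<old>-?\d+)' to '(?P<new>-?\d+)'")
UNASSIGNED = re.compile(WHO + r"has unassigned the '(?P<cap>[^']+)' capability "
                        r"permission for role '(?P<role>\d+)'")

Change = namedtuple("Change", "when user role capability new")


def parse(when, description):
    """Turn one log row into a Change, or None for unrelated events."""
    m = ASSIGNED.search(description)
    if m:
        return Change(when, int(m["user"]), int(m["role"]), m["cap"], int(m["new"]))
    m = UNASSIGNED.search(description)
    if m:
        return Change(when, int(m["user"]), int(m["role"]), m["cap"], NOT_SET)
    return None


def exposure_windows(rows, role, capability):
    """(start, end, granting_user) spans during which the role had Allow."""
    changes = sorted((c for c in (parse(w, d) for w, d in rows)
                      if c and c.role == role and c.capability == capability),
                     key=lambda c: c.when)  # ISO 8601 strings sort chronologically
    windows, start = [], None
    for c in changes:
        if c.new == ALLOW and start is None:
            start = c
        elif c.new != ALLOW and start is not None:
            windows.append((start.when, c.when, start.user))
            start = None
    if start is not None:
        windows.append((start.when, None, start.user))  # end None: still in effect
    return windows


# Constructed sample rows: timestamps are invented, descriptions follow the page.
CAP = "block/admin_bookmarks:myaddinstance"
SAMPLE_ROWS = [
    ("2019-09-02T10:15:00", f"The user id id '2' changed the '{CAP}' capability permission for role '1' from '0' to '1'"),
    ("2019-09-02T10:16:00", "The user with id '2' allowed role assignments to role '4' for 5"),
    ("2019-10-14T08:30:00", f"The user id id '2' has unassigned the '{CAP}' capability permission for role '1'"),
    ("2019-11-01T09:00:00", f"The user id id '3' changed the '{CAP}' capability permission for role '1' from '0' to '1'"),
]
```

Calling `exposure_windows(SAMPLE_ROWS, 1, CAP)` yields one closed window and one still-open window; the result is only as complete as the retained log, so the rollover mentioned above bounds how far back it can reach.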

        Attachments

        1. 1.png (142 kB)
        2. 2.png (298 kB)
        3. 3.png (308 kB)

              People

              • Assignee:
                lameze Simey Lameze
                Reporter:
                tuekorsgaard Tue Korsgaard
                Peer reviewer:
                Mathew May
                Integrator:
                Andrew Nicols
                Tester:
                Janelle Barcega
                Participants:
                Component watchers:
                Andrew Nicols, Mathew May, Michael Hawkins, Shamim Rezaie, Simey Lameze, Andrew Nicols, Mathew May, Michael Hawkins, Shamim Rezaie, Simey Lameze, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón
              • Votes:
                6
                Watchers:
                13

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  18/Nov/19

                  Time Tracking

                  Estimated:
                  Not Specified
                  Remaining:
                  0m
                  Logged:
                  1w 2d 2h