Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-72194

Policy discussion: Drop support for $CFG->admin

    XMLWordPrintable

Details

    • Improvement
    • Status: Closed
    • Minor
    • Resolution: Cannot Reproduce
    • 4.0
    • None
    • Administration, Policy

    Description

      Policy: Support status of $CFG->admin feature

      Since 20th September 2021, these points have been agreed:

      • The $CFG->admin feature has been deprecated
      • Bugs affecting supported versions prior to Moodle 4.0 will be considered for fix
      • Bugs affecting Moodle 4.0 onwards will not be fixed
      • Appropriate environment checks will be added to warn administrators that the feature will no longer be available

      What is this?

      I'd like to propose that we drop support for the $CFG->admin feature in Moodle.

      The $CFG->admin setting allows the /admin/ folder to be relocated.

      Why does this exist?

      As far as I am aware, this feature exists for two purposes:

      • 'security' - to hide admin features of Moodle away from prying eyes; and
      • where other software on a site is squatting in the /admin location.

      Personally I think that these are both terrible reasons. This feature causes us a number of headaches every release and the rationale for its existence are ill defined. We should therefore look to stop supporting it and potentially remove it entirely.

      To address the above rationales:

      Security

      This does nothing to improve the actual security of the system and there is plenty of writing around why Security through Obscurity is a bad thing. In short, it doesn't actually do anything to improve security at all because it's relatively easy to find where the new admin folder really is. It gives a false sense of security for no tangible benefit and a large amount of risk (in broken features).

      Folder squatting

      The reasoning here is that some hosting software may insist on providing its administration features at /admin on your domain - i.e. https://example.com is your site, and you can access the Host Admin panel at https://example.com/admin

      This is a host configuration problem. If your host is still squatting on your paid-for hosting locations in 2021, then it's time you found a new host. This is server mis-configuration pure and simple.

      Summary from the documentation:

      //=========================================================================
      // 5. DIRECTORY LOCATION  (most people can just ignore this setting)
      //=========================================================================
      // A very few webhosts use /admin as a special URL for you to access a
      // control panel or something.  Unfortunately this conflicts with the
      // standard location for the Moodle admin pages.  You can work around this
      // by renaming the admin directory in your installation, and putting that
      // new name here.  eg "moodleadmin".  This should fix all admin links in Moodle.
      // After any change you need to visit your new admin directory
      // and purge all caches.
       
      $CFG->admin = 'admin';
      

      Voting

      Voting options

      A) Drop support entirely (following deprecation policy)

      This will likely be in the form of:

      • an initial announcement
      • close all related new feature bugs
      • add a note to any bugs related to this feature to inform the assignee that they the feature is going away
      • deprecation notice introduced to the environment.xml to warn on all versions of Moodle that the feature is going away
      • create MDL for removal as per the deprecation policy

      B) Do not drop support

      • Leave the feature as-is

      C) Drop support for all development environments, but allow it in production

      • initial announcement
      • close all related bugs where the target is development (e.g. NodeJS tooling)

      Attachments

        Issue Links

          Activity

            People

              dobedobedoh Andrew Lyons
              dobedobedoh Andrew Lyons
              Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Adrian Greeve, Andrew Lyons, Eloy Lafuente (stronk7), Juan Leyva, Jun Pataleta, Sander Bangma
              Votes:
              8 Vote for this issue
              Watchers:
              20 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: