Login 
Mahara Community
Support
Permissions?
|
Tue, 27 Jan 2009, 6:51 AM
|
Hi folks, Is there a way - via control panel or php code - to alter the default permissions that students have? We are trying to roll out Mahara to our students. I have written a block-type that extracts student grades from sims and presents them in a nice graph for them to create views and comment on their progress. All very cool and our senior leaderships team are slowly getting onboard - BUT - we are having some problems controlling what the little blighters are getting up to. In particular, naming all of their profile data to stupid things and creating ridiculous groups with silly names (the problem is any day things might not be so silly and get more offensive and then Mahara might get pulled by the powers that be)... So I'm left with the question of how can I go about reducing what students can get up to on Mahara? I would like only teachers to be able to create groups and for student names etc to be pulled from Moodle and to not be editable. Can you give me any pointers on where to start? If there is no permissions system via the control panel (I realise you are only in version 1!) then is there anything I can get my hands on with php? (ps I'm happy to contribute my code back to the project) cheers, dan |
Re: Permissions? |
|
|
Tue, 27 Jan 2009, 8:34 AM
|
Hi Dan, a way to lock field editing is in the site admin pages /admin/users/institutions.php. If your studensts login in via moodle you can lock the desired fields. I think at the moment there is no way to prevent group creation. Nigel will give you tips how to modifiy php code. It would be great if you publish you blocktype code in the "plugin dev" group (http://mahara.org/group/view.php?id=37) Greetings from the black forest Heinz
|
Re: Permissions? |
|
|
Tue, 27 Jan 2009, 9:39 AM
|
Hello Dan, I had a similar problem working with Moodle. I had to protect a block as students were displaying silly things on screen and the instituition management started to become concerned about it. It is very sad that we have to ban options from Mahara, since the holistic conception of "eportfolio" is precisely the oposite: empowering learners to have their own learning space. However, you also need to cover all the possible risks (legally speaking) for the institution you work. This is the advice I can give you, from my experience as a "censor" of Moodle: The php files that manage with groups in Mahara, are mygroups.php -to display groups- and create.php -to create new ones- in the group folder. The first thing I would do is to check the role of the user accessing both files. This is my code for doing so in Moodle: require_once("../../config.php"); redirect("block.php"); exit(); where 1 is, as you know, the role of the administrator in Moodle. I have also used the has_capability option in Moodle to preven students from filling some fields in Moodle: i.e. if (has_capability('block/ilp:view',$usercontext)) { $allow_tutor = 1; etc, Mahara allows to set up the following roles 1) Plain user 2) Site Staff 3) Site Admin These are global roles.For each institution defined in your site, additionaly, you can have instituiton staff. I would grant the teachers the role of site staff/institution staff, and I would protect the code of create.php and mygroups.pho with something similar like the former code. Unfortunatelly, I still don't know all the functions in Mahara that can help you to check the user's role. Perphaps Nigel will be able to help here, as he is the main developer. If I am not wrong, in the Mahara user table, you can use the fields "staff" and "admin" to check i the user has any of these roles. Hope that this information is useful. Regards Aaricia/Mari |
Re: Permissions? |
|
|
Wed, 28 Jan 2009, 2:23 AM
|
Your ideas for implementation should work for Dan. The appropriate code to work out who has what role: if ($USER->get('staff') || $USER->get('admin')) { // is a site staff member or site admin } $USER refers to the user viewing the page, so a check like this at the top of group/create.php should suffice: if (!$USER->get('admin') || !$USER->get('staff')) { throw new AccessDeniedException('You are not allowed to create groups'); } You might want to remove the 'create group' button for anyone but staff and admins too, which can be arranged with similar checks. This doesn't take institution staff or admins into account, by the way, there are other checks for those. |
Re: Permissions? |
|
|
Wed, 28 Jan 2009, 2:27 AM
|
Hi - see my reply to Aaricia's post about the technical details. I can see here you have a good use case for limiting who can create groups. There is a feature request for this on the tracker already, it might be worth us looking at implementing it. |
Re: Permissions? |
|
|
Wed, 28 Jan 2009, 5:51 AM
|
Thanks for the responses people! Greatly appreciated. I will look through some of the code today and try to hack it into shape ;-) Re:posting my block-type... I am certainly up for doing that, but at the moment the code is messy and I woudn't want to share it. It's kind of at proof of concept stage. It also hooks into custom code I have been developing for Moodle (a sims-activedirectory-moodle integration backend) so it might be difficult for others to use, but i will certainly share it when I get it fit for public viewing lol
dan |
Re: Permissions? |
|
|
Wed, 28 Jan 2009, 6:39 AM
|
Hi Dan, I would be interested in knowing how your SIMS > AD > Moodle integration is progressing! It would certainly be a life saver for us and a lot of other UK schools. Jon |
Re: Permissions? |
|
|
Wed, 28 Jan 2009, 8:25 AM
|
Well I have it running in three schools here in Kirklees and it's performing well. It works like this:
I have not written it in a very 'Moodle' kind of way. It is more of a bolt-on to moodle. Am not sure about releasing it through moodle because I don't know how it will be received there - but I couldn't wait any ,longer for global groups in version 2 (where is it?! lol) My Mahara block-type uses the same mappings between sims and moodle/mahara. I have another script that extracts resultsets for the current year and this is stored in a table in Moodle. My Mahara block-type pulls this data in and then uses an open flash graph class to generate a nice graph. Students then add a comments to this in the usual Mahara way. Ok, going off topic here so will stop now,
dan |
Re: Permissions? |
|
|
Wed, 28 Jan 2009, 9:18 AM
|
anyway! it's a really awesome perspective you're bringing! i'm trying to implement mahara too for the same purpose but i'm thinking of sticking to the mahara and mahara coding! |
Re: Permissions? |
|
|
Wed, 28 Jan 2009, 9:27 AM
|
Just as a record for anyone else, the code edits I made are listed below for blocking group access to all non-staff non-admin accounts. I think it actually needs to be an && in the if clause for create.php because we want both admin AND staff fields NOT to contain zero to trigger the blocking of access. If either field has a 1 then they are either staff or admin. For group/create.php if ( !$USER->get('admin') && !$USER->get('staff') ) { And then to remove the button I added a variable to be sent to the smarty tpl file in group/mygroup.php: ($USER->get('admin') || $USER->get('staff')) ? $smarty->assign('role', 'staff') : $smarty->assign('role', 'student'); And then this is tested against in mygroup.tpl: {if $role == 'staff' } |
Re: Permissions? |
|
|
Wed, 28 Jan 2009, 6:33 PM
|
Hi Dan - yes, it does need to be && if you want only people with staff AND admin to do it, although I would think in most cases, your teachers would just have the staff role while your IT team would have the admin role - thus the || is probably more suited. Rather than using die, use this: throw new AccessDeniedException('You are not allowed to create groups'); This will give you a nice Mahara-themed error page. Last thing - the $USER object is actually available in the template, so your check in the template can be: {if $USER->get('staff') && $USER->get('admin')} Without needing the $role. |
Re: Permissions? |
|
|
Thu, 29 Jan 2009, 6:29 AM
|
Ok, great, the less files hacked the better! I will access $USER directly from the template. Regarding the exception, I did try your exception but I got a blank white screen and not an error - didn't have time to look at it any further. It's only a fallback position anyway in case a very bright student manages to work out the url for create.php and tries to access it directly. Removal of the button will stop 99.9% of our kids. Regarding ANDs and ORs, I was referring to the not clause in create.php. I agree that for the template I want OR - either staff or admin want to see the button. But for the blocked access on create.php I am blocking accounts that have *neither* staff *nor* admin (ie students). so i want !X AND !Y imho. Thanks foir all your help and swift responses! Much appreciated, dan |
Re: Permissions? |
|
|
Thu, 29 Jan 2009, 7:09 AM
|
I should have used good old DeMorgan's law. Always a confusion, even though boolean algebra was something I was quite good at in university 
|
Re: Permissions? |
|
|
Thu, 29 Jan 2009, 9:43 AM
|
Hei! What if i'd need to give access to the tutor on the students arfetact resumee. Let's say i have a general goal that has to be edited only by the controlled comunity stuff(prof, admin). I have to find a way to talk to the artefact class not to listen to $USERID but to the $loggedinid. Actually i've done a really strange way: I've ported all the tpl and json files(3-4) into the user folder into a new folder let's say /user/editprofile and, changing the path actually works right, though it listends to the loggedinid, it should listen the the id of the user that it's beeing visited. I've done little testing, though i need to ask if it's incerediby difficult? How can i pass that variable to the class? And where is that $USER->id held anyway > sessions? cookies? (might seem really stupid this question i know! sorrry! :D |
Re: Permissions? |
|
|
Thu, 29 Jan 2009, 5:31 PM
|
Hi - I don't quite understand your questions The ID of the logged in user is $USER->get('id') btw. |
. If you're finding it hard to allow others access to users' portfolio data, that's because we haven't made it easy, because it's all supposed to be private by default. I guess you could hack things to make it work, but it's not a good idea.. the views interfaces is really where people should be exposing their data.