Forums | Mahara Community

Permissions?


Account deleted
Posts: 19

27 January 2009, 6:51

Hi folks,

Is there a way - via control panel or php code - to alter the default permissions that students have?

We are trying to roll out Mahara to our students. I have written a block-type that extracts student grades from sims and presents them in a nice graph for them to create views and comment on their progress. All very cool and our senior leadership team are slowly getting onboard - BUT - we are having some problems controlling what the little blighters are getting up to. In particular, naming all of their profile data to stupid things and creating ridiculous groups with silly names (the problem is any day things might not be so silly and get more offensive and then Mahara might get pulled by the powers that be)...

So I'm left with the question of how can I go about reducing what students can get up to on Mahara? I would like only teachers to be able to create groups and for student names etc to be pulled from Moodle and to not be editable.

Can you give me any pointers on where to start? If there is no permissions system via the control panel (I realise you are only in version 1!) then is there anything I can get my hands on with php?

(ps I'm happy to contribute my code back to the project)

 cheers,

 dan 

Heinz Krettek
Posts: 480

27 January 2009, 8:34

Hi Dan,

A way to lock field editing is in the site admin pages /admin/users/institutions.php.

If your students log in via Moodle you can lock the desired fields. I think at the moment there is no way to prevent group creation. Nigel will give you tips on how to modify PHP code.

It would be great if you publish your blocktype code in the "plugin dev" group (http://mahara.org/group/view.php?id=37)

Greetings from the black forest

Heinz

 

Account deleted
Posts: 338

27 January 2009, 9:39

Hello Dan,

I had a similar problem working with Moodle. I had to protect a block as students were displaying silly things on screen and the institution management started to become concerned about it.

It is very sad that we have to ban options from Mahara, since the holistic conception of "eportfolio" is precisely the opposite: empowering learners to have their own learning space. However, you also need to cover all the possible risks (legally speaking) for the institution you work for.

This is the advice I can give you, from my experience as a "censor" of Moodle:

The PHP files that manage groups in Mahara are mygroups.php (to display groups) and create.php (to create new ones), in the group folder.

The first thing I would do is to check the role of the user accessing both files. This is my code for doing so in Moodle:

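require_once("../../config.php");
require_login();

global $USER;
// Look up the site-level (system) context.
$adminContext = get_context_instance(CONTEXT_SYSTEM, SITEID);
// Anyone without role id 1 in that context is sent back to block.php.
if (!user_has_role_assignment($USER->id, 1, $adminContext->id)) {
    redirect("block.php");
    exit();
}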

where 1 is, as you know, the role of the administrator in Moodle.

I have also used the has_capability option in Moodle to prevent students from filling some fields in Moodle:

i.e.

// Default to "not allowed" so the flag is always defined.
$allow_tutor = 0;
if (has_capability('block/ilp:view', $usercontext)) {
    $allow_tutor = 1;
}
if (!$allow_tutor) {
    error("insufficient access");
}

etc, 

Mahara allows you to set up the following roles:

1) Plain user

2) Site Staff

3) Site Admin

These are global roles. For each institution defined in your site, additionally, you can have institution staff.

I would grant the teachers the role of site staff/institution staff, and I would protect the code of create.php and mygroups.php with something similar to the former code.

Unfortunately, I still don't know all the functions in Mahara that can help you to check the user's role. Perhaps Nigel will be able to help here, as he is the main developer.

If I am not wrong, in the Mahara user table, you can use the fields "staff" and "admin" to check if the user has any of these roles.

Hope that this information is useful.

Regards

Aaricia/Mari

Account deleted
Posts: 1643

28 January 2009, 2:23

Your ideas for implementation should work for Dan. The appropriate code to work out who has what role:

if ($USER->get('staff') || $USER->get('admin')) {

  // is a site staff member or site admin

}

$USER refers to the user viewing the page, so a check like this at the top of group/create.php should suffice:

if (!$USER->get('admin') || !$USER->get('staff')) {

    throw new AccessDeniedException('You are not allowed to create groups');

}

You might want to remove the 'create group' button for anyone but staff and admins too, which can be arranged with similar checks.

This doesn't take institution staff or admins into account, by the way, there are other checks for those.

Account deleted
Posts: 1643

28 January 2009, 2:27

Hi - see my reply to Aaricia's post about the technical details.

I can see here you have a good use case for limiting who can create groups. There is a feature request for this on the tracker already, it might be worth us looking at implementing it.

Account deleted
Posts: 19

28 January 2009, 5:51

Thanks for the responses people! Greatly appreciated. I will look through some of the code today and try to hack it into shape ;-)

Re: posting my block-type... I am certainly up for doing that, but at the moment the code is messy and I wouldn't want to share it. It's kind of at proof of concept stage. It also hooks into custom code I have been developing for Moodle (a sims-activedirectory-moodle integration backend) so it might be difficult for others to use, but I will certainly share it when I get it fit for public viewing lol

 

dan

Account deleted
Posts: 16

28 January 2009, 6:39

Hi Dan,

I would be interested in knowing how your SIMS > AD > Moodle integration is progressing! It would certainly be a life saver for us and a lot of other UK schools.

 Jon

Account deleted
Posts: 19

28 January 2009, 8:25

Well I have it running in three schools here in Kirklees and it's performing well.

It works like this:

  • Run 2 reports in sims and upload to Moodle via web page
  • Run backend admin interface
  • According to the username formats set in the config file, the code tries to match each sims student and staff member to a moodle account (moodle is set to get its accounts via ldap from AD)
  • On all 3 systems I have set up, there are a number of accounts that have problems auto-matching - usually to do with inaccurate data entry on sims and AD. These accounts are matched by hand with the admin interface. These exceptions are stored so that they only need to be matched once.
  • Run the database update.
  • Now when a teacher goes to assign roles ->student there is a new groups view, with sims groups available for batch student enrolling. It also auto-creates a local group and populates with the correct students so that when you look at assignments by group etc - the correct groups are displayed.

I have not written it in a very 'Moodle' kind of way. It is more of a bolt-on to Moodle. Am not sure about releasing it through Moodle because I don't know how it will be received there - but I couldn't wait any longer for global groups in version 2 (where is it?! lol)

My Mahara block-type uses the same mappings between sims and Moodle/Mahara. I have another script that extracts resultsets for the current year and this is stored in a table in Moodle. My Mahara block-type pulls this data in and then uses an open flash graph class to generate a nice graph. Students then add comments to this in the usual Mahara way.

Ok, going off topic here so will stop now,

 

dan 

Account deleted
Posts: 15

28 January 2009, 9:18

Anyway! It's a really awesome perspective you're bringing! I'm trying to implement Mahara too for the same purpose but I'm thinking of sticking to the Mahara and Mahara coding!

Account deleted
Posts: 19

28 January 2009, 9:27

Just as a record for anyone else, the code edits I made are listed below for blocking group access to all non-staff non-admin accounts.

I think it actually needs to be an && in the if clause for create.php because we want both admin AND staff fields NOT to contain zero to trigger the blocking of access. If either field has a 1 then they are either staff or admin.

For group/create.php

if ( !$USER->get('admin') && !$USER->get('staff') ) {

    die('You are not allowed to create groups');

}

And then to remove the button I added a variable to be sent to the smarty tpl file in group/mygroup.php:

($USER->get('admin') || $USER->get('staff')) ? $smarty->assign('role', 'staff') : $smarty->assign('role', 'student');

And then this is tested against in mygroup.tpl:

{if $role == 'staff' }
    <div class="addgrouplink">
        <span class="addicon fr">
            <a href="{$WWWROOT}group/create.php">{str tag="creategroup" section="group"}</a>
        </span>
    </div>
{/if}
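
The two conditions discussed in this thread, evaluated for every combination of the admin and staff flags. This is an added example, not code from the posters or from Mahara: StubUser and can_create_groups() are hypothetical names, and only the get('admin') / get('staff') calls come from the thread.

```php
<?php
// Added illustration: StubUser is a constructed stand-in for Mahara's $USER,
// exposing only the get('admin') / get('staff') calls quoted in the thread.
class StubUser {
    private $fields;
    public function __construct($admin, $staff) {
        $this->fields = array('admin' => $admin, 'staff' => $staff);
    }
    public function get($key) {
        return $this->fields[$key];
    }
}

// Condition from the 28 January 2:23 post: denies unless BOTH flags are set.
function denied_with_or($user) {
    return !$user->get('admin') || !$user->get('staff');
}

// Condition from the final post: denies only when NEITHER flag is set.
function denied_with_and($user) {
    return !$user->get('admin') && !$user->get('staff');
}

// Hypothetical helper: state the allow rule once, deny by negating it, and
// reuse it for both the create.php gate and the template's button flag.
function can_create_groups($user) {
    return (bool) ($user->get('admin') || $user->get('staff'));
}

// Constructed sample accounts covering all four flag combinations.
$cases = array(
    'student'     => new StubUser(0, 0),
    'staff only'  => new StubUser(0, 1),
    'admin only'  => new StubUser(1, 0),
    'admin+staff' => new StubUser(1, 1),
);

printf("%-12s %-10s %-10s %s\n", 'account', '|| denies', '&& denies', 'helper allows');
foreach ($cases as $label => $user) {
    printf("%-12s %-10s %-10s %s\n",
        $label,
        denied_with_or($user) ? 'yes' : 'no',
        denied_with_and($user) ? 'yes' : 'no',
        can_create_groups($user) ? 'yes' : 'no'
    );
}
```

The check in group/create.php is what enforces the rule; the template condition only hides the link from accounts that would be refused anyway.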
