Chamilo LMS

It seems that when a course is marked as Private access (site accessible only to people on the user list) then its content is still publically accessible when the URL is known. This has far reaching consequences when the Dokeos installation is on a internet facing system and content could be spidered by Google. URLs will load regardless of the course being private.

an example of a presentation that showed up in google is:
http://<system>/main/document/showinframes.php?cidReq=<course>&file=<file>

I would expect that when a course is marked Private Access that not just the course homepage but all pages and content are inaccessible for everyone that is not on the userlist including anonymous visitors and spiders. It's then very disappointing that in our system this is not the case in 1.8.6. It is not on the changelog for 1.8.6.1 and not listed as a known issue.
To recreate the issue:

• create a new course (or take an existing course) * add documents * modify it and mark it as private * add a document * open the document * launch the same url in a different browser (or logout and launch the url)

Result:
Content is readable (logged in as anonymous user)

Expected:
Access denied.

Also if the anonymous user is set inactive then the content can still be viewed.

Issue exist also for Closed courses that are Completely closed; the unit is only accessible to the unit admin.

Sent it by sander.vandragt
http://www.dokeos.com/forum/viewtopic.php?t=29720