Bug #378
Course with private access BUG
100%
Description
It seems that when a course is marked as Private access (site accessible only to people on the user list) then its content is still publicly accessible when the URL is known. This has far-reaching consequences when the Dokeos installation is on an Internet-facing system and content could be spidered by Google. URLs will load regardless of the course being private.
An example of a presentation that showed up in Google is:
http://<system>/main/document/showinframes.php?cidReq=<course>&file=<file>
I would expect that when a course is marked Private Access that not just the course homepage but all pages and content are inaccessible for everyone that is not on the userlist including anonymous visitors and spiders. It's then very disappointing that in our system this is not the case in 1.8.6. It is not on the changelog for 1.8.6.1 and not listed as a known issue.
To recreate the issue:
- create a new course (or take an existing course)
- add documents
- modify it and mark it as private
- add a document
- open the document
- launch the same URL in a different browser (or log out and launch the URL)
Result:
Content is readable (logged in as anonymous user)
Expected:
Access denied.
Also if the anonymous user is set inactive then the content can still be viewed.
The issue also exists for Closed courses that are Completely closed; the unit is only accessible to the unit admin.
Sent by sander.vandragt
http://www.dokeos.com/forum/viewtopic.php?t=29720
History
Updated by Carlos Vargas about 10 years ago
Updated by Julio Montoya about 1 month ago
- Subject changed from Private courses' content not private. to Course with private access BUG
#2
Updated by Yannick Warnier about 1 month ago
Comment
This should only happen when there is no .htaccess in the courses/ directory or when .htaccess are not supported by the Apache installation. Please try on an .htaccess-enabled installation before delving more into it.
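One way to check the two conditions named in the comment above (a missing courses/.htaccess, or an Apache configuration that ignores .htaccess files) is sketched below. It is an added example, not Dokeos code: the install path /var/www/dokeos and the sample configuration are constructed, and the parser only handles plain-path `<Directory>` sections in a single file.

```python
import posixpath
import re

# Constructed sample Apache configuration (not taken from the report).
SAMPLE_CONF = """
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www/dokeos">
    Options FollowSymLinks
    AllowOverride All
</Directory>
"""

DIRECTORY_RE = re.compile(
    r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OVERRIDE_RE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)


def effective_allow_override(conf_text, target_dir):
    """Return the AllowOverride value that applies to target_dir, or None.

    Plain-path <Directory> sections are merged shortest path first, so the
    most specific section that sets AllowOverride wins. Wildcard and regex
    sections and Include files are not handled (simplification).
    """
    target = posixpath.normpath(target_dir)
    matches = []
    for path, body in DIRECTORY_RE.findall(conf_text):
        path = posixpath.normpath(path)
        prefix = path if path.endswith("/") else path + "/"
        if target == path or target.startswith(prefix):
            found = OVERRIDE_RE.findall(body)
            if found:
                matches.append((len(path), found[-1]))
    # Stable sort: for equal path lengths the later section wins.
    return sorted(matches, key=lambda m: m[0])[-1][1] if matches else None


def htaccess_is_honoured(conf_text, courses_dir, htaccess_exists):
    """True only if courses/.htaccess exists and Apache is told to read it."""
    value = effective_allow_override(conf_text, courses_dir)
    if not htaccess_exists or value is None:
        # Unset AllowOverride: the default depends on the Apache version,
        # so report "not confirmed" and check the server by hand.
        return False
    return value.lower() != "none"


if __name__ == "__main__":
    print(htaccess_is_honoured(SAMPLE_CONF, "/var/www/dokeos/courses", True))
```

On a real server, pass the contents of the active virtual host configuration and `os.path.isfile(".../courses/.htaccess")` for the last argument.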
Updated by Yannick Warnier almost 10 years ago
- Target version changed from 1.8.6.2 alpha to 1.8.6.2 RC1
Updated by Christian Alberto Fasanando Flores almost 10 years ago
- Assignee set to Christian Alberto Fasanando Flores
Updated by Christian Alberto Fasanando Flores almost 10 years ago
I tried on an .htaccess-enabled installation; it looks fine.
Updated by Christian Alberto Fasanando Flores almost 10 years ago
- Status changed from New to Feature implemented
- % Done changed from 0 to 100