catalyst / moodle-tool_objectfs

Object file storage system for Moodle
https://moodle.org/plugins/tool_objectfs

Amazon Moodle Filedir URLs - Exposed To Public #508

Closed aboarken closed 2 years ago

aboarken commented 2 years ago

Earlier, before setting up the Moodle Object storage file system plugin, stakeholders used to share Moodle resources (PDF or any other files) where it required them to log in in order to access that resource link.

But after setting up the Moodle Object storage file system plugin, I have noticed that all links shared from Amazon are exposed to the public and don't require stakeholders to log in in order to access those files.

Is this normal from the plugin, since this allows any user to access any link shared with our team?

brendanheywood commented 2 years ago

Each Moodle plugin file does the ACL checks and confirms the user can access this specific file, then it redirects to a signed URL in S3 or CloudFront. The signature is technically public but it is only valid for a short time and each user will get their own unique signature. If a student shares a signed URL then yes that would work, but that is equivalent to the student simply downloading the file and sharing it anyway.
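The flow described in the reply above, as an added sketch that is not part of the thread and not the plugin's code: the application does the ACL check and issues a short-lived signed URL, and the storage side checks only the signature and expiry. It uses a simplified HMAC scheme rather than real S3 or CloudFront signing; the key, ACL table, host name and function names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

SECRET = b"constructed-demo-key"  # constructed; stands in for the storage credentials
ENROLLED = {("alice", "/course1/notes.pdf")}  # constructed ACL table


def _sign(path: str, expires: int) -> str:
    # The signature binds the object path to one expiry time.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def app_redirect(user: str, path: str, now: int, ttl: int = 60):
    """Application side: ACL check first, then hand out a signed URL."""
    if (user, path) not in ENROLLED:
        return None  # the application would answer with a login page or 403
    expires = now + ttl
    query = urlencode({"expires": expires, "sig": _sign(path, expires)})
    return f"https://storage.example{path}?{query}"


def storage_allows(url: str, now: int) -> bool:
    """Storage side: knows nothing about users, only signature and expiry."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    expected = _sign(parts.path, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False  # path or expiry was altered after signing
    return now <= expires
```

The URL is a bearer credential: anyone holding it is served until `expires`, so the time-to-live is the control that bounds how long a shared link keeps working.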