sarjona

Security course feedback

Apr 28th, 2022 (edited)
The Moppies team have scheduled this course to be finished by today. A few of us have completed it at our own pace, and today we've been discussing our findings in the course.
This is a summary of them.

First of all, congrats on the course: it's a good idea to have small courses with concrete topics (instead of big courses with more content). We loved the format!

Some generic comments about the course:
- It's too basic (at least for any Moodle developer). Based on the title, we were probably expecting to have more information related to Security.
- There are some acronyms used that are not explained at all (maybe it would be good to have a glossary and link them there, to help participants understand them better).
- We missed some space in the activities to think about the best solution (instead of directly giving it).
- Instead of giving a .zip with the code, wouldn't it be better to share a GitHub repository? Some of us were expecting to have this repository with the empty code and also with the solutions :-) (in different branches).
- In some cases, like the first section, we missed some references to devdoc pages giving more information about PARAM_xxx and FORMAT_xxxx.
- Apart from that, maybe it would be nice to have a security course (unrelated to Moodle), to learn a little bit more about security basics.
- Related to the quiz:
  - It was hard to understand some of the questions of the last quiz (at least for non-native English speakers).
  - Maybe add some options like "None of the above" or "All of the above" to make them trickier/more difficult.

Apart from that, we have a few comments about the tasks:

Task: Login and user input sanity check

- The Greetings plugin is not displayed in 4.0 (before that, the screenshots show it's displayed in the drawer): https://moodle.academy/mod/book/view.php?id=936&chapterid=746
- It would be good to give some examples of text to test, to compare behaviour with different PARAM_xxx and FORMAT_xxx.
- Codechecker should be added as a requirement for the course.
- When running codechecker in "5. Check your code", as the require_login has been added, the warning "Expected login check..." is not displayed.

Task: Control access using capabilities

- The given version of the Greetings plugin doesn't implement the feature for removing messages.

Task: Add sesskey protection

- How can this task be done: "Before adding the sesskey protection, try to simulate the CSRF attack. Using a student account on the site, try to find a way how a student could easily make the Hello world wall populated with malicious content submitted from a teacher or admin accounts"?

Task: Add administration setting for your plugin

- The version needs to be bumped to add the default value to the database.
- For Moodle 4.0 onwards, the example should be reviewed because it's not working (navigation has changed). You'll find more information about that at https://docs.moodle.org/dev/Moodle_4.0_developer_update#Navigation_changes