In 1.9.4, Moodle introduces a new security report tool which compares your Moodle roles against different security risks. My colleagues and I just spent the afternoon puzzling through the flags that 1.9.4+ raised in our test Moodle install. Unfortunately, “puzzling” is the optimum word here: we spent a big chunk of time just trying to understand what the report was trying to tell us. Here’s what I learned.
Guest – only capabilities without any risks are allowed
Student – certain capabilities with spam risks are allowed
Teacher – certain capabilities with XSS and privacy risks are allowed
Administrator – all capabilities are allowed
This is important because any custom roles you’ve created are evaluated based on the legacy role that spawned them. So if you start with a student role, and give it some more advanced teacher-like options that allow XSS capabilities, then Moodle will set a critical warning flag because its exceeded the capabilities normally associated with a student.
I need to doublecheck this, but I think that if you change the legacy role associated with the custom role in question to “teacher”, then your custom capabilities will remain the same, but the report will run against the more permissive teacher role. That said, you may not want to get rid of the warnings (since it is helpful to know what a “super student” role could get themselves into) but at least this write-up should help you understand them.
I’d love to see Moodle create a more user-friendly report that says something like:
“Your role ‘Teacher Assistant’ is based on the legacy role ‘Student’. By default, students are not allowed to have capabilities that permit Cross Site Scripting (XSS), but your custom role allows the following XSS capabilities” — I’d then include a list of the problem capabilities.
You can contribute to improving the Security Report by reading/commenting on this tracker item:
Here’s my test of audio/video screen capture using ScreenFlow, in which I use Google to find Waldo. It was recorded on a Mac OS X 10.5 machine with a Logitech Desktop Microphone.
The final Quicktime video is 960×600 pixels (about 50% of the original screen size) It is 1.04 minutes long, and 7.7 MB in size. I used the “Web – High” setting (H.264 video encoding at 850 kbits/sec. AAC sterio audio at 96 kbits/sec). The original video was full-screen; I didn’t attempt to do a full-size export.
Observations: ScreenFlow offers a lot more options than Silverback. For example, when doing the capture I could choose which of my Mac’s iSight cameras I wanted to use (the MacBook Pro’s built in iSight or the one on my external monitor) as well as which monitor to use (the MacBook’s or the external one). It includes 11 export options, and a number of video tweaking options within the program, including the ability to move/resize the picture-in-picture video and the ability to add on-screen text. I like Silverback for its fire-and-forget nature, but I think ScreenFlow offers us more long-term flexibility.
Here’s my test of audio/video screen capture using Silverback, in which I use Google to find Waldo. It was recorded on a Mac OS X 10.5 machine with a Logitech Desktop Microphone.
The final Quicktime video is 468×300 pixels (about 25% of the original screen size) It is 1.01 minutes long, and 19.22 MB in size. The original video was full-screen, and far larger in size: about 120 mb, but there are export settings that can reduce that size considerably.
Observations: Silverback was very easy to configure and use. I assume the large file sizes are because it’s capturing both the on-screen video and video of the user, coupled with a high screen resolution my Mac. It records as Quicktime, which PowerPress was able to play back in Firefox and Internet Explorer without any problems.
Here’s my test of audio/video screen capture using Camstudio, in which I use Google to find Waldo.
This was done on a Windows XP machine running Camstudio 2.0. The audio was recorded using a Logitech Desktop Microphone. The final video uses the Intel Indeo Video 4.5 codec.
The AVI video full-screen, 1.05 minutes long and 7.46 MB in size.
Observations: The video recorded well and plays back fine in Windows Media Player. Embedding it on a webpage using PowerPress (the video below) was more problematic. IE 6 will play the video because it recognizes the AVI file type. Firefox 3 will not.
The video looks good and the sound quality is fine. I don’t think the inability to play AVI files in Firefox is a show stopper, and we can always convert AVIs to some other format later on if we need to.
I’m gearing up for a major round of usability testing this semester. I’ve found two good video screen capture apps for the Mac in the form of Silverback and Screenflow but finding equivelent programs on the Windows side is proving to be more of a challenge.
Jing is very close to what I want — it allows you to easily capture screen shots or video accompanied by audio commentary and the pro version allows you to save that video as Flash or mp4 videos. Unfortunately even the pro version has a 5 minute time limit, which kills it for my purposes — our usability tests typically run about 30 minutes.
Windows Media Encoder will record audio and video, but it only does Windows media files, and the quality isn’t great. A better option is Camstudio (the open source version); it records video in AVI format using several different codecs.
Another pricier alternative is Camtasia, which has a comparable feature set to ScreenFlow on the Mac.
After talking with a faculty member and brainstorming how classes might use WordPress MU, one of the must-have tools we’ve decided we need is an author list. While we anticipate that we’ll have a number of one-person blogs if/when WordPress Mu is in production, there will also be goodly amount of multi-author blogs for classes, student organizations, etc.
We identified two needs:
Hyperlink an author’s name to a page with all of their posts on the site.
Include a widget listing all of the authors (with links to their individual posts)
After doing some research this morning, I’ve come up with a few solutions.
Linking to author names & listing authors through WP functions: The “Author Templates” page of the WordPress Codex lists a number of useful functions that can be used as part of the Loop to link to individual author pages as well as displaying post counts and author lists.
The specific function is “the_author_posts_link()”, and it inserts the author’s name with a hyperlink to his/her “author” page, which lists everything they’ve written.
You can also use “wp_list_authors()” to list all the authors associated with the blog.
These options require you to modify the theme’s template file(s).
Listing Authors with the Authors Widget: “Authors Widget” allows you to add a sidebar widget that lists all of the authors associated with the blog with links to their individual author pages (there’s also an optional link for their RSS feeds).
We got a heads up from our Apple rep today that there are a few hundred students headed our way this fall with spiffy new Apple computers … and the free iPod Touches that came with them. Now this is very cool for them (and far cooler than the last-gen nano that came with my MacBook Pro last year) but the sudden arrival of a bunch of new wireless handheld devices has us scrambling a bit. Will the wireless network accommodate them (short answer: yes, with plenty of room to spare). Will our web applications work with them? (probably).
Fortunately, we got an iPod Touch in the office for testing purposes, and I’ll be firing that puppy up ASAP to make sure everything’s working the way it should.
A great video explaining the difference between Web 1.0 and Web 2.0. I’d love to see something like this submitted for Leopard Shorts. I’d also like to find more instructional videos like this; if anyone has some, please post a comment.
Finally, this post really serves as a test of using WordPress Mu’s built-in YouTube support; I click the “YouTube” button, it asked for the clip ID (6gmP4nk0EOE) and then it did the rest.
Ajax is becoming omnipresent on the web, but should developers assume that JavaScript is available when developing web-based applications? This blog post by Roger Johansson argues that for basic web apps, you can never assume that JS is there. It spawned a huge (and surprisingly civil) comment thread with a slight consensus agreeing with him.
I’m inclined to agree with those who say the only time that you can assume JavaScript is available is in an intranet environment, and even then someone will inevitably turn off JS so make sure things fail gracefully. For external users, your web page shouldn’t simply stop working because a user doesn’t have JavaScript enabled.
