Moodle development traffic 10/2010

Latest stable version 1.9.7+

There were 7 commits into the stable branch. Helen Foster fixed the confusing wording of the Course creator role description, as suggested by Ray Lawrence (MDL-21016). Petr Škoda fixed the buggy display of decimals in the s() function, spotted by Tim Hunt (MDL-21789). Dan Poltawski fixed a bug that caused a block to disappear after it was moved. The issue is not yet complete: an upgrade step will be necessary to fix any block instances that are already broken. Andrew Nicols provided an SQL statement to detect such problems (MDL-21805). Dan Marsden committed two fixes in the SCORM/AICC module; credit goes to Matteo Scaramuccia. Gordon Bateson fixed a malicious regexp issue in the Hotpot module (MDL-21817).

Unstable development version 2.0dev

There were 32 commits into the main development branch last week. Everybody is working hard on this future release. Among other contributors, Helen Foster continues on her crusade to beat obsolete help files and Dongsheng Cai committed a set of various patches in repositories, JavaScript and other places.

The Moodle 2.0 beta release has been rescheduled to April 2010; the production release is still planned for July 2010.

Quotes of the week

“I would rather wait another whole 12 months for Moodle 2.0 than have gone for [another LMS] and regret it…”
Mary Cooch

“Moodle installs should phone home and compare version numbers and whine bitterly on notifications page ‘I AM OUT OF DATE AND SAD, PLEASE UPDATE ME :( :( :( ‘, getting increasingly sad and red and large, with tears, and animated gifs … ok, that’s going too far”
Penny Leach

You shall not pass!*

There are several Moodle core functions that every developer should know, even when they were woken up in the middle of the night after a long party (actually that does not make sense as “middle of the night” is not compatible with “after a long party”, anyway…). These include require_login() and require_course_login(), both defined in lib/moodlelib.php. They are part of the Moodle security scheme and it is important to understand what they do and how they differ.

If you are not sure, use require_login(). This function checks that the current user is logged in. You should call it very early in your scripts, typically immediately after you get the course and course module objects. Once you load these objects, you should pass them to require_login() so that it not only checks that the current user is logged in but also makes sure they are allowed to be in that particular course and to view that particular course module instance. It checks hidden activity restrictions and applies groupmembersonly access control and conditional activity access control. If the user is a guest, the function treats them according to the course policy about guests and/or asks them whether they want to enrol into the course (yes, that “do you want to enrol into this course” screen).

Regardless of its name, require_login() sets up and checks a lot more behind the scenes. If the course and course module are available, it tells the global $PAGE object which course and course module are being displayed and sets the page layout. It checks whether the user should change their password, that the user account is properly set up (do you remember those redirects to your user profile to fill in missing fields?), that the user has agreed to the site policy (if there is one) and that the site is not in maintenance mode.

Uff, quite a lot of stuff in one function! And what about require_course_login() then? Well, it is good to know that this one was primarily intended for the Resource module. When a resource is published on the Moodle front page, no login is required to view it. But if the resource is created inside a course, the normal access control checks should be done. And that is exactly what require_course_login() does. It requires the user to be logged in only if we are inside a course. If we are on the front page, only basic checks are done (hidden activity? forced login? etc). It is important to realise that this is allowed only in those scripts where no input is expected from the user. Once the script handles creating some content (submitting a post in Forum, responding in Choice or taking an attempt in Quiz, for example), the full require_login() must be used. It is a general rule in Moodle that only authenticated users are allowed to produce content.
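
The call order described above, as an added example that is not part of the original post and is not Moodle core code. The "widget" module, its widget_entries table and the script paths are hypothetical, and the Moodle 2.0 $DB API is assumed.

```php
<?php
// mod/widget/save.php (hypothetical script of a hypothetical "widget" module).
// It stores user input, so it must use the full require_login() gate.
require_once('../../config.php');

$id = required_param('id', PARAM_INT); // Course module id from the request.

// 1. Load the course module and course objects first.
$cm = get_coursemodule_from_id('widget', $id, 0, false, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);

// 2. Gate right away, before any other work. Passing $course and $cm makes
//    require_login() check course access and the activity restrictions as
//    well as the login itself. The second argument (false) turns off the
//    automatic guest login; that choice is an assumption of this example.
require_login($course, false, $cm);

// A script of the same module that only displays content and accepts no
// input (for example a view.php) could call the weaker gate here instead:
//     require_course_login($course, true, $cm);

// 3. Only after the gate has passed, handle the submitted content.
//    confirm_sesskey() is Moodle's session key check for submitted forms.
if (data_submitted() && confirm_sesskey()) {
    $entry = new stdClass();
    $entry->widgetid = $cm->instance;
    $entry->userid = $USER->id;
    $entry->content = required_param('content', PARAM_TEXT);
    $entry->timecreated = time();
    $DB->insert_record('widget_entries', $entry); // Hypothetical table.
}

redirect(new moodle_url('/mod/widget/view.php', array('id' => $cm->id)));
```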

Post scriptum

I decided to release these Moodle development traffic (MDT) posts on Tuesdays instead of Mondays. Tuesday is our code review day before we release the weekly build on Wednesday, so it makes sense to synchronize it.

