Security and the Annotate plugin for Moodle
Content viewed with A.nnotate is accessed directly from the A.nnotate server. Therefore, it is important to ensure that users can only see a particular resource in A.nnotate if they are also able to access it in Moodle. Furthermore, since plugins have access to user data within Moodle, they should clearly state what data is accessed and how it is used.
The Annotate plugin for Moodle is open source. Moodle administrators and others interested in security are encouraged to read the source code and the comments therein. Comments and suggestions for changes are most welcome: please contact support @ nnotate.com.
A note on names: the server product name is "A.nnotate" to agree with the a.nnotate.com domain that hosts the free and subscription service. But the plugin name is just "Annotate" without the "." for file naming convenience.
In the following it is assumed that the organization hosting the Moodle server also hosts its own A.nnotate server. In this configuration, copyright permissions that allow electronic documents to be distributed to students through Moodle should also apply to A.nnotate. Indeed, whereas Moodle generally requires the student to have access to a full electronic copy of the document for local viewing (which they could then redistribute or post on the web), it is possible to configure the A.nnotate server not to allow access to the original and to display only images of the pages. Thus it is possible to distribute content via A.nnotate in compliance with rather more stringent copyright regimes than is possible with Moodle.
Transferring files to A.nnotate
There are two security barriers in the connection between Moodle and A.nnotate: first to decide whether a particular document should be transferred out to A.nnotate; and second to decide whether a particular user should be allowed to see it on A.nnotate.
Once a document is in a user's account on A.nnotate they can either follow the link from Moodle to see it, or they can log into A.nnotate directly and see it from there without going via Moodle.
The process of checking permissions and transferring files implemented by the Annotate plugin is as follows:
- The user logs in to Moodle and views a page with the Annotate plugin enabled.
- The Annotate plugin adds a button next to each resource link in the page.
- The user clicks on an Annotate button.
- The Annotate plugin checks that the user is allowed to access the resource (using the same logic as applies if they click on the normal resource link).
- If the user is allowed access to the file, then the Annotate plugin creates a temporary file in the Moodle temp directory with a random key such as "4b52fc82f33ba" (generated by the PHP uniqid() function) for its name and containing details for accessing the resource.
- The plugin then opens a new window on the A.nnotate server passing it the address of the Moodle server, the resource details, the email address of the user on Moodle and the key it has just created.
- Depending on the plugin configuration, it may also pass in the email address for the A.nnotate server master user and the corresponding API key. These are used to automatically create accounts for new users if they do not already have A.nnotate accounts.
- If the A.nnotate server does not yet have the resource, then it calls back to the plugin on the Moodle server sending it the key and asking for the resource.
- The Annotate plugin checks whether the key matches one it just sent in the last 60 seconds, and if so, it serves the file to A.nnotate.
- The A.nnotate server receives and processes the file and redirects to the display page.
- If the file does not need transferring, A.nnotate grants access to the file to the current session and either prompts the user to log in, or, if the API details are supplied, logs them in automatically, creating an account if necessary. A.nnotate uses the email address supplied from Moodle as the user id, and generates a new random password that is sent to the user by email.
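The key handoff in the steps above (issue a key after the access check, honour the callback only within 60 seconds), as an added example that is not the Annotate plugin's own code. Function names, the record layout and the demo paths are assumptions; it swaps random_bytes() in for uniqid(), whose value is derived from the clock and is not cryptographically secure, and it makes each key single-use.

```php
<?php
// Added example, not the Annotate plugin's code. Function names, the JSON
// record layout and the demo directory are assumptions for illustration.
const KEY_TTL_SECONDS = 60; // the 60-second window from the steps above

// Run after the Moodle access check passes: store what the key unlocks.
function issue_transfer_key(string $dir, string $resource, string $email): string
{
    // Swapped in: random_bytes() rather than uniqid(), whose value is derived
    // from the clock and is not cryptographically secure.
    $key = bin2hex(random_bytes(16));
    $file = "$dir/annotate_$key";
    $record = ['resource' => $resource, 'email' => $email, 'issued' => time()];
    file_put_contents($file, json_encode($record), LOCK_EX);
    chmod($file, 0600);
    return $key;
}

// Run when the A.nnotate server calls back. Returns the resource to serve,
// or null for a malformed, unknown, already-used or expired key.
function redeem_transfer_key(string $dir, string $key, ?int $now = null): ?string
{
    // Strict format check: the key must never work as a path component.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $key)) {
        return null;
    }
    // rename() is atomic, so only one callback can claim a key (single use;
    // an assumption added here, the page only states the time window).
    $claimed = "$dir/annotate_$key.claimed";
    if (!@rename("$dir/annotate_$key", $claimed)) {
        return null;
    }
    $record = json_decode((string) file_get_contents($claimed), true);
    unlink($claimed);
    if (!is_array($record) || !isset($record['issued'], $record['resource'])) {
        return null;
    }
    $age = ($now ?? time()) - $record['issued'];
    return ($age >= 0 && $age <= KEY_TTL_SECONDS) ? $record['resource'] : null;
}

// Constructed demo data: paths and address are made up.
$dir = sys_get_temp_dir() . '/annotate_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$key = issue_transfer_key($dir, '/course/7/notes.pdf', 'student@example.edu');
var_dump(redeem_transfer_key($dir, $key));              // fresh key
var_dump(redeem_transfer_key($dir, $key));              // replayed key
$old = issue_transfer_key($dir, '/course/7/notes.pdf', 'student@example.edu');
var_dump(redeem_transfer_key($dir, $old, time() + 61)); // past the window
rmdir($dir);
```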
User details sent from Moodle to A.nnotate
The only user information the plugin sends to A.nnotate is the email address of the user and the location of the file they wish to view. It also sends the information entered on the Annotate plugin settings page.
The plugin settings page links to a diagnostics page which is also part of the plugin. This checks the connection to the A.nnotate server and reports any problems that are found. It has a text area and button at the bottom to allow this information to be sent to A.nnotate support (support @ nnotate.com) if further assistance is needed. In this case, the information that is sent is exactly what is on the page (the currently displayed text is encoded and sent via HTTP POST).
Removing access to files
The plugin can operate in two modes, according to the "Deduplicate" checkbox setting:
- With "Deduplicate" unchecked, each user gets an independent copy of the resource. This remains in their A.nnotate account irrespective of what happens on Moodle. Only the users themselves or the A.nnotate administrator can remove these files.
- With "Deduplicate" checked, each resource is only transferred once. It goes into the account of the A.nnotate master user (as configured on the A.nnotate server and in the plugin configuration). Each user gets a folder for storing notes on the resource, but only has a soft link to the resource itself. If the master user deletes the resource on A.nnotate, then other users lose access to the original document. They still have their own notes that they made on it, however.
In either case, removing the resource from Moodle does not change its status on A.nnotate. Students will not be able to access it from Moodle, but they will be able to log into their A.nnotate accounts and use it from there unless it is also removed on A.nnotate.