Feature Wiki
Tabs
Check permissions when sending mails to course or group members
1 Requirements
Currently (in ILIAS v4.3) it is possible as a common user with no special rights to send mails to a course or group member list, even if the user is not a member of the course/group.
This can cause abuse up to sending spam when a user guesses the course/group addressee name via the id (e.g. #il_crs_member_12345) or the name (e.g. #member@Examplecourse) or when (s)he knows it by an old mail when (s)he has left the course/group for some reasons.
Conditions, which should be checked, when a user wants to send a mail to the members of a course:
The user has to be a member, tutor or admin of the course.
If the user is only a member of the course (not a tutor and not an admin),
the course should be setted "online" and
the setting "Show Members" should be setted for the course.
Conditions, which should be checked, when a user wants to send a mail to the members of a group:
The user has to be a member or admin of the group.
If these conditions do not fit the mail should be blocked with a meaningful error message.
This feature request is related to the Mantis Problem Report #0009959.
2 Additional Information
- Idea / concept: Mirco Hilbert / Mirco.Hilbert@HRZ.Uni-Giessen.de
- Funding: Required
- Maintainer: Michael Jansen (Mail), Stefan Meyer (Permission System and Course/Groups)
- Development: Feature is to be developed by tbd
- Test cases by:
3 Discussion
JF 2 Sep 2013: We would currently prefer to add an additional permission "Send Mails to Local Roles". If a user has this permission for a given object, s/he can write mails to all roles defined locally for this object.
This would be a simple approach that would work the same in groups, courses and categories.
The only question is, if the user additionally needs one of the permissions read/write/edit_permission. This would solve the online/offline issue.
The new permission should be introduced for all object types that commonly use local roles: Category, Group, Course, Folder, Forum, Blog, Organizational Units, Chat.
We schedule the topic for ILIAS 4.5.
Mirco Hilbert, 14.05.2014:
The new feature in ILIAS 4.4 to Deactivate Mail to Members in Course Settings and Group Settings goes in the right direction.
Nevertheless it is still possible for any course/group member to send a mail to all course/group members - independent whether the above mentioned option is set or not - when using the ILIAS mail function, knowing the name or id of the course/group.
Is this now a bug or still a missing feature?
Even for users that are no members of a course/group sending a mail to all course/group members is still possible.
Following the new situation in ILIAS 4.4 I will adapt our requirement specification:
Conditions, which should be checked, when a user wants to send a mail to the members of a course:
The user has to be a member, tutor or admin of the course.
If the user is only a member of the course (not a tutor and not an admin),
the course should be setted "online" and
the setting "Mail to Members" should be setted to "For all Participants". (changed)
Conditions, which should be checked, when a user wants to send a mail to the members of a group:
The user has to be a member or admin of the group.
If the user is only a member of the group (not an admin),
the setting "Mail to Members" should be setted to "For all Participants". (added)
If these conditions do not fit the mail should be blocked with a meaningful error message.
If the suggested role-based implementation fits these requirements, it's okay.
A problem might be that in courses/groups you have a special constellation of different roles (admin, tutor and member) which depend on each other and act together.
JF 26 May 2014:
- To be able to send a mail to any local role of an object the user needs "Read" and "Send mails to local roles".
- The setting "Mail to Members" in groups/courses is set to "All Participants", if the member role has the "Send mails to local roles" permission. This means the setting reflects and sets the permission for members directly.
Feature has not been implemented in 5.0 but postponed.
Kunkel, Matthias [mkunkel], September 28, 2015: We set this feature request on the 5.2 suggestion list. Please see also Mantis bug reports: http://www.ilias.de/mantis/view.php?id=15380 and http://www.ilias.de/mantis/view.php?id=9959.
Zenzen, Enrico [ezenzen], 04 AUG 2022: This request no longer fulfills the requirements of the Feature Wiki. In consultation with the maintainer I change the status of the feature request to "Redundant / outdated". If the request is still relevant, please update template and mockups.
4 Implementation
...
Last edited: 4. Aug 2022, 09:03, Zenzen, Enrico [ezenzen]