Anonymous can access H5P regardless of CMS settings


Hello all,

I just wanted to get a sanity check: it appears that the h5p embed url is not affected by any CMS-level permissions.

I'm using Drupal. I have a content type called h5p, which has the h5p field. I can set the permissions for the h5p page to be viewable by only authenticated members.

However, this setting does not prevent someone from viewing the h5p by visiting the h5p embed path:[id]/embed

This means that the h5p is viewable if you know the ID or if you enumerate through IDs.

Am I missing something here? Is this the expected behaviour? Is this how it works on WP or Moodle as well?

Thanks for your time.

otacke's picture

Hi Yasin!

I think this is handled differently across integrations. On WordPress, you can disable the `embed` button separately. If you do, then the embed link has no power anymore. The H5P plugin for moodle doesn't have that option and inherits the settings for the course that the content is used in IIRC. And it may even be different in moodle's custom H5P integration. I guess it's possible that the Drupal doesn't handle this case yet.


Hey Oliver,

Thanks for the quick reply! After some time thinking about this, it is clear that this is the intended behaviour.

However, disabling the 'Embed' option in Drupal doesn't seem to have the same affect as in WP. With Embed disabled, the URL to the embed still works. It just seems to hide the embed link+modal.

I plan to take a more indepth look into this functionality some time, as I feel there are many use cases for sharing h5p only with logged in users or users of a given role, and so on.

Thanks again for your insight,


otacke's picture

I guess a pull request won't hurt :-)