Moodle

Forums with restricted access have subscribers without appropriate rights

Details

  • Type: Bug
  • Status: Closed
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: 1.9.1
  • Fix Version/s: 1.9.3
  • Component/s: Forum
  • Labels:
    None

Description

The Using Moodle teacher forum has non-teacher subscribers:

http://moodle.org/mod/forum/subscribers.php?id=21

I don't know exactly when non-teachers became subscribed to the teacher forum, only that when I last checked in 2007, there were no non-teacher subscribers.

The moderator forum, available for moderator group members only, has non-moderator subscribers too now:

http://moodle.org/mod/forum/subscribers.php?id=1018

The Moderator forum was created four days ago.

Activity

Helen Foster added a comment -

Increasing the security level, as another forum with restricted access is found to be affected.

Helen Foster added a comment -

Changed from an MDLSITE issue to an MDL issue, as I've reproduced the problem locally.

Users without appropriate rights become subscribed to restricted access forums by using the "Subscribe to all forums" link.

Eloy Lafuente (stronk7) added a comment -

Yu, confirmed!

Yesterday I was reviewing the Spanish Teachers forum and I saw more than 20 users (non-teachers) subscribed. And the forum has been hidden for ages. So something is failing there.

Ciao

Martin Dougiamas added a comment -

DongSheng can you examine this?

Eloy Lafuente (stronk7) added a comment -

Raising this to critical and addressing for 1.9.2.

Petr Škoda (skodak) added a comment -

Excuse me, why is this marked as a critical+serious security issue? Those users do not get any email notifications, right?

Dongsheng Cai added a comment -

Eloy, can you tell me how to reproduce this bug? I cannot access that page.

Helen Foster added a comment -

Hi Dongsheng,

Here are some steps to reproduce the bug:

1. Create a hidden forum in a course
2. Login as a student and enrol in the course
3. Follow the "Subscribe to all forums" link at the top right of the forums index page
4. Login as an admin or teacher and check the list of subscribers to the hidden forum

Expected result:

Students cannot subscribe to hidden forums.

Actual result:

The student is subscribed to the hidden forum.

PS Petr, sorry I've no idea whether users receive emails of forum posts. Please feel free to reduce the security level of this issue if not.

Petr Škoda (skodak) added a comment -

The access control is implemented separately in forum cron; if the user cannot see the forum, nothing gets mailed - that was part of the change that fixed the mailing to users that were not enrolled. I did not test it, I just reviewed the code and it seems OK.

Going to work more on this after the File API Milestone3...

Helen Foster added a comment -

Thanks Petr, reducing the priority and security level based on your comments...

Dongsheng Cai added a comment -

Helen, did you override the capability of mod/forum:viewdiscussion to hide the forum?
If so, the attached patch can fix this bug...

Helen Foster added a comment -

There were no overrides set - it was just set to hide in the common module settings.

Dongsheng Cai added a comment -

Helen, is the setting in "Updating: Forum" page? I cannot find it.

Helen Foster added a comment -

Yes, that's right, it's in the updating forum page. You can also hide the forum (or any other activity) from the course page when editing is turned on by clicking the eye icon.

Dongsheng Cai added a comment -

It should be OK now: when the forum is invisible, only users with the 'mod/forum:managesubscriptions' capability can subscribe to the forum. Please review, thanks.

Helen Foster added a comment -

Thanks Dongsheng, things seem to be working fine now.

Joseph Rézeau added a comment -

Well, the bug has been fixed, but in the latest version 1.9.2, just downloaded today (with debug mode ON), when a student clicks on "Subscribe to all forums" and there exists in the course a forum which the student cannot subscribe to, this triggers the following error messages:
Notice : Undefined property: object::$path i C:\Program Files\xampp\htdocs\moodle19dev\moodle\lib\accesslib.php on line 381
Notice : Undefined property: object::$contextlevel C:\Program Files\xampp\htdocs\moodle19dev\moodle\lib\accesslib.php on line 452
Notice : Undefined property: object::$path i C:\Program Files\xampp\htdocs\moodle19dev\moodle\lib\accesslib.php on line 381
Notice : Undefined property: object::$contextlevel C:\Program Files\xampp\htdocs\moodle19dev\moodle\lib\accesslib.php on line 452

All forums in CF101 are subscribed.
( Continue )
Joseph

Dan Poltawski added a comment -

Hi, I'm afraid this fix was broken and introduced a regression, see: MDL-17961

has_capability was not being called on a valid context..
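
The rule this thread arrives at (a hidden forum accepts subscriptions only from users holding 'mod/forum:managesubscriptions', with the capability evaluated against a valid context) is shown below as a standalone PHP model. It is an added example, not Moodle's code or the attached patch; the function names, context strings and sample data are all hypothetical.

```php
<?php
// Standalone model for illustration; every name here is hypothetical, not Moodle's API.
// Constructed sample data. 'visible' models the "hide" setting from the thread;
// a null 'context' models a forum whose context could not be resolved.
$forums = [
    ['id' => 1, 'visible' => true,  'context' => 'ctx-1'],
    ['id' => 2, 'visible' => false, 'context' => 'ctx-2'],
    ['id' => 3, 'visible' => false, 'context' => null],
];
// Constructed grants: user => context => capabilities.
$grants = ['teacher' => ['ctx-2' => ['mod/forum:managesubscriptions']], 'student' => []];

function has_cap(array $grants, string $user, string $cap, ?string $context): bool {
    if ($context === null) {
        return false; // no valid context: deny instead of reading missing fields
    }
    return in_array($cap, $grants[$user][$context] ?? [], true);
}

// Rule stated in the thread: a hidden forum accepts subscriptions only from
// users holding mod/forum:managesubscriptions.
function may_subscribe(array $grants, string $user, array $forum): bool {
    return $forum['visible']
        || has_cap($grants, $user, 'mod/forum:managesubscriptions', $forum['context']);
}

// Bulk "subscribe to all" with the check applied to each forum, not once per course.
function subscribe_all(array $grants, string $user, array $forums): array {
    $ok = array_filter($forums, fn($f) => may_subscribe($grants, $user, $f));
    return array_column($ok, 'id');
}

// Audit of existing rows: [forum id, user] pairs that fail the rule today.
function audit(array $grants, array $forums, array $subs): array {
    $bad = [];
    foreach ($forums as $forum) {
        foreach ($subs[$forum['id']] ?? [] as $user) {
            if (!may_subscribe($grants, $user, $forum)) {
                $bad[] = [$forum['id'], $user];
            }
        }
    }
    return $bad;
}

var_dump(subscribe_all($grants, 'student', $forums) === [1]);
var_dump(subscribe_all($grants, 'teacher', $forums) === [1, 2]);
var_dump(audit($grants, $forums, [2 => ['teacher', 'student']]) === [[2, 'student']]);
```

The `audit` function automates what step 4 of the reproduction does by hand: it lists subscribers of a hidden forum who do not pass the subscription rule.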


Dates

  • Created:
    Updated:
    Resolved: