Moodle

security issue when enabling CFG->profilesforenrolledusersonly

Details

  • Type: Bug
  • Status: Closed
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: 1.9.6
  • Fix Version/s: 1.9.8
  • Component/s: General
  • Labels: None
  • Environment: any
  • Affected Branches: MOODLE_19_STABLE
  • Fixed Branches: MOODLE_19_STABLE

Description

Hello,

In user/edit_form.php, in function definition_after_data(), I noticed a strange code inversion:

    // remove description
    if (empty($user->description) && !empty($CFG->profilesforenrolledusersonly) && !record_exists('role_assignments', 'userid', $userid)) {
        $mform->removeElement('description');
    }

    if ($user = get_record('user', 'id', $userid)) {

        // print picture

Shouldn't the test empty($user->description) be after reading the user record?

Cheers
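As an added illustration (not code from this tracker entry or from the Moodle source), a reduced PHP model of the two statement orders: the Moodle helpers get_record() and record_exists(), the form object and the database rows are replaced by hypothetical stand-ins over constructed sample data, so the effect of the inversion can be run and seen directly.

```php
<?php
// Added illustration, not Moodle's code: a reduced model of the
// definition_after_data() logic from user/edit_form.php, with the
// Moodle DB helpers replaced by hypothetical stand-ins over
// constructed sample rows, to show why statement order matters.

// Constructed rows standing in for the 'user' and 'role_assignments' tables.
$USERS = [
    7 => (object) ['id' => 7, 'description' => 'I teach maths.'],
    8 => (object) ['id' => 8, 'description' => ''],
];
$ROLE_ASSIGNMENTS = [];  // neither user is enrolled anywhere

function get_record_stub(int $userid) {
    global $USERS;
    return $USERS[$userid] ?? false;       // false when no row, like get_record()
}

function record_exists_stub(int $userid): bool {
    global $ROLE_ASSIGNMENTS;
    return isset($ROLE_ASSIGNMENTS[$userid]);
}

// Order as reported: $user is not loaded yet, so empty($user->description)
// is always true and the element disappears for every unenrolled user
// once $CFG->profilesforenrolledusersonly is set.
function removes_description_reported(int $userid, bool $enrolled_only): bool {
    $user = null;
    $remove = empty($user->description) && $enrolled_only && !record_exists_stub($userid);
    $user = get_record_stub($userid);      // loaded too late to influence $remove
    return $remove;
}

// Fixed order: load the record first, then inspect its description, so an
// unenrolled user who already has a description can still edit it.
function removes_description_fixed(int $userid, bool $enrolled_only): bool {
    $user = get_record_stub($userid);
    return empty($user->description) && $enrolled_only && !record_exists_stub($userid);
}

// User 7 has a description, user 8 does not; both are unenrolled.
foreach ([7, 8] as $id) {
    printf("user %d: reported=%s fixed=%s\n", $id,
        var_export(removes_description_reported($id, true), true),
        var_export(removes_description_fixed($id, true), true));
}
```

Only user 7 differs between the two orders, which is exactly the case the comment below describes: an unenrolled user locked out of editing an existing profile description.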

Activity

Dan Poltawski added a comment -

Thanks, I have fixed this in CVS.

It's not a security issue, as it just stops a user from editing their profile when not enrolled on a course (the admin can still do it).
