Moodle
  1. Moodle
  2. MDL-16549

Should not be able to remove moodle/site:doanything from the Administrator Role, or add it to other roles

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 1.9.2, 2.0
    • Fix Version/s: 2.0
    • Component/s: Roles / Access, Usability
    • Labels:
      None
    • Affected Branches:
      MOODLE_19_STABLE, MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE
    • Rank:
      34880

      Description

      It's crazy that you can edit the Administrator role. It's extremely dangerous and can lead the primary administrator to being locked out of their site. I can't think of a situation where (if you wanted a different administrator-like role) that you wouldn't create a new role or a copy of the administrator role. Additionally it should not be possible to unenrol the "primary" administrator from the administrator role.

        Issue Links

          Activity

          Howard Miller created issue -
          Hide
          Eloy Lafuente (stronk7) added a comment -

          My + 100 for this.

          Addressing for Moodle 2.0, assigning to Martin, for his consideration and adding some watchers.

          Show
          Eloy Lafuente (stronk7) added a comment - My + 100 for this. Addressing for Moodle 2.0, assigning to Martin, for his consideration and adding some watchers.
          Eloy Lafuente (stronk7) made changes -
          Field Original Value New Value
          Fix Version/s 2.0 [ 10122 ]
          Hide
          Eloy Lafuente (stronk7) added a comment -

          missed to assign it to Martin, doing it now.

          Show
          Eloy Lafuente (stronk7) added a comment - missed to assign it to Martin, doing it now.
          Eloy Lafuente (stronk7) made changes -
          Assignee Eloy Lafuente (stronk7) [ stronk7 ] Martin Dougiamas [ dougiamas ]
          Hide
          Howard Miller added a comment -

          If I was going to be even more outspoken about this, I think a little work is called for to establish what the options are for these "I locked myself out as administrator" and then some logic should be applied to the admin settings to actively stop you doing it. There are way too many reports in the forums along these lines.

          I actually don't think that any of the "standard" roles should have been editable, but I guess it's too late for that now.

          Show
          Howard Miller added a comment - If I was going to be even more outspoken about this, I think a little work is called for to establish what the options are for these "I locked myself out as administrator" and then some logic should be applied to the admin settings to actively stop you doing it. There are way too many reports in the forums along these lines. I actually don't think that any of the "standard" roles should have been editable, but I guess it's too late for that now.
          Hide
          Martín Langhoff added a comment -

          Maybe a fixup cli script could help?

          > I actually don't think that any of the "standard" roles should have been editable

          that'd be extreme - but admin's "doanything" should be untouchable.

          Show
          Martín Langhoff added a comment - Maybe a fixup cli script could help? > I actually don't think that any of the "standard" roles should have been editable that'd be extreme - but admin's "doanything" should be untouchable.
          Hide
          Petr Škoda added a comment -

          standard roles should be editable imo

          Show
          Petr Škoda added a comment - standard roles should be editable imo
          Hide
          Howard Miller added a comment -

          I'd concede the other roles, but no way should the Admin role be editable. If you want a variation create a copy and edit that. It's just too dangerous.

          I've been working on a script that seems to be helping people - http://cvs.moodle.org/contrib/tools/adminfix/

          Adding to this (see http://moodle.org/mod/forum/discuss.php?d=107139), the admin should not be able to change their own assignment rights either.

          There used to be a rule that you could play around with Moodle and always be able to undo what you did without any damage. I'd really like to see no more admin lock-outs reported in 2.0!

          Show
          Howard Miller added a comment - I'd concede the other roles, but no way should the Admin role be editable. If you want a variation create a copy and edit that. It's just too dangerous. I've been working on a script that seems to be helping people - http://cvs.moodle.org/contrib/tools/adminfix/ Adding to this (see http://moodle.org/mod/forum/discuss.php?d=107139 ), the admin should not be able to change their own assignment rights either. There used to be a rule that you could play around with Moodle and always be able to undo what you did without any damage. I'd really like to see no more admin lock-outs reported in 2.0!
          Hide
          Ron Meske added a comment -

          It would be much appreciated if a patch for previous versions was also made. Is that in the works?

          Show
          Ron Meske added a comment - It would be much appreciated if a patch for previous versions was also made. Is that in the works?
          Hide
          Howard Miller added a comment -

          Ron,

          I think it's still in the works what this might look like.

          I think some of the role configuration settings may also contribute to locking you out, so I need to do some further experimenting to get a definite proposal.

          Show
          Howard Miller added a comment - Ron, I think it's still in the works what this might look like. I think some of the role configuration settings may also contribute to locking you out, so I need to do some further experimenting to get a definite proposal.
          Ray Lawrence made changes -
          Link This issue will help resolve MDL-9879 [ MDL-9879 ]
          Hide
          Tim Hunt added a comment -

          Actually, perhaps a good solution would be to make it so that it is not possible to edit the permission associated with moodle/site:doanything. That way, admins would always have it, and you would not be able to give it to other roles.

          That seems like a sufficient solution to this issues, and a good idea in general. If people think that is a good idea, feel free to assign this bug to me.

          Show
          Tim Hunt added a comment - Actually, perhaps a good solution would be to make it so that it is not possible to edit the permission associated with moodle/site:doanything. That way, admins would always have it, and you would not be able to give it to other roles. That seems like a sufficient solution to this issues, and a good idea in general. If people think that is a good idea, feel free to assign this bug to me.
          Tim Hunt made changes -
          Assignee Martin Dougiamas [ dougiamas ] Tim Hunt [ timhunt ]
          Tim Hunt made changes -
          Summary Should not be able to edit the Administrator Role Should not be able to remove moodle/site:doanything from the Administrator Role, or add it to other roles
          Howard Miller made changes -
          Link This issue has a non-specific relationship to MDL-17061 [ MDL-17061 ]
          Tim Hunt made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Hide
          Tim Hunt added a comment -

          Actually, before this can be considered finished, we need a database upgrade that:

          1. Deleted any overrides relating to doanything
          2. Ensures that in the role definitions, we have doanything if and only if the role has legacy/admin.

          Show
          Tim Hunt added a comment - Actually, before this can be considered finished, we need a database upgrade that: 1. Deleted any overrides relating to doanything 2. Ensures that in the role definitions, we have doanything if and only if the role has legacy/admin.
          Tim Hunt made changes -
          Resolution Fixed [ 1 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          Hide
          Petr Škoda added a comment -

          1/ doanything was not overridable in 1.8.x, it was always tested first before any other cap test - I suppose it was not overridable - my +1 for removing override support for doanything from 2.0 if there
          2/ I do not like this idea - legacy admin should mean nothing, I always thought that the real admin should only have doanything and nothing else which eliminates the legacy admin completely

          Show
          Petr Škoda added a comment - 1/ doanything was not overridable in 1.8.x, it was always tested first before any other cap test - I suppose it was not overridable - my +1 for removing override support for doanything from 2.0 if there 2/ I do not like this idea - legacy admin should mean nothing, I always thought that the real admin should only have doanything and nothing else which eliminates the legacy admin completely
          Hide
          Petr Škoda added a comment -

          I suppose the main reason why people are so "creative" with doanything capability is that they try to workaround the problems with course:view - there is no easy way to let ppl enter and/or administer course in stealth mode (not being members of that course, visible by students) - so again, long standing entrolment trouble

          Show
          Petr Škoda added a comment - I suppose the main reason why people are so "creative" with doanything capability is that they try to workaround the problems with course:view - there is no easy way to let ppl enter and/or administer course in stealth mode (not being members of that course, visible by students) - so again, long standing entrolment trouble
          Hide
          Tim Hunt added a comment -

          Well, I agree that the whole legacy role type thing, as currently presented in the UI, does not make any sense. However, if you think of it just as a mechanism for initialising roles to sensible defaults, then it is not so bad. I guess that is how I think about it, which is why I think 2. is the best thing to do.

          Show
          Tim Hunt added a comment - Well, I agree that the whole legacy role type thing, as currently presented in the UI, does not make any sense. However, if you think of it just as a mechanism for initialising roles to sensible defaults, then it is not so bad. I guess that is how I think about it, which is why I think 2. is the best thing to do.
          Tim Hunt made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Martin Dougiamas made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Martin Dougiamas made changes -
          Workflow jira [ 28502 ] MDL Workflow [ 60912 ]
          Martin Dougiamas made changes -
          Workflow MDL Workflow [ 60912 ] MDL Full Workflow [ 90092 ]

            People

            • Votes:
              6 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: