Moodle tracker issue MDL-19748

edit tags capability for authenticated user as default allows spam/vandalism opportunity


Details

    • Affects versions: MOODLE_19_STABLE, MOODLE_30_STABLE
    • Fix version: MOODLE_30_STABLE
    • Pull master branch: wip-MDL-19748-master
    • Testing instructions:

      On a freshly installed Moodle:

      1. As user1, post a blog entry and add a tag to it.
      2. As manager, view user1's post, click on the tag and make sure you can edit it.
      3. As user2, view user1's post, click on the tag and make sure you are not able to edit it.

    Description

      It appears to me as though the edit tags capability is allowed by default for the authenticated user role. I have been doing some testing with a friend, and we were both able to edit the twitter page (generated from twitter interest on profile) at will on moodle.org. http://moodle.org/tag/edit.php?tag=twitter

      Our own instance is set up similarly, so this must be in all versions of 1.9.x

      While this might not have been reported as a security risk (I tend to see it as vandalism/nuisance), it is certainly an opportunity for users to add unwanted content.

      While I believe that users should be able to add interest tags (otherwise, how would you ever create self-organizing groups?), I doubt the wisdom of leaving an open and editable text box out there for anyone on the system (even systems that do not use self-authentication). This is complicated, as the tags are used in quite a few contexts, so I will content myself with alerting you to the spam issue.
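      The following is an added example by the editor, not code from the Moodle project or from this report. It is a stand-alone model of how Moodle resolves a capability such as moodle/tag:edit from role archetype defaults, contrasting the default the report describes (every authenticated user may edit a tag) with a least-privilege default (managers only), and it walks the three users from the testing instructions through the check. The constants, the two archetype arrays, the userHasCapability()/tryEditTag() helpers and the sample users are constructed for the example; Moodle's real definitions live in lib/db/access.php and are enforced with has_capability()/require_capability().

```php
<?php
// Added example (editor's illustration, not Moodle's code): a minimal model of
// Moodle-style capability resolution from role archetype defaults.
// CAP_INHERIT (0) means "no opinion", CAP_PREVENT overrides CAP_ALLOW.

const CAP_ALLOW = 1;
const CAP_PREVENT = -1;

// Assumed shape of the default described in the report: every authenticated
// user (the 'user' archetype) is allowed to edit any tag's description.
$tagEditWeak = [
    'captype'    => 'write',
    'archetypes' => [
        'user'    => CAP_ALLOW,
        'manager' => CAP_ALLOW,
    ],
];

// Least-privilege default: only managers edit the shared tag description.
$tagEditHardened = [
    'captype'    => 'write',
    'archetypes' => [
        'manager' => CAP_ALLOW,
    ],
];

/**
 * Resolve whether a user holding the given roles (by archetype name) is
 * granted the capability. Simplified to one context: CAP_PREVENT on any
 * role denies, CAP_ALLOW on any role grants, roles with no entry inherit.
 */
function userHasCapability(array $capability, array $userRoles): bool
{
    $allowed = false;
    foreach ($userRoles as $role) {
        $perm = $capability['archetypes'][$role] ?? 0;
        if ($perm === CAP_PREVENT) {
            return false;
        }
        if ($perm === CAP_ALLOW) {
            $allowed = true;
        }
    }
    return $allowed;
}

/** Gate the tag edit action the way a page-level require_capability() would. */
function tryEditTag(string $who, array $roles, array $capability, string $tag): string
{
    if (!userHasCapability($capability, $roles)) {
        return "$who: editing tag '$tag' denied (no moodle/tag:edit)";
    }
    return "$who: editing tag '$tag' allowed";
}

// Constructed sample users mirroring the testing instructions: the blog
// author, a second ordinary user, and a manager. Every logged-in user
// holds the 'user' archetype; the manager additionally holds 'manager'.
$users = [
    'user1'   => ['user'],
    'user2'   => ['user'],
    'manager' => ['user', 'manager'],
];

$defaults = [
    'weak default'     => $tagEditWeak,
    'hardened default' => $tagEditHardened,
];

foreach ($defaults as $label => $capability) {
    echo "== $label ==\n";
    foreach ($users as $name => $roles) {
        echo tryEditTag($name, $roles, $capability, 'twitter'), "\n";
    }
}
```

      Run with `php` on the command line. Under the weak default all three users pass the gate, which is the vandalism opportunity the report describes; under the hardened default user1 and user2 are denied and only the manager passes, which is the outcome the testing instructions check for. In a real Moodle site the equivalent change is made in the capability's archetype defaults and in the role definitions of existing sites, not by editing the tag page itself.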


              People

              Marina Glancy (marina), A. T. Wyatt (awyatt), Simey Lameze, Eloy Lafuente (stronk7), Frédéric Massart, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
              Votes: 5
              Watchers: 8

              Dates

                Resolved: 16/Nov/15