- Improvement
- Resolution: Fixed
- Minor
- 1.9.4, 3.0
- all
- MOODLE_19_STABLE, MOODLE_30_STABLE
- MOODLE_30_STABLE
- wip-MDL-19748-master

It appears to me as though the edit tags capability is allowed by default for the authenticated user role. I have been doing some testing with a friend, and we were both able to edit the twitter page (generated from twitter interest on profile) at will on moodle.org. http://moodle.org/tag/edit.php?tag=twitter
Our own instance is set up similarly, so this must be in all versions of 1.9.x.
While this might not have been reported as a security risk (I tend to see it as vandalism/nuisance), it is certainly an opportunity for users to add unwanted content.
While I believe that users should be able to add interest tags (otherwise, how would you ever create self-organizing groups?), I doubt the wisdom of leaving an open and editable text box out there for anyone on the system (even systems that do not use self-authentication). This is complicated, as the tags are used in quite a few contexts, so I will content myself with alerting you to the spam issue.

- has a non-specific relationship to: MDLSITE-3801 Any authenticated user can edit tags (Resolved)
- has been marked as being related by: MDL-14150 Split edit tag and manage tag capabilities better (Closed)
- will be (partly) resolved by: MDL-15471 Course tags improvements (Closed)