Moodle tracker: MDL-19748

edit tags capability for authenticated user as default allows spam/vandalism opportunity


    Details

    • Testing Instructions:

      On a freshly installed Moodle:

      1. As user1, write a blog post and add a tag to it.
      2. As a manager, view user1's post, click on the tag and make sure you can edit it.
      3. As user2, view user1's post, click on the tag and make sure you are not able to edit it.
    • Affected Branches:
      MOODLE_19_STABLE, MOODLE_30_STABLE
    • Fixed Branches:
      MOODLE_30_STABLE
    • Pull Master Branch:
      wip-MDL-19748-master

      Description

      It appears to me as though the edit tags capability is allowed by default for the authenticated user role. I have been doing some testing with a friend, and we were both able to edit the twitter page (generated from twitter interest on profile) at will on moodle.org. http://moodle.org/tag/edit.php?tag=twitter

      Our own instance is set up similarly, so this must be in all versions of 1.9.x

      While this might not have been reported as a security risk (I tend to see it as vandalism/nuisance), it is certainly an opportunity for users to add unwanted content.

      While I believe that users should be able to add interest tags (otherwise, how would you ever create self-organizing groups?), I doubt the wisdom of leaving an open and editable text box out there for anyone on the system (even systems that do not use self-authentication). This is complicated, as the tags are used in quite a few contexts, so I will content myself with alerting you to the spam issue.
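The following PHP sketch is added here for illustration; it is not Moodle's own code and not the patch committed for this issue. It shows, side by side, the shape of a db/access.php capability declaration that grants moodle/tag:edit to the 'user' archetype (the default the reporter describes, which reaches every authenticated user) and one that leaves that grant out, plus the gate the tag edit page must apply for the declaration to matter at all, and a check that mirrors the three accounts in the testing instructions. The capability name moodle/tag:edit, the archetype names and the Moodle API calls (require_login, isguestuser, require_capability, has_capability, context_system::instance) are assumed from Moodle's public capability API; the variable names $capabilities_weak and $capabilities_hardened, the functions require_tag_edit_access() and who_can_edit_tags(), and the user ids passed to it are hypothetical.

```php
<?php
// Illustrative sketch added to this page: not Moodle's own code and not the
// MDL-19748 fix. Assumes Moodle's capability API (has_capability(),
// require_capability(), context_system::instance()) and the declaration
// format used in db/access.php.
require_once(__DIR__ . '/config.php');   // assumed: file lives in a Moodle dirroot

// 1. Weak default: the 'user' archetype (every authenticated user) is granted
//    moodle/tag:edit, so anyone who can log in may rewrite any tag's
//    description. This is the situation the report describes.
$capabilities_weak = array(
    'moodle/tag:edit' => array(
        'riskbitmask'  => RISK_SPAM,      // declares the spam/vandalism risk
        'captype'      => 'write',
        'contextlevel' => CONTEXT_SYSTEM,  // tags are site-wide, not per course
        'archetypes'   => array(
            'manager' => CAP_ALLOW,
            'user'    => CAP_ALLOW,        // the grant that opens the text box to everyone
        ),
    ),
);

// 2. Hardened default: only the manager archetype gets it; any other role
//    has to be granted the capability explicitly by an administrator.
$capabilities_hardened = array(
    'moodle/tag:edit' => array(
        'riskbitmask'  => RISK_SPAM,
        'captype'      => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'archetypes'   => array(
            'manager' => CAP_ALLOW,
        ),
    ),
);

// 3. The gate on the edit page. Tightening access.php achieves nothing unless
//    the page that writes the tag requires the capability, and requires it in
//    the system context (the level the capability is declared at).
function require_tag_edit_access() {
    require_login();
    if (isguestuser()) {
        print_error('noguest');
    }
    require_capability('moodle/tag:edit', context_system::instance());
}

// 4. Check that mirrors the testing instructions. $users maps a label such as
//    'manager', 'user1' or 'user2' to a user id; each id is asked whether it
//    holds moodle/tag:edit in the system context.
function who_can_edit_tags(array $users) {
    $systemcontext = context_system::instance();
    $result = array();
    foreach ($users as $label => $userid) {
        $result[$label] = has_capability('moodle/tag:edit', $systemcontext, $userid);
    }
    return $result;
}

// Example call with hypothetical user ids (3 = manager, 4 = user1, 5 = user2).
$access = who_can_edit_tags(array('manager' => 3, 'user1' => 4, 'user2' => 5));
```

With the hardened declaration installed, the testing instructions above expect the 'manager' entry to come back true and the 'user2' entry false; with the weak declaration every authenticated user passes the check, which is exactly the editable text box the reporter objects to. Note that the check in step 3 has to run in the system context: checking a course or user context would consult role assignments that have nothing to do with where the capability is declared.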

        People

        • Votes: 5
        • Watchers: 8

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  16/Nov/15