Moodle tracker issue MDL-19748

edit tags capability for authenticated user as default allows spam/vandalism opportunity


Affects versions: MOODLE_19_STABLE, MOODLE_30_STABLE
Fix version: MOODLE_30_STABLE
Branch: wip-MDL-19748-master
Testing instructions

On a freshly installed Moodle:

1. As user1, blog something and add a tag to the blog post.
2. As manager, view user1's post, click on the tag and make sure you can edit it.
3. As user2, view user1's post, click on the tag and make sure you are not able to edit it.

It appears to me as though the edit tags capability is allowed by default for the authenticated user role. I have been doing some testing with a friend, and we were both able to edit the Twitter page (generated from the Twitter interest on a profile) at will on moodle.org. http://moodle.org/tag/edit.php?tag=twitter

Our own instance is set up similarly, so this must be in all versions of 1.9.x.

      While this might not have been reported as a security risk (I tend to see it as vandalism/nuisance), it is certainly an opportunity for users to add unwanted content.

      While I believe that users should be able to add interest tags (otherwise, how would you ever create self-organizing groups?), I doubt the wisdom of leaving an open and editable text box out there for anyone on the system (even systems that do not use self-authentication). This is complicated, as the tags are used in quite a few contexts, so I will content myself with alerting you to the spam issue.
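The check that the testing instructions perform by hand, as an added CLI script that is not part of this issue or of Moodle core: it lists which roles are explicitly allowed the tag-edit capability at the system context and, with `--fix`, sets the authenticated user and guest roles to Prevent. It assumes a Moodle 3.x checkout, that the capability the report calls "edit tags" is `moodle/tag:edit`, and that the file is placed under `admin/cli/`.

```php
<?php
// Added audit script (not from the issue or Moodle core). Assumes Moodle 3.x and
// that "the edit tags capability" in the report is moodle/tag:edit.
// Save as admin/cli/audit_tag_edit.php and run: php admin/cli/audit_tag_edit.php [--fix]
define('CLI_SCRIPT', true);
require(__DIR__ . '/../../config.php');
require_once($CFG->libdir . '/clilib.php');

list($options, $unrecognized) = cli_get_params(array('fix' => false), array('f' => 'fix'));

$capability = 'moodle/tag:edit';
$syscontext = context_system::instance();

// Roles that should not hold this capability site-wide according to the report:
// every authenticated user ('user') and guests ('guest'). Managers keep it.
$untrusted = array('user', 'guest');

// Roles explicitly allowed the capability at the system context (role definitions).
$allowed = get_roles_with_capability($capability, CAP_ALLOW, $syscontext);

$problems = 0;
foreach ($allowed as $role) {
    if (!in_array($role->shortname, $untrusted, true)) {
        cli_writeln("ok   : role '{$role->shortname}' may edit tags (expected)");
        continue;
    }
    $problems++;
    cli_writeln("ALERT: role '{$role->shortname}' is allowed {$capability} at system level");
    if ($options['fix']) {
        // Prevent rather than Not set, so the role definition is explicit about it.
        // Overrides in lower contexts can still allow it; CAP_PROHIBIT would block those too.
        role_change_permission($role->id, $syscontext, $capability, CAP_PREVENT);
        cli_writeln("       -> set to PREVENT for role '{$role->shortname}'");
    }
}

if ($problems === 0) {
    cli_writeln("No untrusted role is allowed {$capability}; nothing to do.");
} else if (!$options['fix']) {
    cli_writeln("Re-run with --fix to set those roles to PREVENT.");
}
exit(($problems === 0 || $options['fix']) ? 0 : 1);
```

The script exits non-zero when an untrusted role is allowed the capability and `--fix` was not given, so it can run from a scheduled job or a configuration check after each upgrade.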

People: Marina Glancy; A. T. Wyatt; Simey Lameze; Eloy Lafuente (stronk7); Frédéric Massart