Moodle: MDL-20683

security issue when enabling CFG->profilesforenrolledusersonly

Details

• Type: Bug
• Status: Closed
• Priority: Minor
• Resolution: Fixed
• Affects Version/s: 1.9.6
• Fix Version/s: 1.9.8
• Component/s: General
• Labels: None
• Environment: any
• Affected Branches: MOODLE_19_STABLE
• Fixed Branches: MOODLE_19_STABLE

Description

Hello,

in user/edit_form.php in function definition_after_data() I noticed a strange code inversion:

    // remove description
    if (empty($user->description) && !empty($CFG->profilesforenrolledusersonly) && !record_exists('role_assignments', 'userid', $userid)) {
        $mform->removeElement('description');
    }

    if ($user = get_record('user', 'id', $userid)) {
        // print picture

Shouldn't the test empty($user->description) be after reading the user record?

Cheers
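The ordering defect the report points at, as an added example that is not the tracker's or Moodle's own code: `$db`, `FakeForm`, `reported_order()` and `loaded_first()` are assumptions standing in for Moodle's `get_record()`, `record_exists()` and `$mform`.

```php
<?php
// Added illustration, not Moodle's code: $db, FakeForm and the two helper
// functions are constructed stand-ins for the `user` and `role_assignments`
// tables read through get_record()/record_exists(), and for $mform.
$db = [
    'user'             => [7 => (object)['id' => 7, 'description' => 'I teach maths.']],
    'role_assignments' => [],   // user 7 holds no role, i.e. is not enrolled anywhere
];
$CFG = (object)['profilesforenrolledusersonly' => 1];
function get_record($db, $table, $id) { return $db[$table][$id] ?? false; }

function record_exists($db, $table, $userid) {
    foreach ($db[$table] as $row) {
        if ($row->userid == $userid) { return true; }
    }
    return false;
}
// Only tracks which form elements are still present.
class FakeForm {
    public $elements = ['description' => true, 'picture' => true];
    public function removeElement($name) { unset($this->elements[$name]); }
}

// The order from the report: $user is tested before it is loaded. empty() on an
// undefined variable is true and raises no notice, so the description clause
// never protects a user whose record already carries a description.
function reported_order($db, $CFG, $userid) {
    $mform = new FakeForm();
    if (empty($user->description) && !empty($CFG->profilesforenrolledusersonly)
            && !record_exists($db, 'role_assignments', $userid)) {
        $mform->removeElement('description');
    }
    $user = get_record($db, 'user', $userid);   // loaded only now
    return isset($mform->elements['description']);
}

// Load the record first, then test its description field.
function loaded_first($db, $CFG, $userid) {
    $mform = new FakeForm();
    if ($user = get_record($db, 'user', $userid)) {
        if (empty($user->description) && !empty($CFG->profilesforenrolledusersonly)
                && !record_exists($db, 'role_assignments', $userid)) {
            $mform->removeElement('description');
        }
    }
    return isset($mform->elements['description']);
}

// Does user 7's description element survive under each ordering?
var_dump(reported_order($db, $CFG, 7), loaded_first($db, $CFG, 7));
```

With the check ahead of the load, `empty()` on the still-undefined `$user` is true without any notice, so the element is removed for an unenrolled user even when their record already holds a description; loading the record first keeps it.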

Activity
Dan Poltawski (poltawski) added a comment:

            Thanks, I have fixed this in CVS.

It's not a security issue as it just stops a user from editing their profile when not enrolled on a course (the admin can still do it).

Dates

• Fix Release Date: 25/Mar/10