Moodle / MDL-20683

security issue when enabling CFG->profilesforenrolledusersonly

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.9.6
    • Fix Version/s: 1.9.8
    • Component/s: General
    • Labels:
      None
    • Environment:
      any
    • Affected Branches:
      MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE

      Description

      Hello,

      In user/edit_form.php, in function definition_after_data(), I noticed a strange code inversion:

      // remove description
      if (empty($user->description) && !empty($CFG->profilesforenrolledusersonly) && !record_exists('role_assignments', 'userid', $userid)) {
          $mform->removeElement('description');
      }

      if ($user = get_record('user', 'id', $userid)) {
          // print picture

      Shouldn't the test empty($user->description) be after reading the user record?

      Cheers


          Activity

          Dan Poltawski added a comment -

          Thanks, I have fixed this in CVS.

          It's not a security issue as it just stops a user from editing their profile when not enrolled on a course (the admin can still do it).

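The ordering problem raised in this report, as an added example that is neither Moodle's code nor the fix that was committed. It assumes `$user` has not been assigned before the check runs; the function names, field list and sample data are hypothetical stand-ins.

```php
<?php
// Added illustration; every name here is a hypothetical stand-in, not Moodle code.
// Constructed sample data: one user with a stored description and no role assignment.
$users = [7 => (object)['id' => 7, 'description' => 'Visiting lecturer']];
$roleAssignments = [];   // userid => true when the user holds a role somewhere
$enrolledOnly = true;    // plays the part of $CFG->profilesforenrolledusersonly

// Stand-in for the user record lookup; returns false when the id is unknown.
function loadUser(array $users, int $userid) {
    return $users[$userid] ?? false;
}

// Order as reported. Assumption: $user is not set at this point, so
// empty($user->description) is always true and the stored value is never consulted.
function fieldsCheckBeforeLoad(array $users, array $roles, bool $flag, int $userid): array {
    $fields = ['description', 'picture'];
    if (empty($user->description) && $flag && !isset($roles[$userid])) {
        $fields = array_values(array_diff($fields, ['description']));
    }
    if ($user = loadUser($users, $userid)) {
        // picture handling would follow here
    }
    return $fields;
}

// Order the reporter suggests: read the record first, then test its description.
function fieldsCheckAfterLoad(array $users, array $roles, bool $flag, int $userid): array {
    $fields = ['description', 'picture'];
    if ($user = loadUser($users, $userid)) {
        if (empty($user->description) && $flag && !isset($roles[$userid])) {
            $fields = array_values(array_diff($fields, ['description']));
        }
    }
    return $fields;
}

// Print the form fields each ordering leaves for the same non-enrolled user.
echo 'check before load: ', implode(', ', fieldsCheckBeforeLoad($users, $roleAssignments, $enrolledOnly, 7)), "\n";
echo 'check after load:  ', implode(', ', fieldsCheckAfterLoad($users, $roleAssignments, $enrolledOnly, 7)), "\n";
```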

            People

            • Votes: 0
            • Watchers: 1
