Moodle / MDL-20683

security issue when enabling CFG->profilesforenrolledusersonly

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.9.6
    • Fix Version/s: 1.9.8
    • Component/s: General
    • Labels: None
    • Environment: any
    • Affected Branches: MOODLE_19_STABLE
    • Fixed Branches: MOODLE_19_STABLE
    • Rank: 31894

      Description

      Hello,

      in user/edit_form.php, in function definition_after_data(), I noticed a strange code inversion:

      // remove description
      if (empty($user->description) && !empty($CFG->profilesforenrolledusersonly) && !record_exists('role_assignments', 'userid', $userid)) {
          $mform->removeElement('description');
      }

      if ($user = get_record('user', 'id', $userid)) {

          // print picture

      Shouldn't the test empty($user->description) be after reading the user record?

      Cheers

        Activity

        Dan Poltawski added a comment -

        Thanks, I have fixed this in CVS.

        It's not a security issue, as it just stops a user from editing their profile when not enrolled on a course (the admin can still do it).
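
The ordering problem reported in this issue, as a stand-alone PHP script (an added example, not Moodle's code and not the fix committed to CVS). The `*_stub` helpers, function names and user row are constructed stand-ins for `get_record()` and `record_exists()`, and the script assumes `$user` is not set before the check, as the report implies.

```php
<?php
// Added illustration, not Moodle code. Stand-ins replace get_record() and
// record_exists(); the user row below is constructed sample data.
function get_record_stub(int $userid) {
    $users = [7 => ['id' => 7, 'description' => 'Existing bio']];
    return isset($users[$userid]) ? (object) $users[$userid] : false;
}

function has_role_stub(array $roleuserids, int $userid): bool {
    return in_array($userid, $roleuserids, true);
}

// Order quoted in the report: $user is tested before it has been loaded.
function removes_description_reported(bool $enrolledonly, array $roleuserids, int $userid): bool {
    // Assumption: $user is not set yet. empty() raises no notice for an
    // undefined variable, so this operand is true for every user.
    $remove = empty($user->description) && $enrolledonly
        && !has_role_stub($roleuserids, $userid);
    $user = get_record_stub($userid); // loaded too late to affect the check
    return $remove;
}

// Order the reporter proposes: read the record first, then test it.
function removes_description_proposed(bool $enrolledonly, array $roleuserids, int $userid): bool {
    $user = get_record_stub($userid);
    return empty($user->description) && $enrolledonly
        && !has_role_stub($roleuserids, $userid);
}

// Each case: [profilesforenrolledusersonly, user ids holding a role]
$cases = [[true, []], [true, [7]], [false, []]];
foreach ($cases as [$enrolledonly, $roleuserids]) {
    printf(
        "setting=%s enrolled=%s reported_removes=%s proposed_removes=%s\n",
        var_export($enrolledonly, true),
        var_export(has_role_stub($roleuserids, 7), true),
        var_export(removes_description_reported($enrolledonly, $roleuserids, 7), true),
        var_export(removes_description_proposed($enrolledonly, $roleuserids, 7), true)
    );
}
```

With the setting on and user 7 unenrolled, the reported order removes the description field even though a description exists, while the proposed order keeps it; the other two cases agree.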

