MDL-28951

Profiles of deleted users show bad email address and deletion should be clearer

    Details

    • Affected Branches:
      MOODLE_20_STABLE
    • Rank:
      18499

      Description

      Prerequisite: Moodle Account A has the capability moodle/user:viewdetails on system level. I can think of Moodle installations where this capability is set for all authenticated users for some reason. Moodle Account B was a Moodle user, but his account was deleted by an admin several weeks ago.

      Now, with Moodle Account A logged in, I visit
      http://MYMOODLEDOMAIN/user/profile.php?id=USERID-OF-ACCOUNT-B
      (I don't necessarily need to know the user ID of Account B; I can simply iterate the id parameter from 1 to n)

      The profile of the deleted user shows with no details, but with full name - although the user account no longer exists!
      When viewing the same page as admin, I get the message "This user account has been deleted".

      I know that Moodle saves some data from deleted user accounts. But I don't think that it is intended that this data is visible to non-admins, especially without any remark that this account no longer exists.

      Furthermore, is the data from deleted users fully deleted by a cron job at some point, or is it saved forever?
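
A defender-side way to spot the id iteration described in the report above, as an added example that is not part of the original report or of Moodle's code: it scans web server access logs for a single client requesting long runs of consecutive `id` values on `/user/profile.php`. The log lines, client addresses, function names and the `min_run` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (common log format); not data from the issue.
SAMPLE_LOG = "\n".join(
    # One client walking profile ids 1..8 in order.
    [f'10.0.0.5 - - [01/Jan/2024:10:00:{i:02d} +0000] '
     f'"GET /user/profile.php?id={i} HTTP/1.1" 200 5120' for i in range(1, 9)]
    # Another client viewing a few unrelated profiles.
    + [f'10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] '
       f'"GET /user/profile.php?id={i} HTTP/1.1" 200 5120' for i in (42, 17, 42, 300)]
    # A request to a different page, which must be ignored.
    + ['10.0.0.9 - - [01/Jan/2024:10:06:00 +0000] '
       '"GET /course/view.php?id=3 HTTP/1.1" 200 900']
)

# Client address and numeric id of a profile.php request, wherever id sits in the query.
PROFILE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /user/profile\.php\?(?:[^" ]*&)?id=(\d+)(?:&[^" ]*)? HTTP/[\d.]+"'
)


def longest_run(ids):
    """Length of the longest run of consecutive integers among ids."""
    best = run = 0
    prev = None
    for i in sorted(set(ids)):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best


def find_enumerators(log_text, min_run=5):
    """Map each client to its longest consecutive-id run, if at least min_run."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            seen[m.group(1)].append(int(m.group(2)))
    flagged = {}
    for client, ids in seen.items():
        run = longest_run(ids)
        if run >= min_run:
            flagged[client] = run
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```
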

        Activity

        Alexander Bias created issue -
        Alexander Bias made changes -
        Field Original Value New Value
        Description (wording updated; the current text is the Description above)
        Michael de Raadt made changes -
        Summary "Full name of deleted user is visible to Non-Admins" changed to "Profiles of deleted users show bad email address and deletion should be clearer"
        Security Could be a security issue [ 10030 ]
        Fix Version/s STABLE backlog [ 10463 ]
        Labels triaged
        Michael de Raadt made changes -
        Attachment profileOfDeletedUser.jpg [ 24929 ]
        Rajesh Taneja made changes -
        Status Open [ 1 ] Closed [ 6 ]
        Resolution Not a bug [ 7 ]
