MDL-29170: Security overview reports 'Critical' for 'Default role for all users' in fresh Moodle install.

    Details

    • Testing Instructions:
      Go to Site administration / Reports / Security overview

      The status of "Default role for all users" should be OK.
    • Workaround:
      Change the permission 'moodle/webservice:createmobiletoken' ("Create a web service token for mobile access") for the 'user' role (the default role for all users) from 'Allow' to 'Not Set'.
    • Affected Branches:
      MOODLE_21_STABLE, MOODLE_22_STABLE
    • Fixed Branches:
      MOODLE_21_STABLE
    • Pull Master Branch:
      s13_MDL-29170_risklevel_master

      Description

      Steps to reproduce
      ==============

      1. Fresh Moodle 2.1 install
      2. Go to Site administration / Reports / Security overview

      Expected result
      ===========

      No 'Critical' status for any issue.

      Actual result
      =========

      The status of 'Default role for all users' is 'Critical'.

          Activity

          salvetore Michael de Raadt added a comment -

          Thanks for reporting this.

          The risks for this permission are incorrectly defined and need to be updated.

          dongsheng Dongsheng Cai added a comment -

          Not really a security risk; it's the risk level mask defined in the web service. We will reduce the risk level to remove this warning.

          dongsheng Dongsheng Cai added a comment -

          This capability doesn't exist in 2.0, so there is no need to backport to MOODLE_20_STABLE.

          nebgor Aparup Banerjee added a comment -

          The code is fine.

          dongsheng Dongsheng Cai added a comment -

          Thanks Aparup, submitting to integration review.

          mkemmerling Markus Kemmerling added a comment -

          Thanks for the quick fix!

          samhemelryk Sam Hemelryk added a comment -

          Thanks guys, this has been integrated now.

          rwijaya Rossiani Wijaya added a comment -

          This works great.

          Test passed.

          stronk7 Eloy Lafuente (stronk7) added a comment -

          git & cvs repositories updated with your gorgeous code. Many thanks!

          Closing and ciao

          mkemmerling Markus Kemmerling added a comment -

          The problem seems to be still present in Moodle 2.1.2+ (Build: 20111012): the capability 'moodle/webservice:createmobiletoken' still has a pretty high risk level (RISK_CONFIG | RISK_DATALOSS | RISK_SPAM | RISK_PERSONAL | RISK_XSS).

          nebgor Aparup Banerjee added a comment -

          Hi Markus, this issue has been successfully closed and won't be reopened.

          I suggest creating a new issue describing the problem and perhaps using the regression link to this issue.
          (With regression links, we can also look back and improve what went wrong in our process.)

          mkemmerling Markus Kemmerling added a comment -

          Hi Aparup, thanks for your answer.

          Actually it was my fault. I oversaw that an already defined capability is not modified on upgrading but needs to be changed directly in the database. For a new installation everything is fine.

          Sorry for the confusion.

          nebgor Aparup Banerjee added a comment -

          No worries Markus, it's all good then.

          PS: yea, I'm guessing it's a good thing we don't change existing capabilities during upgrades.
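The following is an added example, not code from Moodle or from anyone on this thread. It models in Python what Dongsheng's comment describes (a capability's risk level mask deciding whether the Security overview flags the default role as 'Critical'), the workaround from the Details section, and the mismatch Markus ran into, where the riskbitmask stored in the installed database differs from the one shipped in db/access.php. The RISK_* bit values are taken from my recollection of Moodle's lib/accesslib.php and should be treated as assumptions; the capability table, the shipped definition and the default role's allowed set are constructed sample data.

```python
"""Model of Moodle's 'Default role for all users' security-overview check.

Added example; not Moodle's own report code. RISK_* values are assumed to
match lib/accesslib.php. All table contents below are constructed samples.
"""

# Risk bits (assumed values, per Moodle's lib/accesslib.php).
RISK_MANAGETRUST = 0x0001
RISK_CONFIG = 0x0002
RISK_XSS = 0x0004
RISK_PERSONAL = 0x0008
RISK_SPAM = 0x0010
RISK_DATALOSS = 0x0020

RISK_NAMES = {
    RISK_MANAGETRUST: "RISK_MANAGETRUST",
    RISK_CONFIG: "RISK_CONFIG",
    RISK_XSS: "RISK_XSS",
    RISK_PERSONAL: "RISK_PERSONAL",
    RISK_SPAM: "RISK_SPAM",
    RISK_DATALOSS: "RISK_DATALOSS",
}

# Constructed sample of the capabilities table (name -> riskbitmask) as it
# stood before the fix in this issue.
INSTALLED_CAPS = {
    "moodle/webservice:createmobiletoken":
        RISK_CONFIG | RISK_DATALOSS | RISK_SPAM | RISK_PERSONAL | RISK_XSS,
    "moodle/user:editownprofile": 0,  # hypothetical entry with no risk bits
}

# Constructed sample: capabilities the 'user' role (default role for all
# users) has set to 'Allow'.
DEFAULT_ROLE_ALLOWS = {
    "moodle/webservice:createmobiletoken",
    "moodle/user:editownprofile",
}


def decode_risks(mask):
    """Return the RISK_* names set in a riskbitmask, lowest bit first."""
    return [name for bit, name in sorted(RISK_NAMES.items()) if mask & bit]


def default_role_risks(caps, allowed):
    """Simplified model of the report check: each capability allowed to the
    default role that carries any risk bit is a finding."""
    findings = {}
    for cap in sorted(allowed):
        risks = decode_risks(caps.get(cap, 0))
        if risks:
            findings[cap] = risks
    return findings


def security_status(caps, allowed):
    """'Critical' if the default role holds any risky capability, else 'OK'."""
    return "Critical" if default_role_risks(caps, allowed) else "OK"


def apply_workaround(allowed, cap="moodle/webservice:createmobiletoken"):
    """The issue's workaround: set the permission to 'Not Set' for the default
    role, i.e. remove it from the allowed set."""
    return allowed - {cap}


def stale_definitions(installed, access_php):
    """Compare installed riskbitmasks with the shipped db/access.php masks.
    Returns {capability: (installed_mask, shipped_mask)} for every mismatch,
    which is the situation Markus describes on an upgraded site."""
    return {
        cap: (installed[cap], mask)
        for cap, mask in access_php.items()
        if cap in installed and installed[cap] != mask
    }


if __name__ == "__main__":
    print("status before workaround:", security_status(INSTALLED_CAPS, DEFAULT_ROLE_ALLOWS))
    for cap, risks in default_role_risks(INSTALLED_CAPS, DEFAULT_ROLE_ALLOWS).items():
        print(f"  {cap}: {' | '.join(risks)}")
    fixed = apply_workaround(DEFAULT_ROLE_ALLOWS)
    print("status after workaround: ", security_status(INSTALLED_CAPS, fixed))
    # Hypothetical shipped definition with the risk bits cleared (constructed).
    shipped = {"moodle/webservice:createmobiletoken": 0}
    print("stale definitions:", stale_definitions(INSTALLED_CAPS, shipped))
```

Running the script reports 'Critical' with the constructed table, 'OK' once the capability is dropped from the default role, and lists the capability whose installed mask still disagrees with the shipped one; on a real site the same comparison would be made against the capabilities table and the component's db/access.php rather than the constructed dictionaries.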

              Dates

              • Fix Release Date:
                10/Oct/11