Moodle - MDL-29170

Security overview reports 'Critical' for 'Default role for all users' in fresh Moodle install.

    Details

    • Testing Instructions:
      Go to Site administration / Reports / Security overview

      The status of "Default role for all users" should be OK.
    • Workaround:
      Change the permission 'moodle/webservice:createmobiletoken' ("Create a web service token for mobile access") for the 'user' role (the default role for all users) from 'Allow' to 'Not Set'.
    • Affected Branches:
      MOODLE_21_STABLE, MOODLE_22_STABLE
    • Fixed Branches:
      MOODLE_21_STABLE
    • Pull Master Branch:
      s13_MDL-29170_risklevel_master
    • Rank:
      18717

      Description

      Steps to reproduce
      ==============

      1. Fresh Moodle 2.1 install
      2. Go to Site administration / Reports / Security overview

      Expected result
      ===========

      No 'Critical' status for any issue.

      Actual result
      =========

      The status of 'Default role for all users' is 'Critical'.

        Activity

        Michael de Raadt added a comment -

        Thanks for reporting this.

        The risks for this permission are incorrectly defined and need to be updated.
        Dongsheng Cai added a comment -

        Not really a security risk, it's the risk level mask defined in web service, we will reduce the risk level to remove this warning.
        Dongsheng Cai added a comment -

        This capability doesn't exist in 2.0, so no need to back port to MOODLE_20_STABLE.
        Aparup Banerjee added a comment -

        The code is fine.
        Dongsheng Cai added a comment -

        Thanks Aparup, submitting to integration review.
        Markus Kemmerling added a comment -

        Thanks for the quick fix!
        Sam Hemelryk added a comment -

        Thanks guys, this has been integrated now.
        Rossiani Wijaya added a comment -

        This works great.

        Test passed.
        Eloy Lafuente (stronk7) added a comment -

        git & cvs repositories updated with your gorgeous code. Many thanks!

        Closing and ciao
        Markus Kemmerling added a comment -

        The problem seems to be still present in Moodle 2.1.2+ (Build: 20111012), the capability 'moodle/webservice:createmobiletoken' still has a pretty high risk level (RISK_CONFIG | RISK_DATALOSS | RISK_SPAM | RISK_PERSONAL | RISK_XSS).
        Aparup Banerjee added a comment -

        Hi Markus, this issue has been successfully closed and won't be reopened.

        I suggest creating a new issue describing the problem and perhaps using the regression link to this issue.
        (With regression links, we can also look back and improve what went wrong in our process.)
        Markus Kemmerling added a comment -

        Hi Aparup, thanks for your answer.

        Actually it was my fault. I oversaw that an already defined capability is not modified on upgrading but needs to be changed directly in the database. For a new installation everything is fine.

        Sorry for the confusion.
        Aparup Banerjee added a comment -

        No worries Markus, it's all good then.

        ps: yea, I'm guessing it's a good thing we don't change existing capabilities during upgrades.
