Moodle / MDL-29170

Security overview reports 'Critical' for 'Default role for all users' in fresh Moodle install.

    Details

    • Testing Instructions:

      Go to Site administration / Reports / Security overview

      The status of "Default role for all users" should be OK.

    • Workaround:

      Change the permission 'moodle/webservice:createmobiletoken' ("Create a web service token for mobile access") for the 'user' role (the default role for all users) from 'Allow' to 'Not Set'.

    • Affected Branches:
      MOODLE_21_STABLE, MOODLE_22_STABLE
    • Fixed Branches:
      MOODLE_21_STABLE
    • Pull Master Branch:
      s13_MDL-29170_risklevel_master

    Description

    Steps to reproduce
    ==================

    1. Fresh Moodle 2.1 install
    2. Go to Site administration / Reports / Security overview

    Expected result
    ===============

    No 'Critical' status for any issue.

    Actual result
    =============

    The status of 'Default role for all users' is 'Critical'.
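As an added illustration (not Moodle's own code), the PHP below models how a "Default role for all users" check reasons about a capability's risk bitmask: it uses the risk constant values from Moodle's lib/accesslib.php, the capability and bitmask quoted in this issue, and applies the workaround from the Details section. The default role's permission is modelled by the capability's 'user' archetype entry, and the set of risks treated as 'Critical' is an assumption, not the real report's list.

```php
<?php
// Added example, not Moodle's own code. Risk constant values are the ones
// defined in lib/accesslib.php; the capability table below is constructed.
define('RISK_CONFIG',   0x0002);
define('RISK_XSS',      0x0004);
define('RISK_PERSONAL', 0x0008);
define('RISK_SPAM',     0x0010);
define('RISK_DATALOSS', 0x0020);
define('CAP_INHERIT', 0);   // shown as 'Not Set' in the role editor
define('CAP_ALLOW',   1);
// Entry in the shape of db/access.php; the riskbitmask is the one quoted in
// this issue's comments and the 'user' archetype is what the default role gets.
$capabilities = array(
    'moodle/webservice:createmobiletoken' => array(
        'riskbitmask' => RISK_CONFIG | RISK_DATALOSS | RISK_SPAM | RISK_PERSONAL | RISK_XSS,
        'captype'     => 'write',
        'archetypes'  => array('user' => CAP_ALLOW),
    ),
);
// Assumption: the risks that make an Allow for every user 'Critical'.
define('CRITICAL_RISKS', RISK_XSS | RISK_DATALOSS | RISK_CONFIG);
// Capabilities allowed to $archetype whose riskbitmask overlaps CRITICAL_RISKS,
// returned as capability name => names of the matching risk bits.
function critical_caps_for_archetype(array $caps, $archetype) {
    $bits = array('RISK_CONFIG' => RISK_CONFIG, 'RISK_XSS' => RISK_XSS,
                  'RISK_DATALOSS' => RISK_DATALOSS);
    $found = array();
    foreach ($caps as $name => $def) {
        $perm = isset($def['archetypes'][$archetype]) ? $def['archetypes'][$archetype] : CAP_INHERIT;
        if ($perm !== CAP_ALLOW) {
            continue;   // 'Not Set' (inherit) or Prevent grants nothing here
        }
        $hit = array();
        foreach ($bits as $riskname => $bit) {
            if (($def['riskbitmask'] & $bit & CRITICAL_RISKS) !== 0) {
                $hit[] = $riskname;
            }
        }
        if ($hit) {
            $found[$name] = $hit;
        }
    }
    return $found;
}
// Fresh install: the archetype grants Allow, so the capability is examined.
print_r(critical_caps_for_archetype($capabilities, 'user'));
// The workaround from this issue: change Allow to 'Not Set' for the user role.
$capabilities['moodle/webservice:createmobiletoken']['archetypes']['user'] = CAP_INHERIT;
print_r(critical_caps_for_archetype($capabilities, 'user'));
```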

            Activity

            salvetore Michael de Raadt added a comment -

            Thanks for reporting this.

            The risks for this permission are incorrectly defined and need to be updated.

            dongsheng Dongsheng Cai added a comment -

            Not really a security risk; it's the risk level mask defined in web service. We will reduce the risk level to remove this warning.

            dongsheng Dongsheng Cai added a comment -

            This capability doesn't exist in 2.0, so no need to backport to MOODLE_20_STABLE.

            nebgor Aparup Banerjee added a comment -

            The code is fine

            dongsheng Dongsheng Cai added a comment -

            Thanks Aparup, submitting to integration review.

            mkemmerling Markus Kemmerling added a comment -

            Thanks for the quick fix!

            samhemelryk Sam Hemelryk added a comment -

            Thanks guys, this has been integrated now.

            rwijaya Rossiani Wijaya added a comment -

            This works great.

            Test passed.

            stronk7 Eloy Lafuente (stronk7) added a comment -

            git & cvs repositories updated with your gorgeous code. Many thanks!

            Closing and ciao

            mkemmerling Markus Kemmerling added a comment -

            The problem seems to be still present in Moodle 2.1.2+ (Build: 20111012); the capability 'moodle/webservice:createmobiletoken' still has a pretty high risk level (RISK_CONFIG | RISK_DATALOSS | RISK_SPAM | RISK_PERSONAL | RISK_XSS).

            nebgor Aparup Banerjee added a comment -

            Hi Markus, this issue has been successfully closed and won't be reopened.

            I suggest creating a new issue describing the problem and perhaps use the regression link to this issue.
            (with regression links, we can also look back and also improve what went wrong in our process)

            mkemmerling Markus Kemmerling added a comment -

            Hi Aparup, thanks for your answer.

            Actually it was my fault. I overlooked that an already defined capability is not modified on upgrading but needs to be changed directly in the database. For a new installation everything is fine.

            Sorry for the confusion.

            nebgor Aparup Banerjee added a comment -

            No worries Markus, it's all good then.

            PS: yeah, I'm guessing it's a good thing we don't change existing capabilities during upgrades.


    Dates

    • Fix Release Date:
      10/Oct/11