Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-31877

Function get_users function at datalib.php does not remove exceptions

    XMLWordPrintable

    Details

    • Database:
      Any
    • Testing Instructions:
      Hide

      The $exceptions parameter to get_users isn't actually used anywhere in core that I can see.

      To test you'll need to edit an existing page or create a test page to demonstrate the issue. I've attached a page which demonstrates the fix.

      Show
      The $exceptions parameter to get_users isn't actually used anywhere in core that I can see. To test you'll need to edit an existing page or create a test page to demonstrate the issue. I've attached a page which demonstrates the fix.
    • Workaround:
      Hide

      It can be solved changing on datalib.php in the function get_users:

              //$except = " AND id $exceptions";

      for:

              $select .= " AND id $exceptions";

      The $except variable is not used in the function

      Show
      It can be solved changing on datalib.php in the function get_users: //$except = " AND id $exceptions"; for: $select .= " AND id $exceptions"; The $except variable is not used in the function
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_22_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE, MOODLE_21_STABLE, MOODLE_22_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-31877-master-1

      Description

      Exceptions does not modifies the $select variable to remove the users selected from the query.

      It could be a security issue if it ignores some users to be assigned as admins for example.

        Attachments

          Activity

            People

            Assignee:
            dobedobedoh Andrew Nicols
            Reporter:
            pferre22 Pau Ferrer
            Integrator:
            Sam Hemelryk
            Tester:
            Petr Skoda
            Participants:
            Component watchers:
            Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              14/May/12