Moodle
  1. Moodle
  2. MDL-32529

Non-admin users can see Admin bookmarks block

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Not a bug
    • Affects Version/s: 2.2.1
    • Fix Version/s: None
    • Component/s: Blocks
    • Labels:
      None
    • Affected Branches:
      MOODLE_22_STABLE
    • Rank:
      39422

      Description

      Non-admin users can see the Admin bookmarks block, but not the contents.

      When the Admin bookmarks block is added to Site Home with 'Display throughout the entire site', both teacher and student roles can see the block when they Turn editing on on an appropriate page (e.g. my Home, or a course homepage).

      They can also modify the configuration of the block on that page.

      Presumably other non-admin roles can also see the block; we haven't tested for that.

        Issue Links

          Activity

          Hide
          Michael de Raadt added a comment -

          I don't think the block should be used on the site home and should not be displayed throughout the site. The intent of the block is to act as a bookmark on particular pages so that an administrator can find them easily.

          According to the (poorly worded) documentation for this block (http://docs.moodle.org/20/en/Admin_bookmarks_block) the default is to show this block to users when editing is turned on. They should also be able to be added by users who can edit course pages.

          The block is not as useful as it used to be, but I believe you are experiencing the expected behaviour and I don't think there is any security concern here.

          Show
          Michael de Raadt added a comment - I don't think the block should be used on the site home and should not be displayed throughout the site. The intent of the block is to act as a bookmark on particular pages so that an administrator can find them easily. According to the (poorly worded) documentation for this block ( http://docs.moodle.org/20/en/Admin_bookmarks_block ) the default is to show this block to users when editing is turned on. They should also be able to be added by users who can edit course pages. The block is not as useful as it used to be, but I believe you are experiencing the expected behaviour and I don't think there is any security concern here.
          Hide
          Donna Hrynkiw added a comment -

          More recent documentation: http://docs.moodle.org/22/en/Admin_bookmarks_block
          But I did the most recent editing on it, so my interpretation of the purpose of the block may be skewing it.

          Show
          Donna Hrynkiw added a comment - More recent documentation: http://docs.moodle.org/22/en/Admin_bookmarks_block But I did the most recent editing on it, so my interpretation of the purpose of the block may be skewing it.
          Hide
          Helen Foster added a comment -

          Just noting that I have updated the documentation http://docs.moodle.org/en/Admin_bookmarks_block to hopefully clarify how the block works and have mentioned about it not being a good idea to add the block to the front page and make it display throughout the entire site.

          Show
          Helen Foster added a comment - Just noting that I have updated the documentation http://docs.moodle.org/en/Admin_bookmarks_block to hopefully clarify how the block works and have mentioned about it not being a good idea to add the block to the front page and make it display throughout the entire site.

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: