  1. Moodle
  2. MDL-43009

Non-deleteable enrolment plugins can be deleted with handcrafted URL.


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.5.3
    • Fix Version/s: STABLE backlog
    • Component/s: Enrolments
    • Labels:
    • Affected Branches:
      MOODLE_25_STABLE

      Description

      New enrolment plugins can be made non-deleteable by overwriting the function
      public function instance_deleteable($instance)
      in
      abstract class enrol_plugin

      in lib/enrollib.php

      The script
      enrol/instances.php
      does call the function in order to decide whether to display the deletion icon.
      However, the actual deletion action does not call the function anymore.
      Therefore, with a handcrafted URL like
      enrol/instances.php?sesskey=4tCFnRVFyR&id=6&action=delete&instance=18

      one can still delete the enrolment instance given the capability
      moodle/course:enrolconfig

      FIX: instances.php should also call the function instance_deleteable() before deleting an instance and before asking for confirmation.
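
The gap between the icon check and the delete action, as an added PHP sketch (not Moodle's code and not written by the reporter). The `sketch_*` classes and functions are hypothetical stand-ins for `enrol_plugin` and the action handling in `enrol/instances.php`, and the instance data is constructed.

```php
<?php
// Added sketch, not Moodle code: simplified stand-ins so the file runs alone.

abstract class sketch_enrol_plugin {
    // Plugins override this to forbid deletion of their instances.
    public function instance_deleteable($instance) {
        return true;
    }
}

class sketch_locked_plugin extends sketch_enrol_plugin {
    public function instance_deleteable($instance) {
        return false;
    }
}

// As described in the report: the check only decides whether the delete
// icon is rendered on the page.
function sketch_render_icons(sketch_enrol_plugin $plugin, $instance) {
    return $plugin->instance_deleteable($instance) ? ['delete'] : [];
}

// Before: the delete action assumes the icon was the only way to reach it.
function sketch_delete_unchecked(array &$instances, sketch_enrol_plugin $plugin, $id) {
    unset($instances[$id]);
    return true;
}

// After: the same check is enforced inside the action, ahead of any
// confirmation prompt or deletion, as the FIX line proposes.
function sketch_delete_checked(array &$instances, sketch_enrol_plugin $plugin, $id) {
    if (!isset($instances[$id]) || !$plugin->instance_deleteable($instances[$id])) {
        return false; // unknown instance, or the plugin forbids deletion
    }
    unset($instances[$id]);
    return true;
}

// Constructed sample data: instance 18 belongs to the locked plugin.
$plugin = new sketch_locked_plugin();
$instances = [18 => (object)['id' => 18, 'enrol' => 'locked']];

printf("icons shown: %s\n", json_encode(sketch_render_icons($plugin, $instances[18])));
$copy = $instances; // arrays are copied by value, so each handler starts fresh
sketch_delete_unchecked($copy, $plugin, 18);
printf("unchecked handler, instance still present: %s\n", var_export(isset($copy[18]), true));
$copy = $instances;
sketch_delete_checked($copy, $plugin, 18);
printf("checked handler, instance still present: %s\n", var_export(isset($copy[18]), true));
```
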

            People

            • Assignee:
              Unassigned
              Reporter:
              jzimmer Juergen Zimmer
              Participants:
              Component watchers:
              Amaia Anabitarte, Bas Brands, Carlos Escobedo, Sara Arjona (@sarjona), Víctor Déniz Falcón