Affects Version/s: 2.6.6, 2.7.5, 2.8.3
Fix Version/s: None
In a server with guest login enabled, try to access the following pages through URL:
Make sure you get an error message: No guests here in all the cases.
Affected Branches:MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
Pull from Repository:
Pull Master Branch:MDL-49301-master
Pull Master Diff URL:
The pages tag/index.php, tag/seach.php can be reached by anyone if guest access is on.
On these pages, anyone can access to users list with pictures, full names with associated interests.
In my opinion (and in the opinion of a large school I work with), this should be restricted to logged in users as a default. A "site policies" option could be added to allow non-logged in users to access the page.
In the file tag/tag_autocomplete.php, we found :
Why guests should not be using this but can list the tags otherwise ?