Moodle / MDL-49301

privacy: tag/index.php, tag/search.php should be restrictable to logged in users

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.6.6, 2.7.5, 2.8.3
    • Fix Version/s: None
    • Component/s: Tags
    • Testing Instructions:
      In a server with guest login enabled, try to access the following pages through URL:

      • tag/edit.php
      • tag/index.php
      • tag/manage.php
      • tag/search.php
      • tag/tag_autocomplete.php

      Make sure you get the error message "No guests here" in all cases.

    • Affected Branches:
      MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-49301-master

      Description

      The pages tag/index.php, tag/search.php can be reached by anyone if guest access is on.

      On these pages, anyone can access the user list with pictures and full names with associated interests.

      In my opinion (and in the opinion of a large school I work with), this should be restricted to logged in users as a default. A "site policies" option could be added to allow non-logged in users to access the page.

      In the file tag/tag_autocomplete.php, we found:
      require_login(0, false);
      if (isguestuser()) {
          // Guests should not be using this.
          die();
      }

      Why should guests not be using this but be able to list the tags otherwise?
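
The restriction requested in this report could be applied to tag/index.php and tag/search.php with one shared guard, sketched below as an added example that is not Moodle's code or the eventual fix. The function name `local_tagguard_require_real_user` and the setting `$CFG->tagsallowguests` are hypothetical, and the `noguest` error string is assumed to be the one behind the "No guests here" message in the testing instructions.

```php
<?php
// Added example, not Moodle core code.
// Hypothetical helper file, to be included by tag/index.php and tag/search.php
// after config.php has been loaded.

defined('MOODLE_INTERNAL') || die();

/**
 * Deny not-logged-in and guest users access to a tag page unless the site
 * administrator has explicitly opted in.
 *
 * $CFG->tagsallowguests is a HYPOTHETICAL "site policies" setting standing in
 * for the option proposed in the report; it does not exist in Moodle.
 */
function local_tagguard_require_real_user() {
    global $CFG;

    if (!empty($CFG->tagsallowguests)) {
        // Administrator opted in: a normal login check, guest sessions accepted.
        require_login();
        return;
    }

    // Default: restricted. Same call as tag/tag_autocomplete.php, i.e. a
    // site-level login check that does not log the visitor in as guest.
    require_login(0, false);

    // A visitor who already holds a guest session passes require_login(),
    // so guests have to be rejected explicitly.
    if (isguestuser()) {
        // Assumed string key for the "No guests here" error message.
        print_error('noguest');
    }
}

// Usage in tag/index.php and tag/search.php, right after config.php is loaded:
//     local_tagguard_require_real_user();
```

Unlike the silent `die()` in tag/tag_autocomplete.php, this shows an error page, which is what the testing instructions expect for pages a user opens directly.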

              People

              • Votes: 14
              • Watchers: 10
