Moodle tracker issue MDL-50613: Enabling mobile web services results in 'Critical' status in security overview report


    Details

    • Testing Instructions:
      1. Do a clean Moodle installation.
      2. Enable Mobile services in Plugins -> Web Services -> Mobile.
      3. Go to the site Report -> Security Overview.
      4. Ensure that the 'Default role for all users' check reports OK.
      5. Upgrade an existing Moodle installation that has Mobile services enabled.
      6. Go to the site Report -> Security Overview and ensure that the 'Default role for all users' check reports OK.
    • Affected Branches:
      MOODLE_28_STABLE, MOODLE_29_STABLE
    • Fixed Branches:
      MOODLE_28_STABLE, MOODLE_29_STABLE
    • Pull Master Branch:
      MDL-50613-master

      Description

      When mobile web services are enabled on a site (for Moodle Mobile app users), the security overview report shows the default role for all users with status 'Critical' due to the webservice capabilities being allowed for the authenticated user role.

      The 'Security report on default user role' documentation page explains this 'Critical' status and the accompanying message 'The default user role "Authenticated user" is incorrectly defined!'; however, it remains a concern for admins, as mentioned in a recent forum post, 'Re: Critical security issue with default role for all users'.

      • Should the security report on default user role status be changed from 'Critical'?
      • Should the message be changed?
      • Should the documentation provide further explanation?

              People

              Assignee:
              jleyva Juan Leyva
              Reporter:
              tsala Helen Foster
              Peer reviewer:
              Dani Palou
              Integrator:
              David Monllaó
              Tester:
              Frédéric Massart
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Juan Leyva
              Votes:
              0
              Watchers:
              11

                Dates

                Fix Release Date:
                9/Nov/15