
Remove the ability for users to add blocks to their profile page


    Details

    • Type: Improvement
    • Status: Reopened
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.8.7, 2.9.1, 2.9.4, 3.0.2
    • Fix Version/s: None
    • Component/s: Blocks
    • Testing Instructions:
      Note

      All profile pages should be accessed via user/profile.php, not user/view.php. (always site profile not course profile)

      Test 1
      1. Log in as an administrator.
      2. Visit your profile page and check that you can add blocks to it.
      3. Visit another user’s profile page and check that you can add blocks to it.
      Test 2
      1. Log in as an administrator and visit ‘Security’ > ‘Site policies’ and uncheck (if it isn’t already) ‘Force users to log in for profiles’ and save.
      2. Log in as a user with no system wide roles.
      3. Visit your profile page and check that you can NOT add blocks to it.
      4. Visit another user’s profile page and check that you can NOT add blocks to it.
      Test 3
      1. Log in as an administrator, edit the ‘Authenticated user’ role, set the capability ‘moodle/user:manageblocks’ to ‘Prohibit’ and save.
      2. Log in as a user.
      3. Visit your profile page and check that you can NOT add blocks to it.
      4. Visit another user’s profile page and check that you can NOT add blocks to it.
      5. As the admin set the capability ‘moodle/user:manageblocks’ to 'Allow' for the 'Authenticated user' role and save.
      6. As the user visit your profile page and check that you can add blocks to it.
      7. As the user visit another user’s profile page and check that you can add blocks to it.
    • Affected Branches:
      MOODLE_28_STABLE, MOODLE_29_STABLE, MOODLE_30_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-51067-master
    • Sprint:
      Team Beards Sprint 10
    • Issue size:
      Medium

      Description

      This is a follow-on from MDL-37736, where the ability to add blocks to the profile page, or move them via AJAX, has been broken for a long time already and we don't know the use case for being able to do this. There are security concerns about a user adding JavaScript to blocks on their own profile page and then tempting an admin to view that profile.

      We need to decide what to do with existing blocks on this page:
      • We could delete them on upgrade.
      • We could make them not editable and only give the option to delete.

      One (safeish) option is to only remove the ability to add.

      Course profile and site profile.

              People

              Assignee:
              Unassigned
              Reporter:
              moodle.com moodle.com
              Peer reviewer:
              Jun Pataleta
              Integrator:
              David Monllaó
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
              Votes:
              0
              Watchers:
              12
