  1. Moodle
  2. MDL-59815

moodle/user:delete has incorrect risks attached


    Details

    • Testing Instructions:
      1. Go to "Site Administration > Users > Permissions > Define roles"
      2. Select a role and edit it.
      3. Find moodle/user:delete and observe that "Users could destroy large amounts of content or information" risk is shown.
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_34_STABLE
    • Fixed Branches:
      MOODLE_32_STABLE, MOODLE_33_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      wip-MDL-59815-master

      Description

      In lib/db/access.php, moodle/user:delete defines risks of:

       

      'riskbitmask' => RISK_PERSONAL, RISK_DATALOSS,
      

       

      I think it should be defined as:

      'riskbitmask' => RISK_PERSONAL | RISK_DATALOSS,
      

      like all the others.

       

      What happens now is that the risk bitmask for user:delete is assigned as RISK_PERSONAL and an unrelated entry of $capabilities['moodle/user:delete'][0] is created with the value of 0x20, which doesn't seem to be checked for. If any capability should be tagged RISK_DATALOSS, user deletion definitely should be.

       

      It's in 3.4 as per current code, but any version since July 2008 is potentially affected; it was introduced in https://github.com/moodle/moodle/commit/3a0c6cca332fbeced9276422e50efa9abea58d72 when it was introduced in MDL-8521.
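
The effect described in the report, as an added PHP example that is not part of the original issue or of Moodle's code: the comma form leaves RISK_DATALOSS out of the mask and creates element [0], and a check for integer keys flags the definition. The constants are defined locally (0x20 is the value quoted in the report, 0x08 for RISK_PERSONAL is an assumption), and `example/fixed:delete`, the `captype` sample values and `find_stray_entries()` are constructed for illustration.

```php
<?php
// Added example, not Moodle code. Constants are defined locally so the script
// runs stand-alone: 0x20 for RISK_DATALOSS is the value quoted in the report,
// 0x08 for RISK_PERSONAL is assumed to match Moodle's definition.
const RISK_PERSONAL = 0x0008;
const RISK_DATALOSS = 0x0020;

// Constructed sample mirroring the shape of lib/db/access.php.
$capabilities = [
    // Comma: riskbitmask gets only RISK_PERSONAL; RISK_DATALOSS becomes element [0].
    'moodle/user:delete' => [
        'riskbitmask' => RISK_PERSONAL, RISK_DATALOSS,
        'captype' => 'write',
    ],
    // Bitwise OR: both risks end up in the mask (hypothetical capability name).
    'example/fixed:delete' => [
        'riskbitmask' => RISK_PERSONAL | RISK_DATALOSS,
        'captype' => 'write',
    ],
];

/**
 * Return the integer-keyed values found in each capability definition.
 * Every key in a definition should be a string, so an integer key means a
 * value slipped out of its 'key' => value pair, as with "A, B" instead of "A | B".
 */
function find_stray_entries(array $capabilities): array {
    $findings = [];
    foreach ($capabilities as $name => $definition) {
        foreach ($definition as $key => $value) {
            if (is_int($key)) {
                $findings[$name][] = $value;
            }
        }
    }
    return $findings;
}

// Show the effective mask and whether the data-loss risk is actually set.
foreach ($capabilities as $name => $definition) {
    $mask = $definition['riskbitmask'] ?? 0;
    printf("%-22s mask=0x%02x dataloss=%s\n", $name, $mask,
        ($mask & RISK_DATALOSS) ? 'yes' : 'no');
}

// Report definitions that carry stray integer-keyed values.
foreach (find_stray_entries($capabilities) as $name => $values) {
    $hex = array_map(function ($v) { return sprintf('0x%02x', $v); }, $values);
    printf("stray entry in %s: %s\n", $name, implode(', ', $hex));
}
```

The same integer-key check can be run over any capability array after including its definition file, which catches this class of typo without relying on the roles UI.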


            People

            Assignee:
            Unassigned
            Reporter:
            peter.spicer Peter Spicer
            Peer reviewer:
            Adrian Greeve
            Integrator:
            David Monllaó
            Tester:
            Andrew Nicols
            Participants:
            Component watchers:
            Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona)

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              11/Sep/17