MDL-59815: moodle/user:delete has incorrect risks attached


    Details

    • Testing Instructions:
      1. Go to "Site Administration > Users > Permissions > Define roles".
      2. Select a role and edit it.
      3. Find moodle/user:delete and observe that the "Users could destroy large amounts of content or information" risk is shown.
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_34_STABLE
    • Fixed Branches:
      MOODLE_32_STABLE, MOODLE_33_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      wip-MDL-59815-master

      Description

      In lib/db/access.php, moodle/user:delete defines risks of:

      'riskbitmask' => RISK_PERSONAL, RISK_DATALOSS,

      I think it should be defined as:

      'riskbitmask' => RISK_PERSONAL | RISK_DATALOSS,

      like all the others.

      What happens now is that the risk bitmask for user:delete is assigned as RISK_PERSONAL, and an unrelated entry $capabilities['moodle/user:delete'][0] is created with the value 0x20, which doesn't seem to be checked for. If any capability should be tagged RISK_DATALOSS, user deletion definitely should be.

      It's in 3.4 as per current code, but any version since July 2008 is potentially affected; it was introduced in https://github.com/moodle/moodle/commit/3a0c6cca332fbeced9276422e50efa9abea58d72 as part of MDL-8521.
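The following is an added example, not code from the report or from Moodle, showing how the stray comma changes the PHP array and why a risk check on the buggy definition fails. The numeric values of RISK_PERSONAL and RISK_DATALOSS are assumed for the illustration (RISK_DATALOSS = 0x0020 matches the 0x20 quoted in the report); the lint function is a hypothetical helper that flags positional keys in an access.php-style capability table, which is exactly the symptom this defect produces.

```php
<?php
declare(strict_types=1);

// Risk flag values are assumed for this example; Moodle defines the real ones
// in its access library. RISK_DATALOSS = 0x0020 matches the report's 0x20.
define('RISK_PERSONAL', 0x0008);
define('RISK_DATALOSS', 0x0020);

// The definition as reported: a comma instead of '|' makes RISK_DATALOSS a
// second, positional array element with integer key 0 instead of part of the mask.
$buggy = [
    'moodle/user:delete' => [
        'riskbitmask' => RISK_PERSONAL, RISK_DATALOSS,
    ],
];

// The corrected form: a single integer bitmask carrying both flags.
$fixed = [
    'moodle/user:delete' => [
        'riskbitmask' => RISK_PERSONAL | RISK_DATALOSS,
    ],
];

// How risk flags are consumed: a bitwise AND against 'riskbitmask' only.
// Anything stored under another key is invisible to this test.
function has_risk(array $definition, int $risk): bool
{
    return (($definition['riskbitmask'] ?? 0) & $risk) === $risk;
}

// Hypothetical lint for a capability table: positional (integer) keys can only
// come from a stray comma in the definition, and riskbitmask must be an integer.
function lint_capabilities(array $capabilities): array
{
    $problems = [];
    foreach ($capabilities as $name => $definition) {
        foreach (array_keys($definition) as $key) {
            if (is_int($key)) {
                $problems[] = sprintf(
                    '%s: positional entry [%d] = %s (comma instead of | ?)',
                    $name, $key, var_export($definition[$key], true)
                );
            }
        }
        if (!isset($definition['riskbitmask']) || !is_int($definition['riskbitmask'])) {
            $problems[] = "$name: riskbitmask missing or not an integer";
        }
    }
    return $problems;
}

foreach (['buggy' => $buggy, 'fixed' => $fixed] as $label => $caps) {
    $def = $caps['moodle/user:delete'];
    printf(
        "%s: keys=%s RISK_DATALOSS=%s\n",
        $label,
        json_encode(array_keys($def)),
        has_risk($def, RISK_DATALOSS) ? 'yes' : 'no'
    );
    foreach (lint_capabilities($caps) as $problem) {
        echo "  lint: $problem\n";
    }
}
```

Running this with the PHP CLI prints keys `["riskbitmask",0]` and `RISK_DATALOSS=no` for the buggy table, with the lint reporting the positional entry `[0] = 32`, and keys `["riskbitmask"]` with `RISK_DATALOSS=yes` and no lint findings for the fixed one. The same integer-key check applied across a whole capability table would catch any other definition where a comma has slipped in for a `|`.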


              Dates

              • Fix Release Date:
                11/Sep/17