[MDL-59815] moodle/user:delete has incorrect risks attached - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.4
Fix Version/s: 3.2.5, 3.3.2
Component/s: Roles / Access
Labels:
- ci
- patch
- triaged

Affected Branches:
MOODLE_34_STABLE
Fixed Branches:
MOODLE_32_STABLE, MOODLE_33_STABLE
Pull from Repository:
git://github.com/abgreeve/moodle.git
Pull Master Branch:
wip-~~MDL-59815~~-master
Pull Master Diff URL:
https://github.com/abgreeve/moodle/compare/9eb3c173ae...wip-MDL-59815-master
Difficulty:
Easy
Testing Instructions:
Hide

Go to "Site Administration > Users > Permissions > Define roles"

Select a role and edit it.

Find moodle/user:delete and observe that "Users could destroy large amounts of content or information" risk is shown.
Show
Go to "Site Administration > Users > Permissions > Define roles" Select a role and edit it. Find moodle/user:delete and observe that "Users could destroy large amounts of content or information" risk is shown.

Description

In lib/db/access.php, moodle/user:delete defines risks of:

'riskbitmask' => RISK_PERSONAL, RISK_DATALOSS,

I think it should be defined as:

'riskbitmask' => RISK_PERSONAL | RISK_DATALOSS,

like all the others.

What happens now is that the risk bitmask for user:delete is assigned as RISK_PERSONAL and an unrelated entry of $capabilities['moodle/user:delete'][0] is created with the value of 0x20 which doesn't seem to be checked for, and if any capability should be tagged RISK_DATALOSS, user deletion definitely should be.

It's in 3.4 as per current code - but any version since July 2008 potentially is affected, it was introduced in https://github.com/moodle/moodle/commit/3a0c6cca332fbeced9276422e50efa9abea58d72 when it was introduced in ~~MDL-8521~~

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

MDL-59815.patch
0.7 kB
18/Aug/17 1:27 AM

Activity

People

Assignee:: Unassigned

Reporter:: Peter Spicer

Peer reviewer:: Adrian Greeve

Integrator:: David Monllaó

Tester:: Andrew Lyons

Participants:: Adrian Greeve, Andrew Lyons, CiBoT, David Monllaó, Jun Pataleta, Marina Glancy, Peter Spicer

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 16/Aug/17 6:23 AM

Updated:: 08/Sep/17 6:20 AM

Resolved:: 08/Sep/17 6:20 AM

Fix Release Date:: 11/Sep/17