MDL-59815

moodle/user:delete has incorrect risks attached


Details

    • MOODLE_34_STABLE
    • MOODLE_32_STABLE, MOODLE_33_STABLE
    • wip-MDL-59815-master
    • Easy
    Testing instructions

      1. Go to "Site Administration > Users > Permissions > Define roles"
      2. Select a role and edit it.
      3. Find moodle/user:delete and observe that the "Users could destroy large amounts of content or information" risk is shown.

    Description

      In lib/db/access.php, moodle/user:delete defines risks of:

      'riskbitmask' => RISK_PERSONAL, RISK_DATALOSS,

      I think it should be defined as:

      'riskbitmask' => RISK_PERSONAL | RISK_DATALOSS,

      like all the others.

      What happens now is that the risk bitmask for user:delete is assigned as RISK_PERSONAL, and an unrelated entry $capabilities['moodle/user:delete'][0] is created with the value 0x20, which doesn't seem to be checked for. If any capability should be tagged RISK_DATALOSS, user deletion definitely should be.

      It's in 3.4 as per current code, but any version since July 2008 is potentially affected: it was introduced in https://github.com/moodle/moodle/commit/3a0c6cca332fbeced9276422e50efa9abea58d72 as part of MDL-8521.
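      The following is an added example, not code from the report or from Moodle itself. It reproduces what the description says the stray comma does to the capability array and shows a small, hypothetical lint (lint_capability is not a Moodle function) that would catch this class of mistake when reviewing lib/db/access.php. The RISK_* constant values are copied from lib/accesslib.php (RISK_PERSONAL = 0x0008, RISK_DATALOSS = 0x0020); the two capability arrays are constructed here to put the buggy and the intended spelling side by side.

```php
<?php
// Added example, not Moodle's own code. Constant values mirror lib/accesslib.php.
define('RISK_PERSONAL', 0x0008);
define('RISK_DATALOSS', 0x0020);

// As written in lib/db/access.php at the time of the report. In a PHP array
// literal the comma ends the 'riskbitmask' element, so RISK_DATALOSS becomes a
// second, unkeyed element that PHP stores under integer key 0.
$buggy = [
    'riskbitmask' => RISK_PERSONAL, RISK_DATALOSS,
    'captype' => 'write',
];

// Intended form: one bitmask carrying both risks.
$fixed = [
    'riskbitmask' => RISK_PERSONAL | RISK_DATALOSS,
    'captype' => 'write',
];

/**
 * Hypothetical lint for one capability definition (not part of Moodle).
 * Reports any integer-keyed element, which a well-formed definition never
 * has and which is the fingerprint of a stray comma, and any expected risk
 * flag that is absent from riskbitmask. Returns a list of problem strings;
 * an empty list means the definition is clean.
 */
function lint_capability(string $name, array $def, int $expectedrisks): array {
    $problems = [];
    foreach ($def as $key => $value) {
        if (is_int($key)) {
            $problems[] = sprintf('%s: stray unkeyed element [%d] => 0x%04x',
                $name, $key, (int) $value);
        }
    }
    $mask = (int) ($def['riskbitmask'] ?? 0);
    $missing = $expectedrisks & ~$mask;
    if ($missing !== 0) {
        $problems[] = sprintf('%s: riskbitmask 0x%04x lacks 0x%04x',
            $name, $mask, $missing);
    }
    return $problems;
}

foreach (['buggy' => $buggy, 'fixed' => $fixed] as $label => $def) {
    echo "$label: riskbitmask = 0x", dechex($def['riskbitmask']),
        ", keys = ", implode(', ', array_map('strval', array_keys($def))), "\n";
    foreach (lint_capability('moodle/user:delete', $def, RISK_PERSONAL | RISK_DATALOSS) as $p) {
        echo "  $p\n";
    }
}
```

      Running it against $buggy reports the unkeyed element [0] => 0x0020 and a riskbitmask of 0x0008 that lacks 0x0020, which is exactly why the role editor never shows the data-loss risk for this capability; $fixed yields riskbitmask 0x0028 and no findings. The same loop can be run over every entry of $capabilities to confirm no other definition carries an integer key.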

      Attachments

        Activity

          People

            Unassigned
            peter.spicer Peter Spicer
            Adrian Greeve Adrian Greeve
            David Monllaó David Monllaó
            Andrew Lyons Andrew Lyons
            David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
            Votes: 0
            Watchers: 5

            Dates

              Created:
              Updated:
              Resolved:
              11/Sep/17