Moodle tracker: MDL-59815

moodle/user:delete has incorrect risks attached


    • MOODLE_34_STABLE
    • MOODLE_32_STABLE, MOODLE_33_STABLE
    • wip-MDL-59815-master
    • Easy
      1. Go to "Site Administration > Users > Permissions > Define roles"
      2. Select a role and edit it.
      3. Find moodle/user:delete and observe that "Users could destroy large amounts of content or information" risk is shown.

      In lib/db/access.php, moodle/user:delete defines risks of:

      'riskbitmask' => RISK_PERSONAL, RISK_DATALOSS,

      I think it should be defined as:

      'riskbitmask' => RISK_PERSONAL | RISK_DATALOSS,

      like all the others.

      What happens now is that the risk bitmask for user:delete is assigned as RISK_PERSONAL, and an unrelated entry $capabilities['moodle/user:delete'][0] is created with the value 0x20, which doesn't seem to be checked for. If any capability should be tagged RISK_DATALOSS, user deletion definitely should be.

      It's in 3.4 as per current code, but any version since July 2008 is potentially affected: it was introduced in https://github.com/moodle/moodle/commit/3a0c6cca332fbeced9276422e50efa9abea58d72 as part of MDL-8521.
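As an added example (not code from the issue report or from Moodle itself), the PHP below reproduces the capability definition as reported next to the corrected one, shows that a RISK_DATALOSS check against the reported mask fails, and includes a small audit function that flags the stray integer key the report describes. The RISK_*, CONTEXT_SYSTEM and CAP_ALLOW values mirror Moodle's lib/accesslib.php; the audit function, its list of allowed definition keys and the capability arrays are constructed for this illustration and are not part of Moodle.

```php
<?php
// Added example (not Moodle's own code): reproduces the array-literal mistake
// described in MDL-59815 and a check that would have caught it.
// Constant values mirror lib/accesslib.php; everything else is constructed here.
define('RISK_MANAGETRUST', 0x0001);
define('RISK_CONFIG',      0x0002);
define('RISK_XSS',         0x0004);
define('RISK_PERSONAL',    0x0008);
define('RISK_SPAM',        0x0010);
define('RISK_DATALOSS',    0x0020);
define('CONTEXT_SYSTEM',   10);
define('CAP_ALLOW',        1);

// The definition as reported: a comma where a bitwise OR was intended. PHP reads
// RISK_DATALOSS as a second, unkeyed array element, so it lands at integer index 0
// and 'riskbitmask' holds only RISK_PERSONAL.
$reported = [
    'moodle/user:delete' => [
        'riskbitmask' => RISK_PERSONAL, RISK_DATALOSS,
        'captype'      => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'archetypes'   => ['manager' => CAP_ALLOW],
    ],
];

// The corrected definition: both risk bits are combined into one mask.
$corrected = [
    'moodle/user:delete' => [
        'riskbitmask'  => RISK_PERSONAL | RISK_DATALOSS,
        'captype'      => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'archetypes'   => ['manager' => CAP_ALLOW],
    ],
];

// True when the declared risk mask of $name carries the bit $risk.
function capability_has_risk(array $capabilities, string $name, int $risk): bool {
    return (bool) ($capabilities[$name]['riskbitmask'] & $risk);
}

// Audit helper constructed for this example: a capability definition should only
// contain the known string keys, so any integer key is the footprint of a stray
// comma like the one above. Returns [capability name => [description of stray entry]].
function find_stray_capability_entries(array $capabilities): array {
    $allowed = ['riskbitmask', 'captype', 'contextlevel', 'archetypes',
                'clonepermissionsfrom', 'legacy'];
    $stray = [];
    foreach ($capabilities as $capname => $definition) {
        foreach ($definition as $key => $value) {
            if (!in_array($key, $allowed, true)) {
                $stray[$capname][] = is_int($key)
                    ? sprintf('[%d] => 0x%02x', $key, (int) $value)
                    : (string) $key;
            }
        }
    }
    return $stray;
}

foreach (['reported' => $reported, 'corrected' => $corrected] as $label => $caps) {
    printf("%s: RISK_DATALOSS on moodle/user:delete -> %s\n", $label,
        capability_has_risk($caps, 'moodle/user:delete', RISK_DATALOSS) ? 'set' : 'NOT set');
    foreach (find_stray_capability_entries($caps) as $capname => $entries) {
        printf("%s: stray entries in %s: %s\n", $label, $capname, implode(', ', $entries));
    }
}
```

Running it with the reported definition shows the RISK_DATALOSS bit unset and one stray entry at index 0 holding 0x20; the corrected definition has the bit set and no stray entries. An audit of this kind fits naturally into a unit test over the full $capabilities array from lib/db/access.php.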

            Unassigned
            Peter Spicer
            Adrian Greeve
            David Monllaó
            Andrew Lyons
            Votes: 0
            Watchers: 5