Bug
Resolution: Fixed
Minor
3.4
MOODLE_34_STABLE
MOODLE_32_STABLE, MOODLE_33_STABLE
wip-MDL-59815-master
Easy
In lib/db/access.php, moodle/user:delete defines risks of:
'riskbitmask' => RISK_PERSONAL, RISK_DATALOSS,
I think it should be defined as:
'riskbitmask' => RISK_PERSONAL | RISK_DATALOSS,
like all the others.
What happens now is that the risk bitmask for user:delete is assigned as RISK_PERSONAL and an unrelated entry of $capabilities['moodle/user:delete'][0] is created with the value of 0x20, which doesn't seem to be checked for. If any capability should be tagged RISK_DATALOSS, user deletion definitely should be.
It's in 3.4 as per current code, but any version since July 2008 is potentially affected; it was introduced in https://github.com/moodle/moodle/commit/3a0c6cca332fbeced9276422e50efa9abea58d72 when it was introduced in MDL-8521.
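The following PHP script is an added example, not part of the original report or Moodle's own code. It reproduces the array shape described above and shows a check that flags positional elements in a capability definition. The constant value for RISK_PERSONAL, the 'example/thing:delete' capability and the find_stray_risk_entries() helper are assumptions made for illustration.

```php
<?php
// Stand-in constants so the script runs outside Moodle. 0x20 for
// RISK_DATALOSS is the value quoted in the report; RISK_PERSONAL is assumed.
const RISK_PERSONAL = 0x0008;
const RISK_DATALOSS = 0x0020;

// Constructed sample: the first entry uses the comma form from the report,
// the second uses the bitwise OR form.
$capabilities = [
    'moodle/user:delete' => [
        'riskbitmask' => RISK_PERSONAL, RISK_DATALOSS,
        'captype' => 'write',
    ],
    'example/thing:delete' => [ // hypothetical capability name
        'riskbitmask' => RISK_PERSONAL | RISK_DATALOSS,
        'captype' => 'write',
    ],
];

/**
 * Report capability definitions that hold integer-keyed integer elements,
 * which is what a comma in place of "|" leaves behind in the array.
 */
function find_stray_risk_entries(array $capabilities): array {
    $findings = [];
    foreach ($capabilities as $name => $definition) {
        foreach ($definition as $key => $value) {
            if (is_int($key) && is_int($value)) {
                $findings[] = sprintf(
                    '%s: stray element [%d] = 0x%02x, effective riskbitmask = 0x%02x',
                    $name, $key, $value, $definition['riskbitmask'] ?? 0
                );
            }
        }
    }
    return $findings;
}

// Show which definitions actually carry the data-loss flag in their mask.
foreach ($capabilities as $name => $definition) {
    $flagged = ($definition['riskbitmask'] & RISK_DATALOSS) ? 'yes' : 'no';
    printf("%-22s RISK_DATALOSS in mask: %s\n", $name, $flagged);
}

foreach (find_stray_risk_entries($capabilities) as $finding) {
    echo $finding, "\n";
}
```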