MDL-61656: Site security report message is incomplete
Project: Moodle


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.4, 3.4.1, 3.5
    • Fix Version/s: 3.3.6, 3.4.3
    • Component/s: Reports
    • Labels:
    • Testing Instructions:
      Prepare the frontpage role to be risky.
      1. Go to Admin -> Users -> Permissions -> Define roles.
      2. Edit the frontpage role ("Authenticated user on frontpage").
      3. Allow the "moodle/course:changeshortname" capability for the role (it carries the XSS risk).
      4. Save changes.
      Verify the security report
      1. Go to Admin -> Reports -> Security overview
      2. Check you get:
        1. Frontpage role
        2. Critical
        3. Incorrectly defined frontpage role "Authenticated user on frontpage" detected!
      3. Switch language to any other (Spanish for example).
      4. Again, go to Admin -> Reports -> Security overview
      5. Check you get the same information, completely localised to the new language, including the name of the role.

      That's all!

    • Affected Branches:
      MOODLE_34_STABLE, MOODLE_35_STABLE
    • Fixed Branches:
      MOODLE_33_STABLE, MOODLE_34_STABLE
    • Pull from Repository:
    • Pull Master Branch:

      Description

      During the 'report_security_check_frontpagerole' check of the site-level "Security overview" report, if an issue comes out, the report writes:
      get_string('check_frontpagerole_error', 'report_security', format_string($frontpage_role->name));
      but $frontpage_role->name holds role->name, which is generally an empty string,
      so the output becomes: 'Incorrectly defined frontpage role "" detected!'.
      Maybe the original developer had in mind to write capabilities->name(s) instead of role->name(s).
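As an added example (not the reporter's or Moodle's own code): a stand-alone PHP script that reproduces the empty-name message and shows the effect of resolving the role's display name before interpolating it, the way Moodle's role_get_name() falls back to the language pack for built-in roles that are stored with an empty name. get_string() and role_get_name() are minimal stand-ins over a constructed string table, so the script runs without a Moodle install.

```php
<?php
// Added example, not Moodle code. The string table below is constructed
// (English only) and stands in for Moodle's language packs.
const STRINGS = [
    'report_security:check_frontpagerole_error' =>
        'Incorrectly defined frontpage role "{$a}" detected!',
    'role:frontpage' => 'Authenticated user on frontpage',
];

// Stand-in for Moodle's get_string($identifier, $component, $a).
function get_string(string $identifier, string $component, $a = null): string {
    $s = STRINGS["$component:$identifier"] ?? "[[$identifier]]";
    return str_replace('{$a}', (string) $a, $s);
}

// Stand-in for the fallback in Moodle's role_get_name(): standard roles keep
// an empty `name` in the DB, so the display name is taken from the language
// pack keyed on `shortname`, which is why it changes with the site language.
function role_get_name(stdClass $role): string {
    if (trim($role->name) !== '') {
        // Moodle applies format_string() here; escaping stands in for it.
        return htmlspecialchars($role->name, ENT_QUOTES);
    }
    return get_string($role->shortname, 'role');
}

// Role record as stored for the standard frontpage role: note the empty name.
$frontpage_role = (object) ['shortname' => 'frontpage', 'name' => ''];

// As reported: the raw DB field is interpolated, so the quoted name is empty.
$buggy = get_string('check_frontpagerole_error', 'report_security',
                    $frontpage_role->name);

// Resolving the display name first gives a complete, localised message.
$fixed = get_string('check_frontpagerole_error', 'report_security',
                    role_get_name($frontpage_role));

echo "Reported behaviour: $buggy", PHP_EOL;
echo "With display name:  $fixed", PHP_EOL;
```

Switching the site language changes the 'role:frontpage' entry in a real Moodle install, so the second message is localised along with the role name, which is what the testing instructions verify.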

            People

            Assignee:
            stronk7 Eloy Lafuente (stronk7)
            Reporter:
            daniss Daniele Cordella
            Peer reviewer:
            Carlos Escobedo
            Integrator:
            Jun Pataleta
            Tester:
            Janelle Barcega
            Participants:
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
            Votes:
            0
            Watchers:
            4

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              17/May/18