MDL-63184

is_site_dpo() doesn't check for any capability and it seems it should


    Details

    • Testing Instructions:
      Setup
      1. Log in as an admin.
      2. Create 3 Privacy officer roles, PO1, PO2, PO3.
      3. Go to "Site administration / Users / Permissions / Assign system roles"
      4. Assign the following users to the following PO roles:
        m1 PO1
        m2 PO2
        m3 PO3
      5. Go to "Site administration / Users / Privacy and policies / Privacy settings"
      6. Tick PO1 and PO2 for the "Privacy officer role mapping" setting. Save the changes.
      As admin
      1. Go to "Site administration / Users / Privacy and policies / Data requests"
      2. Confirm that you can create data requests.
      3. Confirm that you can view the data requests list.
      As m1
      1. Log in as m1.
      2. Go to "Site administration / Users / Privacy and policies / Data requests"
      3. Confirm that you can create data requests.
      4. Confirm that you can view the data requests list.
      As m3
      1. Log in as m3.
      2. On your browser, manually enter the URL to the data requests page "[YOUR_MOODLE_URL]/admin/tool/dataprivacy/datarequests.php"
      3. Confirm that you get an error that says that only users with the privacy officer role can access the page.
      4. Confirm that on the error message, you see PO1 and PO2 listed.
      As m2
      1. Log in as m2.
      2. Go to "Site administration / Users / Privacy and policies / Data requests"
      3. Confirm that you can create data requests.
      4. Confirm that you can view the data requests list.
      5. On a different browser session (e.g. incognito mode), log in as an admin again.
      6. Go to "Site administration / Users / Permissions / Define roles"
      7. Edit the PO2 role and remove the capability "tool/dataprivacy:managedatarequests".
      8. Save the changes.
      9. Back on m2's browser window, refresh the data requests page.
      10. Confirm that you see an error that you don't have the required capability to access the page.
      As m3 again after PO2's capability has been revoked
      1. Log in as m3.
      2. On your browser, manually enter the URL to the data requests page "[YOUR_MOODLE_URL]/admin/tool/dataprivacy/datarequests.php"
      3. Confirm that you get an error that says that only users with the privacy officer role can access the page.
      4. Confirm that on the error message, you only now see PO1 listed.
    • Affected Branches:
      MOODLE_33_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • Fixed Branches:
      MOODLE_33_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE
    • Epic Link:
    • Pull 3.5 Branch:
      MDL-63184-35-2
    • Pull Master Branch:
      MDL-63184-master-2
    • Sprint:
      GDPR Followup Sprint 1

      Description

      1) Was looking for some changes when I realized that is_site_dpo(), used widely to decide which operations are allowed for a DPO, is simply calling get_site_dpos(), which doesn't perform any capability check, just looks for roles based on a config value.

      IMO, some capability should be checked, not sure if one, multiple, or maybe passed by param, but for sure we cannot decide permissions based solely on roles; capabilities are for that.

      2) Tangentially related to that, it's also the fact that, for the 1st time in 15 years (since admins and caps were invented), we are specifically/exceptionally denying admins access to something, based on some exceptional logic, say "admins can do everything but not tasks associated to POs". I personally find this exception (any in general) bad for the system.

      I could agree that they could be warned about proper POs existing and prevented from that but, still, they should continue doing everything. Of course, IMO. I know it was a decision but really it's killing the previous behavior for nothing. Should we start prohibiting them also from editing the gradebook or creating courses or enrolling people or editing profiles? We don't, so why is this case so, so exceptional?

      That is, surely only 1) is a real bug, but the 2) reflection really makes me not happy. Cannot find a logical justification.

      Ciao :.)
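As an illustration of the fix the report asks for (an added example, not Moodle's actual patch for this issue), the PHP check below treats the "Privacy officer role mapping" only as the list of candidate roles and then requires the tool/dataprivacy:managedatarequests capability before a user counts as a DPO. It assumes the mapping is stored as a comma-separated list of role ids in the tool_dataprivacy setting 'dporoles'; the function name is hypothetical, and the core Moodle functions it calls are named in the comments.

```php
<?php
// Illustrative DPO check (not Moodle's own code). Role membership alone never
// grants access; the capability does. Assumes the admin setting
// tool_dataprivacy/dporoles holds comma-separated role ids (labelled assumption).
defined('MOODLE_INTERNAL') || die();

/**
 * True only if $userid holds one of the mapped PO roles in the system context
 * AND has the capability that the data requests page is protected by.
 *
 * Uses core APIs: get_config(), context_system::instance(),
 * user_has_role_assignment(), has_capability().
 */
function is_site_dpo_with_capability(int $userid): bool {
    $syscontext = context_system::instance();
    $dporoles = get_config('tool_dataprivacy', 'dporoles');
    if (empty($dporoles)) {
        return false; // No mapping configured: nobody is a PO yet.
    }

    $hasporole = false;
    foreach (explode(',', $dporoles) as $roleid) {
        if (user_has_role_assignment($userid, (int) $roleid, $syscontext->id)) {
            $hasporole = true;
            break;
        }
    }
    if (!$hasporole) {
        // m3 in the testing instructions: assigned PO3, which is not mapped.
        return false;
    }

    // m2 after step 7: still holds PO2, but PO2 no longer grants the
    // capability, so the role mapping must not be enough on its own.
    return has_capability('tool/dataprivacy:managedatarequests', $syscontext, $userid);
}
```

Callers that currently rely on is_site_dpo() would then deny m2 once the capability is revoked from PO2, matching step 10 of the testing instructions, while m1 (PO1, capability intact) keeps access.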

              People

              Assignee:
              jpataleta Jun Pataleta
              Reporter:
              stronk7 Eloy Lafuente (stronk7)
              Peer reviewer:
              Michael Hawkins
              Integrator:
              Eloy Lafuente (stronk7)
              Tester:
              Anna Carissa Sadia
              Votes:
              1
              Watchers:
              3

                Dates

                Fix Release Date:
                12/Nov/18

                  Time Tracking

                  Estimated:
                  0m
                  Remaining:
                  0m
                  Logged:
                  2h 30m