Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 3.1.16, 3.4.7, 3.5.3, 3.6.2, 3.7
- Component/s: Roles / Access
- Labels:
- Testing Instructions:
- Affected Branches: MOODLE_31_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE
- Fixed Branches: MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
Description
None of these functions actually check that a capability exists.
As a result it is possible to assign a fake capability and have it treated as a real one in some situations.
Similarly, a typo in the capability name passed to get_users_by_capability returns no users at all, so a negated check on the result is true for everyone and grants access where it should be denied.
For example:
    // Note the deliberate typo ('modle' instead of 'moodle'): no such capability exists, so $userswithcap is empty.
    $userswithcap = get_users_by_capability($context, 'modle/site:dosomething');
    foreach ($enrolledusers as $user) {
        if (!isset($userswithcap[$user->id])) {
            // Do something which we would not recommend.
            // Because $userswithcap is empty, this branch runs for every enrolled user.
        }
    }
For the most part this issue is relatively trivial, but misuse of capabilities could lead to greater problems, which makes it potentially more serious.
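The following stand-alone PHP script is an added illustration, not Moodle code: a constructed stand-in for get_users_by_capability() that, like the real function, does not validate the capability name, the negated check from the report applied to a typo'd name, and a hypothetical require_known_capability() guard that fails closed when the name is not in a constructed registry of known capabilities.

```php
<?php
// Constructed stand-in for the capability registry (real Moodle reads the
// capabilities table); only these names are considered to exist.
$knowncapabilities = ['moodle/site:dosomething', 'moodle/course:view'];

// Constructed stand-in for get_users_by_capability(): it performs no check
// that $capname exists, so an unknown or misspelled name yields an empty array.
function fake_get_users_by_capability(string $capname, array $grants): array {
    $result = [];
    foreach ($grants as $userid => $caps) {
        if (in_array($capname, $caps, true)) {
            $result[$userid] = (object)['id' => $userid];
        }
    }
    return $result;
}

// Hypothetical guard: reject names that are not registered capabilities.
function require_known_capability(string $capname, array $known): void {
    if (!in_array($capname, $known, true)) {
        throw new InvalidArgumentException("Unknown capability: {$capname}");
    }
}

// Constructed data: user 1 holds the capability, users 2 and 3 do not.
$grants = [1 => ['moodle/site:dosomething'], 2 => [], 3 => ['moodle/course:view']];
$enrolledusers = [(object)['id' => 1], (object)['id' => 2], (object)['id' => 3]];

// Pattern from the report: misspelled capability plus a negated check.
// The lookup silently returns [], so every enrolled user ends up in $selected.
$userswithcap = fake_get_users_by_capability('modle/site:dosomething', $grants);
$selected = [];
foreach ($enrolledusers as $user) {
    if (!isset($userswithcap[$user->id])) {
        $selected[] = $user->id;   // intended: only users lacking the capability
    }
}
echo "Negated check with typo selects users: " . implode(',', $selected) . "\n";

// Hardened: validate the name before using the result, so the typo fails closed
// instead of being interpreted as "nobody has this capability".
try {
    require_known_capability('modle/site:dosomething', $knowncapabilities);
} catch (InvalidArgumentException $e) {
    echo "Guard rejected: " . $e->getMessage() . "\n";
}
```

Running the script shows all three constructed users selected by the typo'd negated check, while the guard raises on the same misspelled name.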