- Bug
- Resolution: Fixed
- Major
- 3.1.16, 3.4.7, 3.5.3, 3.6.2, 3.7
- MOODLE_31_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE
- MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
None of these functions actually check that a capability exists.
As a result, it is possible to assign a fake capability and have it exist in some situations.
Similarly, a typo in a call to get_users_by_capability could lead to a negated check, which could cause access where it should be denied.
For example:
    // The capability name is misspelled ('modle' instead of 'moodle'), so it does not exist.
    $userswithcap = get_users_by_capability($context, 'modle/site:dosomething');
    foreach ($enrolledusers as $user) {
        if (!isset($userswithcap[$user->id])) {
            // Do something which we would not recommend.
        }
    }
For the most part this issue is relatively trivial, but misuse of capabilities could allow for greater problems, which makes this potentially more serious.
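The failure mode described above, as an added stand-alone example (not Moodle code and not taken from this issue): a lookup that accepts unknown capability names next to one that rejects them. Every function name, the capability registry and the user ids are hypothetical and constructed for illustration.

```php
<?php
// Added illustration: a simplified in-memory stand-in for capability lookups.
// All names below are hypothetical and are not Moodle's accesslib API.

const KNOWN_CAPABILITIES = ['moodle/site:dosomething'];  // constructed registry
const GRANTS = ['moodle/site:dosomething' => [2, 5]];    // constructed: user ids holding it

// Lenient lookup: an unknown capability name silently yields "nobody has it".
function users_by_capability_lenient(string $capability): array {
    return array_fill_keys(GRANTS[$capability] ?? [], true);
}

// Strict lookup: an unknown capability name is a coding error, so fail loudly.
function users_by_capability_strict(string $capability): array {
    if (!in_array($capability, KNOWN_CAPABILITIES, true)) {
        throw new InvalidArgumentException("Unknown capability: $capability");
    }
    return users_by_capability_lenient($capability);
}

// The negated pattern from the report: select every user who lacks the capability.
function users_without(array $enrolled, array $userswithcap): array {
    return array_values(array_filter($enrolled, fn($id) => !isset($userswithcap[$id])));
}

$enrolled = [1, 2, 3, 5];  // constructed sample user ids

// Correct name: only the users who really lack the capability are selected.
$ok = users_without($enrolled, users_by_capability_lenient('moodle/site:dosomething'));
echo 'correct name: ', implode(',', $ok), "\n";

// Typo ('modle'): the lookup returns an empty set, so the negated check selects everyone.
$bad = users_without($enrolled, users_by_capability_lenient('modle/site:dosomething'));
echo 'typo, lenient: ', implode(',', $bad), "\n";

// Strict lookup turns the same typo into an immediate, visible failure.
try {
    users_by_capability_strict('modle/site:dosomething');
} catch (InvalidArgumentException $e) {
    echo 'typo, strict: rejected (', $e->getMessage(), ")\n";
}
```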