Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Major
Fix Version/s: 3.4.8, 3.5.5, 3.6.3
Affects Version/s: 3.1.16, 3.4.7, 3.5.3, 3.6.2, 3.7
Component/s: Roles / Access
Labels:
- release_notes
- triaged

Affected Branches:
MOODLE_31_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE
Fixed Branches:
MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
Testing Instructions:

Hide

This is tested via CI

Show
This is tested via CI

Description

None of these functions actually check that a capability exists.
As a result it is possible to assign a fake capability and have that exist in some situations.

Similarly a typo in a call to get_users_by_capability, could lead to a negated check, which could cause access where it should be denied.

For example:

$userswithcap = get_users_by_capability($context, 'modle/site:dosomething');

foreach ($enrolledusers as $user) {

    if (!isset$userswithcap[$user->id])) {

        // Do something which we would not recommend.

For the most part this issue is relatively trivial but mis-use of capabilities could allow for greater problems which make this potentially more serious.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

MDL-64971-34.mdk.patch
17 kB
06/Mar/19 10:30 AM
MDL-64971-35.mdk.patch
17 kB
06/Mar/19 10:30 AM
MDL-64971-36.mdk.patch
17 kB
06/Mar/19 10:30 AM
MDL-64971-master.mdk.patch
17 kB
06/Mar/19 10:30 AM

Activity

People

Assignee:: Andrew Lyons

Reporter:: Andrew Lyons

Peer reviewer:: Shamim Rezaie

Integrator:: Eloy Lafuente (stronk7)

Tester:: CiBoT

Participants:: Andrew Lyons, CiBoT, Eloy Lafuente (stronk7), Jun Pataleta, Michael Hawkins, Shamim Rezaie

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 28/Feb/19 9:37 AM

Updated:: 08/Mar/19 12:54 AM

Resolved:: 08/Mar/19 12:54 AM

Fix Release Date:: 11/Mar/19

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

3h 10m