MDL-64971: get_with_capability_join, get_users_by_capability, assign/unassign_capability do not check the cap exists


    Details

    • Testing Instructions:
      This is tested via CI
    • Affected Branches:
      MOODLE_31_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE
    • Fixed Branches:
      MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE

      Description

      None of these functions actually checks that the capability it is given exists.
      As a result it is possible to assign a fake (non-existent) capability and have that assignment persist in some situations.

      Similarly, a typo in a call to get_users_by_capability could lead to a negated check, which could cause access where it should be denied.

      For example:

      // The capability name is misspelt ('modle' instead of 'moodle'), so this
      // returns an empty array rather than failing.
      $userswithcap = get_users_by_capability($context, 'modle/site:dosomething');
      foreach ($enrolledusers as $user) {
          // With an empty array, the negated check is true for every user.
          if (!isset($userswithcap[$user->id])) {
              // Do something which we would not recommend.
          }
      }

      For the most part this issue is relatively trivial, but misuse of capabilities could allow for greater problems, which makes this potentially more serious.
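      A defensive way to write the same check, added here as an illustration and not taken from the MDL-64971 patch. It assumes Moodle core's get_capability_info(), has_capability() and coding_exception; the helper assert_capability_exists() and the capability name are constructed for the example.

```php
<?php
// Added example (not from the MDL-64971 patch). Assumes Moodle core's
// get_capability_info(), has_capability() and coding_exception are loaded;
// assert_capability_exists() is a hypothetical helper name.

/**
 * Fail closed: refuse to continue if the capability name is not defined.
 * A typo such as 'modle/site:dosomething' then raises a coding_exception
 * instead of producing an empty result set that a negated check turns
 * into "allow everyone".
 */
function assert_capability_exists(string $capability): void {
    // get_capability_info() returns null for an unknown capability name.
    if (get_capability_info($capability) === null) {
        throw new coding_exception("Capability '{$capability}' does not exist.");
    }
}

// Constructed placeholder name: replace with a real capability in use.
$capability = 'moodle/site:dosomething';
assert_capability_exists($capability);

// Prefer a positive per-user check over negating a bulk lookup. An empty
// result from get_users_by_capability() can only ever mean "nobody", and
// has_capability() returns false for an unknown capability, so a typo
// denies access rather than granting it.
foreach ($enrolledusers as $user) {
    if (has_capability($capability, $context, $user)) {
        // Only users who actually hold the capability reach this branch.
    }
}
```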

        Attachments

        1. MDL-64971-34.mdk.patch (17 kB, Andrew Nicols)
        2. MDL-64971-35.mdk.patch (17 kB, Andrew Nicols)
        3. MDL-64971-36.mdk.patch (17 kB, Andrew Nicols)
        4. MDL-64971-master.mdk.patch (17 kB, Andrew Nicols)


                Dates

                Fix Release Date: 11/Mar/19

                Time Tracking

                Estimated: Not Specified
                Remaining: 0m
                Logged: 3h 10m