Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-64984

Can create global glossary without being Admin

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.1.14, 3.4.5, 3.5.2, 3.5.4, 3.6.2
    • Fix Version/s: None
    • Component/s: Filters, Glossary
    • Labels:
    • Affected Branches:
      MOODLE_31_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE

      Description

      A glossary can only be defined as a global glossary by site admins. As glossary terms of a global glossary are shown to everybody it has to be trusted content. If it contains malicious code this is a security risk.

      Nevertheless a user on my moodle instance was able to break that rule without doing it with purpose. In our case this broke the site functionality as users were presented links to those glossaries without having access to it. If moodle modal of the glossary filter works it is just annoying, but in the cases that the browser followed the links the users only got an error that they can not access the resource.

      This may also be a security issue if the glossary embeds malicious code.

      The problem is as follows:

      If a course on an external moodle site is archived the setting globalglossary is stored. This is necessary to recover this setting when the course is restored within the same site.

      If the very same course-archive is restored on another moodle-site this setting is also restored and it is not checked if the user that imports the archive has the permissions to configure a glossary as global glossary. That way every user that has the privilege to restore courses (normally Trainers and above) can create global glossaries and could as a consequence present malicious code to all users of a site.

      Therefore there exist two approaches to fix that problem:

      1. When a glossary is restored the setting "globalglossary" is only restored if the user is a site admin
      2. (the better option) Before the glossary filter links the words it checks if the user has access to the underlying glossary. That way a globalglossary could also be used for sub-areas (e.g. specific course categories for subjects)

      Approach #2 would allow the option "globalglossary" to be opened to other people than site admins as the access to the glossary is a requirement for it to work, although the setting should than be renamed.

       

        Attachments

          Activity

            People

            Assignee:
            Unassigned
            Reporter:
            rschrenk Robert Schrenk
            Participants:
            Component watchers:
            Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated: