Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-66713

Bad implementation in security fix MSA-19-0019 / MDL-66181

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 3.5.8, 3.6.6, 3.7.2
    • Fix Version/s: None
    • Component/s: Course, Roles / Access
    • Labels:
      None
    • Affected Branches:
      MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE

      Description

      Hello,

      It seems that

      https://tracker.moodle.org/browse/MDL-66181
      https://moodle.org/mod/forum/discuss.php?d=391031

      is badly implemented since I didn't find any documentation concerning this change in moodle documentation.

      Suddenly making this scope of a change should be better documented in Moodle documentation and also you should inform moodle administratos if this scope of a change is going to happen (one forum post doesn't really cut it).

      To get it working again you now have to give coursecreator moodle/role:assign before they can get teacher role on the courses they create.

      Also moodle/role:assign is concerned as a XSS-risk, risk of gaining other users information and users can spam other useers.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                urpokarhu Jari Vilkman
                Participants:
                Component watchers:
                Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: