  1. Moodle
  2. MDL-67852

Security overview report shows critical warning for "Default role for all users" with default requestdelete config


    • MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE
    • MOODLE_401_STABLE, MOODLE_402_STABLE
    • MDL-67852_MOODLE_401_NEW
    • MDL-67852_MOODLE_402_NEW
    • MDL-67852_MASTER_NEW
    • Testing instructions:
      1. Log in to Moodle and purge the cache for "Language strings"
      2. Go to site administration/Users/Privacy and policies/Privacy settings (<host>/admin/settings.php?section=privacysettings)
      3. Check "Automatic data deletion request approval" is disabled
      4. Go to site administration/Reports/Security checks (<host>/report/security/index.php)
      5. Check "Default role for all users" is showing "OK"
      6. Click the more info link in that row, check the new details text about the "Automatic data deletion request approval" option is there
      7. Go to site administration/Users/Privacy and policies/Privacy settings (<host>/admin/settings.php?section=privacysettings)
      8. Enable the "Automatic data deletion request approval" option and save changes
      9. Go to site administration/Reports/Security checks (<host>/report/security/index.php)
      10. Check "Default role for all users" is showing a "Critical" warning

    • 7

      Permission tool/dataprivacy:requestdelete is marked as RISK_DATALOSS and given to the "Authenticated user" role by default, which leads to a critical warning in the "Default role for all users" item of the "Security overview" page with a message: The default user role "Authenticated user" is incorrectly defined! This has the potential to cover up a real configuration mistake.

      The correct behaviour here should be: if "Automatic data deletion request approval" (tool_dataprivacy | automaticdatadeletionapproval) is disabled in site admin (which it is by default), deletion requests must be approved, so then a "critical" status should not be displayed.

      For the time being, if that option is enabled: users can request deletions for either themselves/another user/minors, they do have the direct ability to delete large amounts of data, and that does need to be flagged as "critical" in the report. We can re-evaluate if this needs to be dropped back to "warning" at a later date.
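
The behaviour requested above, as an added example that is not Moodle's code or the patch for this issue: a stand-alone PHP model of the check's decision. The function name, the `example/...` capability names, the sample data and the set of risk types treated as critical are assumptions; only `tool/dataprivacy:requestdelete`, RISK_DATALOSS and the `automaticdatadeletionapproval` setting come from the issue.

```php
<?php
// Simplified stand-alone model of the "Default role for all users" check.
// Risk bit values mirror Moodle's RISK_* constants; the critical mask is an assumption.
const RISK_CONFIG    = 0x0002;
const RISK_XSS       = 0x0004;
const RISK_DATALOSS  = 0x0020;
const CRITICAL_RISKS = RISK_CONFIG | RISK_XSS | RISK_DATALOSS;

/**
 * Hypothetical helper modelling the check.
 *
 * @param array $allowed     capability name => risk bitmask, for capabilities the role allows
 * @param bool  $autoapprove value of tool_dataprivacy | automaticdatadeletionapproval
 * @return array [status, capabilities that triggered it]
 */
function check_default_user_role(array $allowed, bool $autoapprove): array {
    $offending = [];
    foreach ($allowed as $capability => $riskmask) {
        if (($riskmask & CRITICAL_RISKS) === 0) {
            continue; // Carries none of the risk types this check treats as critical.
        }
        // With manual approval the grant only lets a user file a request; nothing is deleted.
        if ($capability === 'tool/dataprivacy:requestdelete' && !$autoapprove) {
            continue;
        }
        $offending[] = $capability;
    }
    return [$offending ? 'critical' : 'ok', $offending];
}

// Constructed sample data: the default grant, then the same role with one extra risky grant.
$default = [
    'example/plugin:view'            => 0,             // hypothetical capability, no risk
    'tool/dataprivacy:requestdelete' => RISK_DATALOSS, // default grant described in the issue
];
$misconfigured = $default + ['example/plugin:deleteall' => RISK_DATALOSS]; // hypothetical capability

$cases = [
    'default role, approval required'   => [$default, false],
    'default role, automatic approval'  => [$default, true],
    'extra risky cap, approval required' => [$misconfigured, false],
];
foreach ($cases as $label => [$caps, $auto]) {
    [$status, $why] = check_default_user_role($caps, $auto);
    printf("%-36s %-9s %s\n", $label, $status, implode(', ', $why));
}
```

The third case is the one the issue is concerned about: once the default grant stops raising a permanent critical result, a real misconfiguration on the same role is no longer masked by it.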

       

            aydevworks Alex Yeung
            KevinC Kevin Chen
            Alistair Spark Alistair Spark
            Ilya Tregubov Ilya Tregubov
            Ron Carl Alfon Yu Ron Carl Alfon Yu
            Votes: 28
            Watchers: 37


                Estimated: 0m
                Remaining: 0m
                Logged: 2h 55m
