Bug
Resolution: Fixed
Minor
3.7.4, 3.8.1, 3.9, 3.9.22, 3.10.10, 3.11.6, 4.0
7
Permission tool/dataprivacy:requestdelete is marked as RISK_DATALOSS and given to the "Authenticated user" role by default, which leads to a critical warning in the "Default role for all users" item of the "Security overview" page with a message: The default user role "Authenticated user" is incorrectly defined! This has the potential to cover up a real configuration mistake.
The correct behaviour here should be: if "Automatic data deletion request approval" (tool_dataprivacy | automaticdatadeletionapproval) is disabled in site admin (which it is by default), deletion requests must be approved, so then a "critical" status should not be displayed.
For the time being if that option is enabled: users can request deletions for either themselves/another user/minors, they do have the direct ability to delete large amounts of data, and that does need to be flagged as "critical" in the report. We can re-evaluate if this needs to be dropped back to "warning" at a later date.
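A stand-alone sketch of the behaviour described above, added here as an example and not Moodle's actual fix: the function name, the set of risks treated as critical, and the sample capability rows are assumptions. It shows that exempting tool/dataprivacy:requestdelete while automatic approval is disabled still leaves any other risky capability in the default role flagged.

```php
<?php
// Stand-alone sketch: no Moodle code is loaded. The constants stand in for
// Moodle's capability risk bitmask; the capability rows below are constructed.
const RISK_CONFIG   = 0x0002;
const RISK_XSS      = 0x0004;
const RISK_DATALOSS = 0x0020;

/**
 * Hypothetical helper: status of the "Default role for all users" check.
 *
 * @param array $allowedcaps  capability name => risk bitmask, for every
 *                            capability allowed in the default user role
 * @param bool  $autoapproval tool_dataprivacy | automaticdatadeletionapproval
 * @return array [status, capabilities that triggered it]
 */
function default_role_check_status(array $allowedcaps, bool $autoapproval): array {
    // Assumption: these are the risks the check treats as critical.
    $risky = RISK_XSS | RISK_CONFIG | RISK_DATALOSS;
    $offending = [];
    foreach ($allowedcaps as $capname => $riskbitmask) {
        if (($riskbitmask & $risky) === 0) {
            continue;
        }
        // With automatic approval off, a deletion request still has to be
        // approved, so this capability alone must not raise "critical".
        if ($capname === 'tool/dataprivacy:requestdelete' && !$autoapproval) {
            continue;
        }
        $offending[] = $capname;
    }
    return [$offending ? 'critical' : 'ok', $offending];
}

// Constructed sample data; the local/example:* capabilities are hypothetical.
$stock = [
    'tool/dataprivacy:requestdelete' => RISK_DATALOSS,
    'local/example:view'             => 0,
];
$misconfigured = $stock + ['local/example:purge' => RISK_CONFIG | RISK_DATALOSS];

foreach ([[$stock, false], [$stock, true], [$misconfigured, false]] as [$caps, $auto]) {
    [$status, $why] = default_role_check_status($caps, $auto);
    printf("autoapproval=%s status=%s caps=%s\n",
        $auto ? 'on' : 'off', $status, implode(',', $why) ?: '-');
}
```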
- caused a regression
MDL-78811 Security overview report shows duplicate column 'contextid' warning in default role user check
- Closed
- has a non-specific relationship to
MDL-50613 Enabling mobile web services results in 'Critical' status in security overview report
- Closed
- is duplicated by
MDL-69025 Authenticated User permission "tool/dataprivacy:requestdelete" results in critical warning
- Closed