Content processing and User trust

This epic is to evaluate and collate tracker issues that relate to how Moodle LMS processes, stores and displays content submitted from users; such as course content created by teachers and evaluate this against current functionality. Also to evaluate and collate tracker issues that relate to how users are trusted in Moodle as it relates to content content creation and delivery.

Moodle LMS, like most web based applications, exists in a world where security threats are constantly evolving, as are the toolsets and mitigations that are used to combat these threats. As such we need to constantly evaluate our security practices and decisions that were made in the past against the current climate. 

An important note is security in an application is very linked to the context that is applied. Scenarios that are desirable in some situations are unacceptable in others. Moodle LMS aims to provide functionality that allows organisations with different security and functionality needs to be catered for. This is done using a combination of configuration (like user capabilities and admin settings) as well as functional tools (like authentication plugins).

For example: In some parts of the world it is very common (and desirable) for students in a course to be able to see details of their peers, such as name and email addresses. In other parts of the world this is strictly forbidden. Moodle makes both of these cases achievable by a combination of user capabilities and configuration.

Not all issues linked to the tracker will be accessible to everyone as security issues are not public. If you wish to create an issue that relates to this tracker that you believe is a security issue the correct reporting procedure needs to be followed. The related documentation for this is here: https://moodledev.io/general/development/process/security. 

All reported security issues are reviewed and triaged with priority.