
cohort_get_cohort can bypass context validation if $withcustomfields is true

Details

    • Sprint: Team Alpha - Sprint 2 I2-2023

    Description

      A regression caused by MDL-77130.

      Patch coming soon.

      Reproduce:

      1. Imagine you have cat1 and cat2, which are sibling categories.
      2. You have course1, which is in cat1.
      3. You have a cohort whose context is cat2.
      4. Call cohort_get_cohort($cohort->id, \context_course::instance($course1->id), true);
      5. The above call is supposed to return false, but it returns the cohort info.

      It's not really exploitable by a user via the UI. However, it is possible to use the API in a third-party plugin, for example, to get cohort info where it shouldn't be allowed.

      It might be reclassified as a security benefit issue.
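      The reproduce steps above written as a PHPUnit regression test. This is an added example, not part of the tracker issue or of Moodle's own test suite; it assumes Moodle's advanced_testcase, its data generator (create_category, create_course, create_cohort) and the signature cohort_get_cohort($cohortid, $currentcontext, $withcustomfields = false) from cohort/lib.php.

```php
<?php
// Added regression test for the context check in cohort_get_cohort().
// Assumes Moodle's advanced_testcase and data generator; not Moodle's own code.

defined('MOODLE_INTERNAL') || die();

global $CFG;
require_once($CFG->dirroot . '/cohort/lib.php');

class cohort_get_cohort_context_test extends advanced_testcase {

    public function test_sibling_category_cohort_is_not_visible_from_course(): void {
        $this->resetAfterTest();
        $generator = $this->getDataGenerator();

        // Step 1: two sibling categories.
        $cat1 = $generator->create_category();
        $cat2 = $generator->create_category();

        // Step 2: a course inside cat1.
        $course1 = $generator->create_course(['category' => $cat1->id]);

        // Step 3: a cohort whose context is cat2 (a sibling of course1's category).
        $cat2context = context_coursecat::instance($cat2->id);
        $cohort = $generator->create_cohort(['contextid' => $cat2context->id]);

        $coursecontext = context_course::instance($course1->id);

        // Without custom fields the context check applies: cat2 is not a parent of course1.
        $this->assertFalse(cohort_get_cohort($cohort->id, $coursecontext, false));

        // Step 4/5: with $withcustomfields = true the result must still be false.
        // On affected versions this assertion fails because the cohort record is returned.
        $this->assertFalse(cohort_get_cohort($cohort->id, $coursecontext, true));

        // Control: from the cohort's own context the lookup succeeds in both modes.
        $visible = cohort_get_cohort($cohort->id, $cat2context, true);
        $this->assertNotFalse($visible);
        $this->assertEquals($cohort->id, $visible->id);
    }
}
```

      Run with vendor/bin/phpunit on a Moodle checkout that includes MDL-77130; the second assertion is the one that distinguishes a fixed tree from an affected one.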

      People

        Ilya Tregubov
        Kevin Percy
        Sara Arjona (@sarjona)
        CiBoT

        Votes: 1
        Watchers: 5

      Time Tracking

        Estimated: 0m
        Remaining: 0m
        Logged: 2h