Moodle / MDL-80124

Admin preset tool doesn't correctly prevent the deletion of core presets


    • MOODLE_401_STABLE
    • MOODLE_402_STABLE, MOODLE_403_STABLE
    • MDL-80124-403
      1. Log in as admin
      2. Navigate to General > Site admin presets in site administration
      3. Create a new preset
      4. Press Actions > Delete for your new preset
      5. Manually amend the URL parameters, so that they read (change the id to one of the pre-installed presets):

        ?action=delete&id=2
        

      6. Confirm you see the following error:

        Error deleting from database.
        

      7. Navigate back to Site admin presets
      8. Press Actions > Delete for your new preset
      9. Press Delete in the confirmation step
      10. Confirm your new preset is deleted

      There is front-end logic (only) to prevent the deletion of the pre-installed admin presets (Starter & Full): https://github.com/moodle/moodle/blob/14414fe253f8cb96c4b1a69c45145e9e2df41f33/admin/tool/admin_presets/classes/output/presets_list.php#L108-L118

      However, there is no backend logic of the same, meaning we can amend the URL to delete them.

      I've marked this as "Could be a security issue", although I don't think it actually represents one - we could probably mark as "security_benefit" - michaelh, thoughts?
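
      The gap described above, as an added PHP illustration (not Moodle's code and not the fix that was integrated): a UI rule that hides Delete for core presets, next to a delete handler without and with the same check. The function names, the `iscore` flag and the preset data are hypothetical and constructed for this example; the error text is the one quoted in the testing steps.

```php
<?php
declare(strict_types=1);
// Added illustration; all names are hypothetical, not Moodle APIs.

// Constructed sample data: two pre-installed (core) presets and one admin-created preset.
function sample_presets(): array {
    return [
        1 => ['name' => 'Starter', 'iscore' => true],
        2 => ['name' => 'Full', 'iscore' => true],
        3 => ['name' => 'My preset', 'iscore' => false],
    ];
}

// Front-end logic: the Delete action is only offered for non-core presets.
function actions_for(array $preset): array {
    return $preset['iscore'] ? ['review'] : ['review', 'delete'];
}

// Before: the handler assumes the id came from a Delete link the UI rendered.
function delete_preset_unchecked(array &$presets, int $id): void {
    unset($presets[$id]);
}

// After: the handler enforces the same rule itself, whatever the UI showed.
function delete_preset_checked(array &$presets, int $id): void {
    if (!isset($presets[$id]) || $presets[$id]['iscore']) {
        throw new RuntimeException('Error deleting from database.');
    }
    unset($presets[$id]);
}

// The UI offers no Delete action for the core preset with id 2.
echo 'UI actions for id 2: ', implode(', ', actions_for(sample_presets()[2])), "\n";

// The id parameter is still caller-controlled, so the unchecked handler removes it.
$before = sample_presets();
delete_preset_unchecked($before, 2);
echo 'Unchecked handler, remaining: ', implode(', ', array_column($before, 'name')), "\n";

// The checked handler rejects id 2 but still deletes the admin's own preset.
$after = sample_presets();
try {
    delete_preset_checked($after, 2);
} catch (RuntimeException $e) {
    echo 'Checked handler, id 2: ', $e->getMessage(), "\n";
}
delete_preset_checked($after, 3);
echo 'Checked handler, remaining: ', implode(', ', array_column($after, 'name')), "\n";
```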

            pholden Paul Holden
            pholden Paul Holden
            Stevani Andolo Stevani Andolo
            Ilya Tregubov Ilya Tregubov
            Kim Jared Lucas Kim Jared Lucas