  1. Moodle
  2. MDL-81072

MFA callback to add bulk user action does not check capability


    • MOODLE_403_STABLE
    • MOODLE_403_STABLE
    • MDL-81072-403

      Testing instructions:

      • Create a Moodle 4.3 instance
      • Login as a user with 'Manager' role
      • Go to Site administration > Users > Bulk user actions
      • Verify that you don't see "Reset user authentication factor" menu in "With selected users..."
    • 6
    • Team Hedgehog 2024 Sprint 1.3

      First of all, it is not a security issue, since the capability is checked in the backend.

      Jun noticed a bug fix I was trying to sneak as part of MDL-80548 and asked me to create a bug report for it.

      Reproduction instructions:

      • Login as a user with 'Manager' role
      • Go to Site administration > Users > Bulk user actions
      • You will see in the bulk action menu the action to reset MFA, but if you try to select it, it will throw an exception
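
The mismatch described in this report, modelled as an added stand-alone PHP example (not Moodle's code and not the patch for this issue): a menu callback that offers an action the backend refuses, the same callback with the matching check, and a regression check that flags any action a role is offered but denied. The role map, capability names and function names are hypothetical stand-ins for Moodle's access API.

```php
<?php
// Constructed role -> capability map standing in for Moodle's access API.
const ROLE_CAPS = [
    'manager' => ['user:bulkactions'],
    'admin'   => ['user:bulkactions', 'mfa:resetfactor'],
];
// Capability each bulk action's handler requires (hypothetical names).
const ACTION_CAP = ['mfa_reset' => 'mfa:resetfactor'];

function user_can(string $role, string $cap): bool {
    return in_array($cap, ROLE_CAPS[$role] ?? [], true);
}

// Before: the menu callback offers the action without looking at capabilities.
function bulk_actions_unchecked(string $role): array {
    return ['mfa_reset' => 'Reset user authentication factor'];
}

// After: the callback applies the same capability the handler enforces.
function bulk_actions_checked(string $role): array {
    return user_can($role, ACTION_CAP['mfa_reset'])
        ? ['mfa_reset' => 'Reset user authentication factor']
        : [];
}

// Backend handler: the authoritative check, independent of what the menu showed.
function run_bulk_action(string $role, string $action, array $userids): string {
    if (!user_can($role, ACTION_CAP[$action])) {
        throw new RuntimeException('nopermissions: ' . ACTION_CAP[$action]);
    }
    return "$action applied to " . count($userids) . ' user(s)';
}

// Regression check: every action a role is offered must be one the handler accepts.
function offered_but_denied(callable $callback): array {
    $mismatches = [];
    foreach (array_keys(ROLE_CAPS) as $role) {
        foreach (array_keys($callback($role)) as $action) {
            try {
                run_bulk_action($role, $action, [101, 102]); // constructed user ids
            } catch (RuntimeException $e) {
                $mismatches[] = "$role sees '$action' but gets: " . $e->getMessage();
            }
        }
    }
    return $mismatches;
}

print_r(offered_but_denied('bulk_actions_unchecked'));
print_r(offered_but_denied('bulk_actions_checked'));
```
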

            stevani.andolo@moodle.com Stevani Andolo
            marina Marina Glancy
            David Woloszyn David Woloszyn
            Safat Shahin Safat Shahin
            Kim Jared Lucas Kim Jared Lucas