Moodle tracker issue MDL-42502

Roles: Possible to override your permissions to give you permissions you don't have


    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Minor
    • Affects version: 2.4.6
    • Component: Roles / Access
    • Affected branch: MOODLE_24_STABLE

      1. Create new role based on the Manager archetype with settings as follows:
      a) Set shortname limitedmanager, full name 'Limited manager'.
      b) Change 'Allow role assignments', 'Allow role overrides', and 'Allow role switches' options to just Student.
      c) Turn off the 'Delete courses' capability (moodle/course:delete) and the 'Create and manage roles' capability (moodle/role:manage).

      In other words, we want this user to be able to set up overrides for students on all courses, and to assign students, but not to be able to delete courses.

      2. Create a new test user account (any settings). This is a new account only to make sure it doesn't have any other roles that could confuse testing.

      3. Assign test user to the 'Limited manager' role using User/Permissions/Assign system roles.

      4. Create a new course with default settings (or use existing course).

      5. Log out as admin and log into the course main page using the test account.

      6. Go to the Users/Permissions screen and search for moodle/course:delete capability.

      EXPECTED: The capability is shown along with the roles that have it, but you cannot add the capability.

      BEFORE FIX: Before the fix, you can exploit this using the following sequence:

      a) Click the + to add the capability.
      b) Select Student role, OK.
      c) Go to Enrolled users, click 'Enrol users'.
      d) Search for yourself and click 'Enrol' to add Student role.
      e) Go to course main page, then change URL from 'view.php' to 'delete.php'
      f) Continue through - you can delete the course.


      All users with permission to override permissions (moodle/role:override) and assign certain roles can grant themselves additional permissions, and there isn't a way to configure the system to stop it.

      Assume that the user is not allowed to override permissions for their own role (via 'Allow role overrides' checkboxes). What they can do instead is override the permissions for a role that they ARE permitted to change (e.g. Student). Then grant themselves the Student role on the course. Then do whatever it is they want to do; then change the permissions back.

      This is based on a real incident that happened with our live system.

      We think the best way to solve this problem is to make it so that even if you are allowed to override permissions for a role, you cannot grant a capability for any role (change it from any other status -> Allow) if you do not yourself have that capability.

      Such capabilities should appear on the list when overriding capabilities, but should be read-only.
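The rule proposed above, as an added example that is not Moodle's code: a constructed model of role definitions, course-level overrides and the usual allow/prevent/prohibit aggregation, with a `hardened` switch that refuses any change to Allow for a capability the acting user does not hold. It models only the override check and assumes the self-enrolment step is permitted by 'Allow role assignments'; the role, user and course names are made up.

```python
CAP_INHERIT, CAP_ALLOW, CAP_PREVENT, CAP_PROHIBIT = 0, 1, -1, -1000   # Moodle's permission values

class AccessModel:
    """Constructed model: system-level role definitions, per-course overrides, role assignments."""
    def __init__(self, role_defs, allow_override):
        self.role_defs = role_defs            # role -> {capability: permission}
        self.allow_override = allow_override  # role -> set of roles it may override
        self.overrides = {}                   # (course, role) -> {capability: permission}
        self.assignments = {}                 # (course or None for system, user) -> set of roles

    def assign(self, user, role, course=None):
        self.assignments.setdefault((course, user), set()).add(role)

    def roles_of(self, user, course):
        return self.assignments.get((None, user), set()) | self.assignments.get((course, user), set())

    def has_capability(self, cap, course, user):
        allowed = False
        for role in self.roles_of(user, course):
            perm = self.overrides.get((course, role), {}).get(cap, CAP_INHERIT)
            if perm == CAP_INHERIT:                       # no override: fall back to role definition
                perm = self.role_defs.get(role, {}).get(cap, CAP_INHERIT)
            if perm == CAP_PROHIBIT:
                return False                              # prohibit beats any allow
            allowed = allowed or perm == CAP_ALLOW        # allow in one role beats prevent in another
        return allowed

    def override(self, actor, course, role, cap, perm, hardened):
        if not self.has_capability("moodle/role:override", course, actor):
            raise PermissionError("actor lacks moodle/role:override")
        if not any(role in self.allow_override.get(r, set()) for r in self.roles_of(actor, course)):
            raise PermissionError(f"actor may not override role {role}")
        # Proposed MDL-42502 rule: a change to Allow requires the actor to hold the capability.
        if hardened and perm == CAP_ALLOW and not self.has_capability(cap, course, actor):
            raise PermissionError(f"actor cannot grant {cap} without holding it")
        self.overrides.setdefault((course, role), {})[cap] = perm

def limited_manager_can_delete(hardened):
    """Replays the report's sequence; True means the limited manager ends up able to delete the course."""
    m = AccessModel({"limitedmanager": {"moodle/role:override": CAP_ALLOW}, "student": {}},
                    {"limitedmanager": {"student"}})     # 'Delete courses' is not set for the manager
    m.assign("mallory", "limitedmanager")                 # system role assignment (step 3)
    try:
        m.override("mallory", "course1", "student", "moodle/course:delete", CAP_ALLOW, hardened)
    except PermissionError:
        return False                                      # the override itself is refused
    m.assign("mallory", "student", "course1")             # enrols self as Student (step d)
    return m.has_capability("moodle/course:delete", "course1", "mallory")
```

With `hardened=False` the replay ends with the capability granted; with `hardened=True` the override is refused at the point where the user tries to grant a capability they do not have, while changes to Prevent or Prohibit and grants of capabilities they do hold still go through.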

      There may be an issue with a very few capabilities that are not really capabilities, such as the 'do you appear in completion tracking' capability. I'm not sure what to do about that.

      We think this may be a minor security issue. It is a minor issue because it applies only to people with the moodle/role:override permission (or technically moodle/role:safeoverride permission but with much more limited risk in that case), which is people who should be relatively trusted already. However, the ability to control permissions even for relatively trusted users is fairly important.

      I am proposing to work on a patch for this issue.

            Assignee: Sam Marshall (quen)
            Reporter: Sam Marshall (quen)
            Votes: 2
            Watchers: 7
