  1. Moodle
  2. MDL-49301

privacy: tag/index.php, tag/search.php should be restrictable to logged in users


    • Improvement
    • Resolution: Won't Do
    • Major
    • None
    • 2.6.6, 2.7.5, 2.8.3
    • Tags
    • MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
    • MDL-49301-master

      In a server with guest login enabled, try to access the following pages through URL:

      • tag/edit.php
      • tag/index.php
      • tag/manage.php
      • tag/search.php
      • tag/tag_autocomplete.php

      Make sure you get the error message "No guests here" in all cases.


      The pages tag/index.php and tag/search.php can be reached by anyone if guest access is on.

      On these pages, anyone can access the list of users with pictures and full names, along with their associated interests.

      In my opinion (and in the opinion of a large school I work with), this should be restricted to logged in users as a default. A "site policies" option could be added to allow non-logged in users to access the page.

      In the file tag/tag_autocomplete.php, we found:

      require_login(0, false);
      if (isguestuser()) {
          // Guests should not be using this.
          die();
      }

      Why should guests not be using this, but can list the tags otherwise?
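      The restriction requested above, sketched as an added example (not code from this issue or from Moodle core). It assumes a Moodle 2.x page script under tag/; the helper name and the `tagsallowguests` setting are hypothetical, while `require_login()`, `isguestuser()` and `print_error()` are Moodle core functions.

```php
<?php
// Added example: guest gate for a tag page such as tag/index.php or tag/search.php.
// Assumption: this file lives in the tag/ directory of a Moodle 2.x site.
require_once('../config.php');

/**
 * Hypothetical helper: require a real (non-guest) account unless the
 * administrator has explicitly opted in to guest access.
 */
function example_tag_require_real_user() {
    global $CFG;

    // Hypothetical site policy setting. Unset or empty means "restricted",
    // so the default is the private behaviour requested in the issue.
    $allowguests = !empty($CFG->tagsallowguests);

    // The second argument controls automatic guest login. Passing false is
    // the call quoted from tag/tag_autocomplete.php: anonymous visitors are
    // sent to the login page instead of being silently logged in as guest.
    require_login(0, $allowguests);

    // A visitor who logged in as guest explicitly still passes require_login(),
    // so the guest account has to be refused separately.
    if (!$allowguests && isguestuser()) {
        // 'noguest' is the core error string behind "No guests here".
        print_error('noguest');
    }
}

example_tag_require_real_user();

// Only after the check does the page go on to build its output
// (user lists with pictures, full names and interests).
```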

            Unassigned
            pmaury
            Frédéric Massart
            Votes: 14
            Watchers: 11
