Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Critical
Fix Version/s: 2.8.9, 2.9.3
Affects Version/s: 2.8.6, 2.9
Component/s: Reports, Roles / Access, Web Services
Labels:
- ci
- triaged

Affected Branches:
MOODLE_28_STABLE, MOODLE_29_STABLE
Fixed Branches:
MOODLE_28_STABLE, MOODLE_29_STABLE
Pull from Repository:
git://github.com/jleyva/moodle.git
Pull Main Branch:
~~MDL-50613~~-master
Pull Main Diff URL:
https://github.com/jleyva/moodle/compare/fd57d68...MDL-50613-master
Documentation link:
https://docs.moodle.org/dev/Webservice_protocols
Testing Instructions:
Hide

Do a clean Moodle installation

Enable Mobile services in Plugins -> Web Services -> Mobile

Go to the site Report -> Security Overview

Ensure that the Default role for all users reports shows a OK

Do an upgrade of an existing Moodle installation with Mobile Services Enabled

Go to the site Report -> Security Overview and ensure that the Default role for all users reports shows a OK
Show
Do a clean Moodle installation Enable Mobile services in Plugins -> Web Services -> Mobile Go to the site Report -> Security Overview Ensure that the Default role for all users reports shows a OK Do an upgrade of an existing Moodle installation with Mobile Services Enabled Go to the site Report -> Security Overview and ensure that the Default role for all users reports shows a OK

When mobile web services are enabled on a site (for Moodle Mobile app users), the security overview report shows the default role for all users with status 'Critical' due to the webservice capabilities being allowed for the authenticated user role.

The Security report on default user role documentation explains this 'Critical' status and accompanying message 'The default user role "Authenticated user" is incorrectly defined!', however it remains a concern for admins, as mentioned in a recent forum post Re: Critical security issue with default role for all users.

Should the security report on default user role status be changed from 'Critical'?
Should the message be changed?
Should the documentation provide further explanation?

blocks

MDL-51478 Enable the Mobile service by default in Moodle 3.0

Closed

has been marked as being related by

MDL-67852 Security overview report shows critical warning for "Default role for all users" with default requestdelete config

Closed

MDL-69025 Authenticated User permission "tool/dataprivacy:requestdelete" results in critical warning

Closed

Assignee:: Juan Leyva

Reporter:: Helen Foster

Peer reviewer:: Dani Palou

Integrator:: David Monllaó

Tester:: Frédéric Massart

Participants:: CiBoT, Dani Palou, Dan Poltawski, David Monllaó, Eloy Lafuente (stronk7), Frédéric Massart, Helen Foster, Jon Bolton, Juan Leyva, Marina Glancy, Michael Hawkins

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 17/Jun/15 6:24 AM

Updated:: 12/Jun/20 4:38 AM

Resolved:: 09/Oct/15 6:21 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates

Clockify