MDL-63184

is_site_dpo() doesn't check for any capability and it seems it should


    • MOODLE_33_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • MOODLE_33_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE
    • MDL-63184-master-2
      Setup
      1. Log in as an admin.
      2. Create 3 Privacy officer roles, PO1, PO2, PO3.
      3. Go to "Site administration / Users / Permissions / Assign system roles"
      4. Assign the following users to the following PO roles:
        m1 PO1
        m2 PO2
        m3 PO3
      5. Go to "Site administration / Users / Privacy and policies / Privacy settings"
      6. Tick PO1 and PO2 for the "Privacy officer role mapping" setting. Save the changes.
      As admin
      1. Go to "Site administration / Users / Privacy and policies / Data requests"
      2. Confirm that you can create data requests.
      3. Confirm that you can view the data requests list.
      As m1
      1. Log in as m1.
      2. Go to "Site administration / Users / Privacy and policies / Data requests"
      3. Confirm that you can create data requests.
      4. Confirm that you can view the data requests list.
      As m3
      1. Log in as m3.
      2. On your browser, manually enter the URL to the data requests page "[YOUR_MOODLE_URL]/admin/tool/dataprivacy/datarequests.php"
      3. Confirm that you get an error that says that only users with the privacy officer role can access the page.
      4. Confirm that on the error message, you see PO1 and PO2 listed.
      As m2
      1. Log in as m2.
      2. Go to "Site administration / Users / Privacy and policies / Data requests"
      3. Confirm that you can create data requests.
      4. Confirm that you can view the data requests list.
      5. On a different browser session (e.g. incognito mode), log in as an admin again.
      6. Go to "Site administration / Users / Permissions / Define roles"
      7. Edit the PO2 role and remove the capability "tool/dataprivacy:managedatarequests".
      8. Save the changes.
      9. Back on m2's browser window, refresh the data requests page.
      10. Confirm that you see an error that you don't have the required capability to access the page.
      As m3 again after PO2's capability has been revoked
      1. Log in as m3.
      2. On your browser, manually enter the URL to the data requests page "[YOUR_MOODLE_URL]/admin/tool/dataprivacy/datarequests.php"
      3. Confirm that you get an error that says that only users with the privacy officer role can access the page.
      4. Confirm that on the error message, you only now see PO1 listed.
    • GDPR Followup Sprint 1

      1) I was looking for some changes when I realized that is_site_dpo(), used widely to decide which operations are allowed for a DPO, is simply calling get_site_dpos(), which doesn't perform any capability check, just looks for roles based on the config value.

      IMO, some capability should be checked; not sure if one, multiple, or maybe passed by param, but for sure we cannot decide permissions based solely on roles. Capabilities are for that.

      2) Tangentially related to that, there's also the fact that, for the 1st time in 15 years (since admins and caps were invented), we are specifically/exceptionally denying admins access to something, based on some exceptional logic, say "admins can do everything but not tasks associated with POs". I personally find this exception (any, in general) bad for the system.

      I could agree that they could be warned about proper POs existing and cautioned about that but, still, they should continue doing everything. Of course, IMO. I know it was a decision, but really it's killing the previous behavior for nothing. Should we also start prohibiting them from editing the gradebook, creating courses, enrolling people or editing profiles? We don't, so why is this case so, so exceptional?

      That is, surely only 1) is a real bug, but the 2) reflection really makes me unhappy. I cannot find a logical justification.

      Ciao :.)
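      The role-only lookup described in point 1) beside a capability-gated version, as an added illustration that is not Moodle's own code nor the fix landed for this issue. It assumes a Moodle runtime (config.php loaded) and assumes the "Privacy officer role mapping" setting is stored as a comma-separated list of role ids under the config key tool_dataprivacy/dporoles; the function names prefixed example_ are hypothetical, and the capability name is the one the testing instructions revoke from PO2.

```php
<?php
// Added example (not Moodle's own code). Requires a Moodle environment.
// Assumption: the privacy officer role mapping lives in tool_dataprivacy/dporoles.
defined('MOODLE_INTERNAL') || die();

/** Role ids ticked under "Privacy officer role mapping" (config key is an assumption). */
function example_dpo_roleids(): array {
    $raw = (string) get_config('tool_dataprivacy', 'dporoles');
    return array_filter(array_map('intval', explode(',', $raw)));
}

/** Before: holding a mapped role in the system context is enough to count as a DPO. */
function example_get_site_dpos_roles_only(): array {
    $context = context_system::instance();
    $dpos = [];
    foreach (example_dpo_roleids() as $roleid) {
        foreach (get_role_users($roleid, $context, false, 'u.id, u.username') as $user) {
            $dpos[$user->id] = $user;   // no capability consulted at all
        }
    }
    return $dpos;
}

/** After: the mapped role narrows the candidates, the capability decides. */
function example_get_site_dpos_with_capability(): array {
    $context = context_system::instance();
    $dpos = [];
    foreach (example_dpo_roleids() as $roleid) {
        foreach (get_role_users($roleid, $context, false, 'u.id, u.username') as $user) {
            // m2 in the test script drops out here once PO2 loses the capability,
            // even though the role mapping itself is unchanged.
            if (has_capability('tool/dataprivacy:managedatarequests', $context, $user)) {
                $dpos[$user->id] = $user;
            }
        }
    }
    return $dpos;
}

/** Capability-aware replacement for the role-only is_site_dpo() style of check. */
function example_is_site_dpo(int $userid): bool {
    return array_key_exists($userid, example_get_site_dpos_with_capability());
}
```

      With the test script's setup, both versions list m1 and m2 and exclude m3; only the capability-gated version stops listing m2 after step 7 of the "As m2" section.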

        Attachment: MDL-63184.PNG (114 kB, Anna Carissa Sadia)

        People: Jun Pataleta (jpataleta), Eloy Lafuente (stronk7), Michael Hawkins, Anna Carissa Sadia