Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-74341

Report builder audience form missing validation checks

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Minor Minor
    • 4.0
    • 4.0
    • Report builder
    • MOODLE_400_STABLE
    • MOODLE_400_STABLE
    • Hide
      1. Log in as admin
      2. Select Reports from user menu
      3. Create a new report
      4. Note the ID of the report, taken from the URL: 

        /reportbuilder/edit.php?id=<REPORTID>

      5. In report editor, press Audiences tab
      6. Add Assigned system role audience type
      7. Set Select a role to Course creator
      8. Press Save changes
      9. Press Edit audience 'Assigned system role'
      10. Confirm the form loads showing previously filled in fields
      11. Press Save changes
      12. Use browser tools to inspect the DOM for the audience Delete audience 'Assigned system role' button
      13. Locate the parent [data-region="audience-card"] node and note the ID of the audience: 

        data-instanceid="<AUDIENCEID>"

      14. Close report editor
      15. Create a new user
      16. Navigate to Users > Permissions > Assign system roles in site administration
      17. Add new user to Manager role
      18. Log out
      19. Log in as new user
      20. Open browser developer console to retrieve sesskey and cookie (examples below): 

        >> M.cfg.sesskey
        		 
        "yxTl2TEYw4"
        		 
        >> document.cookie.match(/MoodleSession=([^;]*)/)[1]
        		 
        "81cf4f10031c229bc3b1aad4488517d2"

      21. Execute the following commands from a terminal, noting the following that should be replaced by appropriate values:
        • <WWWROOT>
        • <SESSKEY>
        • <MOODLESESSION>
        • <REPORTID>
        • <AUDIENCEID> 

          $ # View audience form.
          		 
          $ curl -s '<WWWROOT>/lib/ajax/service.php?sesskey=<SESSKEY>&info=core_form_dynamic_form' --compressed -H 'Cookie: MoodleSession=<MOODLESESSION>' --data-raw '[{"index":0,"methodname":"core_form_dynamic_form","args":{"formdata":"reportid=<REPORTID>&id=<AUDIENCEID>&classname=core_reportbuilder%5Creportbuilder%5Caudience%5Csystemrole","form":"\\core_reportbuilder\\form\\audience"}}]' | python -m json.tool
          		 
          $
          		 
          $ # Edit audience form.
          		 
          $ curl -s '<WWWROOT>/lib/ajax/service.php?sesskey=<SESSKEY>&info=core_form_dynamic_form' --compressed -H 'Cookie: MoodleSession=<MOODLESESSION>' --data-raw '[{"index":0,"methodname":"core_form_dynamic_form","args":{"formdata":"id=<AUDIENCEID>&reportid=<REPORTID>&classname=core_reportbuilder%5Creportbuilder%5Caudience%5Csystemrole&sesskey=<SESSKEY>&_qf__core_reportbuilder_form_audience=1&roles=_qf__force_multiselect_submission&roles%5B%5D=2","form":"\\core_reportbuilder\\form\\audience"}}]' | python -m json.tool

      22. Confirm after each one you see an exception returned with the message 

        "You cannot edit this report"

      Show
      Log in as admin Select Reports from user menu Create a new report Note the ID of the report, taken from the URL: /reportbuilder/edit.php?id=<REPORTID> In report editor, press Audiences tab Add Assigned system role audience type Set Select a role to Course creator Press Save changes Press Edit audience 'Assigned system role' Confirm the form loads showing previously filled in fields Press Save changes Use browser tools to inspect the DOM for the audience Delete audience 'Assigned system role' button Locate the parent [data-region="audience-card"] node and note the ID of the audience: data-instanceid="<AUDIENCEID>" Close report editor Create a new user Navigate to Users > Permissions > Assign system roles in site administration Add new user to Manager role Log out Log in as new user Open browser developer console to retrieve sesskey and cookie (examples below): >> M.cfg.sesskey "yxTl2TEYw4" >> document.cookie.match(/MoodleSession=([^;]*)/)[1] "81cf4f10031c229bc3b1aad4488517d2" Execute the following commands from a terminal, noting the following that should be replaced by appropriate values: <WWWROOT> <SESSKEY> <MOODLESESSION> <REPORTID> <AUDIENCEID> $ # View audience form. $ curl -s '<WWWROOT>/lib/ajax/service.php?sesskey=<SESSKEY>&info=core_form_dynamic_form' --compressed -H 'Cookie: MoodleSession=<MOODLESESSION>' --data-raw '[{"index":0,"methodname":"core_form_dynamic_form","args":{"formdata":"reportid=<REPORTID>&id=<AUDIENCEID>&classname=core_reportbuilder%5Creportbuilder%5Caudience%5Csystemrole","form":"\\core_reportbuilder\\form\\audience"}}]' | python -m json.tool $ $ # Edit audience form. $ curl -s '<WWWROOT>/lib/ajax/service.php?sesskey=<SESSKEY>&info=core_form_dynamic_form' --compressed -H 'Cookie: MoodleSession=<MOODLESESSION>' --data-raw '[{"index":0,"methodname":"core_form_dynamic_form","args":{"formdata":"id=<AUDIENCEID>&reportid=<REPORTID>&classname=core_reportbuilder%5Creportbuilder%5Caudience%5Csystemrole&sesskey=<SESSKEY>&_qf__core_reportbuilder_form_audience=1&roles=_qf__force_multiselect_submission&roles%5B%5D=2","form":"\\core_reportbuilder\\form\\audience"}}]' | python -m json.tool Confirm after each one you see an exception returned with the message "You cannot edit this report"

      Small one, the permission checks for editing reports when manipulating report audiences are in the wrong place: https://github.com/moodle/moodle/blob/efda17d3b025228da28b7d62366eb11a09fd668e/reportbuilder/classes/form/audience.php#L122-L124 (should be in check_access_for_dynamic_submission())

      This means they are only checked when the dynamic form is submitted, which means the current form configuration can be requested if a user is able to guess and/or enumerate report/audience IDs leading to disclosure of information a user shouldn't have access to

        1. MDL-74341_1.png
          44 kB
          Angelia Dela Cruz
        2. MDL-74341_2.png
          197 kB
          Angelia Dela Cruz

            pholden Paul Holden
            pholden Paul Holden
            Michael Hawkins Michael Hawkins
            Jake Dallimore Jake Dallimore
            Angelia Dela Cruz Angelia Dela Cruz
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 2 hours, 30 minutes
                2h 30m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.