Security and privacy

Greg Rodenhiser
front page can be edited
I tripped upon what I think is a pretty big security hole in the front page. If any user on the latest Moodle 2.4.3+ is in edit mode on any page in Moodle (say they are a course teacher making changes to a course, or even any user editing their public profile page), they can simply click Home (or navigate to the front page without turning off edit mode in something they have edit rights to) and have rights to edit and add content to the front page.
We're running the newest 2.4.3+ code and using LDAP for authentication. 
Mary Cooch
Re: front page can be edited
Are you absolutely sure? I just updated to the latest 2.4.3+ to test this, and my teacher in a course with editing on does not see the edit icons or have the ability to edit the front page when he goes there, which is how it should be. I wonder: either your teachers have site-wide privileges, or there is an issue with global privileges in your LDAP setup?
Greg Rodenhiser
Re: front page can be edited
D'oh, hanging my head in shame... My account (non-admin) was in a custom role that somehow slips into having publish rights on the front page if navigated to via the means I explained above. Sorry, my bad! Nothing to see here.
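The root cause in this thread was a custom role that granted editing rights on the front page, not a bug in edit mode. The queries below are an added example (not from the thread or from Moodle itself) of how an administrator can audit that directly in the Moodle database rather than by clicking around. They assume the default `mdl_` table prefix, Moodle's standard context levels (CONTEXT_SYSTEM = 10, CONTEXT_COURSE = 50), the front page being course id 1 (SITEID), and CAP_ALLOW = 1 for the `permission` column. The capability list is a working assumption about which capabilities matter for front-page editing; extend it for your site.

```sql
-- Added example: find roles that grant front-page editing capabilities,
-- either globally (system context, contextlevel 10) or directly on the
-- front page's own course context (contextlevel 50, instanceid 1 = SITEID).
-- Assumes the default mdl_ table prefix and CAP_ALLOW = 1.
SELECT r.id        AS roleid,
       r.shortname AS role,
       CASE c.contextlevel
            WHEN 10 THEN 'system'
            WHEN 50 THEN 'front page'
       END         AS defined_at,
       rc.capability
FROM   mdl_role_capabilities rc
JOIN   mdl_role    r ON r.id = rc.roleid
JOIN   mdl_context c ON c.id = rc.contextid
WHERE  rc.permission = 1
  AND  rc.capability IN (
         'moodle/course:update',            -- edit course/front-page settings
         'moodle/course:manageactivities',  -- add/edit activities in edit mode
         'moodle/site:manageblocks',        -- add/edit blocks on the front page
         'moodle/site:config'               -- full site administration
       )
  AND  ( c.contextlevel = 10
         OR (c.contextlevel = 50 AND c.instanceid = 1) )
ORDER BY r.shortname, rc.capability;

-- Added example: list the users who hold any such role where it applies to
-- the front page (a system-level assignment or one on the front-page context).
-- A role assigned only inside an ordinary course does not reach the front page,
-- so those assignments are deliberately excluded.
SELECT u.username,
       r.shortname AS role,
       CASE c.contextlevel
            WHEN 10 THEN 'system'
            WHEN 50 THEN 'front page'
       END         AS assigned_at
FROM   mdl_role_assignments ra
JOIN   mdl_user    u ON u.id = ra.userid
JOIN   mdl_role    r ON r.id = ra.roleid
JOIN   mdl_context c ON c.id = ra.contextid
WHERE  ( c.contextlevel = 10
         OR (c.contextlevel = 50 AND c.instanceid = 1) )
  AND  ra.roleid IN (
         SELECT rc.roleid
         FROM   mdl_role_capabilities rc
         JOIN   mdl_context cc ON cc.id = rc.contextid
         WHERE  rc.permission = 1
           AND  rc.capability IN ('moodle/course:update',
                                  'moodle/course:manageactivities',
                                  'moodle/site:manageblocks',
                                  'moodle/site:config')
           AND  ( cc.contextlevel = 10
                  OR (cc.contextlevel = 50 AND cc.instanceid = 1) )
       )
ORDER BY u.username, r.shortname;
```

Any non-admin account that shows up in the second result set is one that will be able to edit the front page no matter how it got there; in this thread that was a custom role assigned at the system level. Note that these queries only look at CAP_ALLOW entries and ignore CAP_PREVENT/CAP_PROHIBIT overrides and inherited permissions, so treat a hit as a lead to confirm in Site administration > Users > Permissions > Check system permissions, not as a final verdict.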