front page can be edited

by Greg Rodenhiser
Number of replies: 2

I tripped upon what I think is a pretty big security hole in the front page. If any user on the latest Moodle 2.4.3+ is in edit mode on any page in Moodle (say they are a course teacher and are making changes to a course, or even any user doing an edit on their public profile page), they can simply click Home (or navigate to the front page, without turning off edit mode in something they have edit rights to) and have rights to edit and add content to the front page. 

We're running the newest 2.4.3+ code and using LDAP for authentication. 

In reply to Greg Rodenhiser

Re: front page can be edited

by Mary Cooch

Are you absolutely sure? I just updated to the latest 2.4.3+ to test this, and my teacher in a course with editing on, when he goes to the front page, doesn't see the edit icons or have the ability to edit the front page, which is how it should be. I wonder: either do your teachers have site-wide privileges, or is there an issue with global privileges in your LDAP setup?

In reply to Mary Cooch

Re: front page can be edited

by Greg Rodenhiser

D'oh, hanging my head in shame..... My account (non-admin) was in a custom role that somehow slips into having publish rights on the front page if navigated via the means I explained above. Sorry, my bad!!!! Nothing to see here :(