More info about security updates

by Tiffany Morgan -

Hello

Sorry for a cross post - I was recommended to post here rather than the General forum where I started.

We are planning an upgrade to 2.7.3. I wanted to get more info about a few of the security updates so I can better understand any implications or impact they might have on the LTI tools we use (the issues are MSA-14-0039 Insufficient access check in LTI module and MSA-14-0046 CSRF in LTI module). I'm a bit nervous that changes to this might prevent our LTI tools from working properly after the upgrade. How can I go about learning more about these changes (or really any security changes)?

Thanks!


Re: More info about security updates

by Tim Hunt -

There are two links in each MSA-... which can possibly be used to get more information:

  1. The link to the original MDL-... issue at https://tracker.moodle.org/. This link is unlikely to help, because security issues can only be seen by a limited set of people. In this case, the contents of the tracker issues do not add much to the security advisories.
  2. The link to the actual change, e.g. http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47921. From there, you need to click the little 'commitdiff' link to see what really changed. E.g. http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=c844af2569e972195db8bca683c1fdf2ddbc3a59. To interpret that, you need to be able to read PHP code, which is not something everyone can do. In this case it is improving the check that the user is logged in, and checking that they have the permission they should have to access this activity.

My reading of all this is that these changes will not stop your LTI activities from working. They will only stop you if you are trying to hack the system - which is what security fixes are supposed to stop.

So, probably the reason that the advisories were so brief is that there was nothing interesting to say, and no risk to talk about from applying the fixes. Moodle code has various standard techniques to make life harder for malicious hackers. Those checks had been accidentally left out of this code, and now they have been added. No worries.
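For readers who want to recognise the kind of change Tim describes when they open a commitdiff, here is an added, constructed illustration of the standard Moodle access checks for an activity page (login, capability and session-key checks). It is not the code from the MDL-47921 commit or from the LTI module itself; the script path, the request parameters and the `action` branch are assumptions made for the example, while `require_login`, `require_capability`, `require_sesskey` and the `mod/lti:view` capability are real Moodle APIs.

```php
<?php
// Constructed illustration of Moodle's standard access checks, not the
// actual commitdiff for the advisories discussed above.
require_once(__DIR__ . '/../../config.php');

// Course module id and an optional state-changing action, both from the
// request. PARAM_* types make Moodle clean the raw input before use.
$id     = required_param('id', PARAM_INT);
$action = optional_param('action', '', PARAM_ALPHA);

// Resolve the LTI instance this request claims to be about; MUST_EXIST
// turns an unknown id into an error instead of a silent null.
$cm     = get_coursemodule_from_id('lti', $id, 0, false, MUST_EXIST);
$course = get_course($cm->course);

// 1. Authentication: the user must be logged in and allowed to see this
//    course module. Without this line the page would answer anonymous
//    requests, which is what an "insufficient access check" looks like.
require_login($course, true, $cm);

// 2. Authorisation: being logged in is not the same as being allowed to
//    use this activity, so check the capability in the module context.
$context = context_module::instance($cm->id);
require_capability('mod/lti:view', $context);

// 3. CSRF protection: anything that changes state must carry the user's
//    session key, so a form forged on another site is rejected here.
if ($action !== '') {
    require_sesskey();
    // ... perform the action (assumed for this example) ...
}

// Links that trigger the action must include the session key, otherwise
// step 3 rejects them; moodle_url builds such a link for the page itself.
$actionurl = new moodle_url('/mod/lti/view.php', [
    'id'      => $cm->id,
    'action'  => 'refresh',   // hypothetical action name
    'sesskey' => sesskey(),
]);
```

If a commitdiff adds lines like the `require_login`, `require_capability` or `require_sesskey` calls above, the fix only tightens who may reach that page; a correctly configured LTI tool launched by an enrolled user is unaffected.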