MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course

MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course

by Marina Glancy -
Number of replies: 0
Description: Event monitor tool checked access to the course or activity only when subscription was created but did not re-evaluate it when sending notifications. This can result in unenrolled user receiving notifications with information they no longer can access.
Issue summary: Event monitor notifications do not check user access to the course/activity (for example after teacher has been unenrolled)
Severity/Risk: Minor
Versions affected: 3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12
Versions fixed: 3.1.1, 3.0.5 and 2.9.7
Reported by: Stuart R Mealor
Issue no.: MDL-53431
CVE identifier: CVE-2016-5014
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53431