Critical Security Warning - Guest role

by Michael Ko -

We are seeing some critical security warnings on the security report (".../report/security/index.php"):

In relation to the Guest role, there is a strange message - The guest role "" is incorrectly defined! The guest role is used for guests, not logged in users and temporary guest course access. Please make sure no risky capabilities are allowed in this role. The only supported legacy type for guest role is Guest.

However, in the user policies page, the "Role for visitors" and "Role for guest" fields are set to Guest (the single option in the select):


We just want to be on the safe side, and ensure that we have the correct configuration here. We're also using a "Custom Student Role", but we are clearly aware of the role's permissions.

Thanks for any assistance.

In reply to Michael Ko

Re: Critical Security Warning - Guest role

by Michael Ko -

Any ideas?

In reply to Michael Ko

Re: Critical Security Warning - Guest role

by Emma Richardson -

The warnings are regarding the permissions for each role, not where the role is applied. It means that someone has customized the roles in question and that those roles might have permissions that cause security risks. Go to site admin/users/define roles and look at the permissions for each role.