Security and privacy

XSS Trusted Users list longer than it should be given our settings


Disclaimer: This is an old issue I first noticed years ago. At the time, I did all the reading I could but didn't have the understanding or time to go further with it. Last year I finally tried to get assistance from our hosting provider, but they didn't seem to understand it as a real problem. sad So now I'm bringing it up where people seem to understand these things better in the hopes that there might still be a solution for it.

The Security Overview Report on our 3.4.3 Moodle site has a warning for XSS Trusted Users that it's found 1003 users that have to be trusted. We have 1969 users, so that's about half of them. I remember very clearly that in former days, the number displayed here was much smaller--only two digits, and probably less than 40. I've read as much documentation as I can, and I've confirmed that only 4 roles on our site have the "trustcontent" permission allowed: Manager, Course Design Specialist (a role created off of Manager), Teacher, and Teaching Assistant (all other roles have it not set).

This post from back in 2015 https://moodle.org/mod/forum/discuss.php?d=279780 suggests to me that this error might very well have happened during an upgrade... which would fit my perception of how/when I first noticed the change... but if that's true then I'm hooped because there's no way we can roll back through all those versions and redo.

I'd like to try unticking the box for Enable Trusted content and then reticking it just to see if that makes any difference... but I'm wondering if doing that will trigger the site to clean all of our existing, previously-entered content. Does anybody know? Or have any advice for this situation?

Re: XSS Trusted Users list longer than it should be given our settings

I didn't change any settings, but it's now down to 984 users that have to be trusted. The change probably occurred because of a software update. That figure is better, but still not desirable.

I'm still interested in hearing if anyone else has any info or experience that might inform this scenario.

Re: XSS Trusted Users list longer than it should be given our settings

I have recently become aware of the same issue. We want teachers to add trusted content, but according to the security report everybody (at a given moment), even fake student accounts, was regarded as trusted and prohibiting the capability in student role and authenticated user does not bring down the number of trusted users. I thought this was set exclusively through the role?

I guess your number of trusted users dropped when those users were removed?

Rgrds,
Paul.

Re: XSS Trusted Users list longer than it should be given our settings

Thanks for your comments, Paul. It's nice to hear I'm not alone! ;)

The number suggested by the discrepancy between my two spot-checks is 19, so I guess it's possible we removed 19 students or other persons/roles from courses during that time frame (1003-984=19). Thanks for bringing that to my attention--it makes more sense to me than my former speculation that the site upgrade somehow impacted the count.

The number of trusted users on my site is apparently now at 1018.

As of this moment, I have 2004 users in total on my site. Users have the following roles in a course or courses:

Norton Trial Access role 0
Guest 0
Course View Only 3
Touring Guest 3
Participant 644
Student 374
Student Services 1
Non-editing Teacher 2
TA 16
Teacher 47
Course Creator 0
Course Design Specialist 1
Manager 2

If I add up all of these numbers I get 1093. If I try to remove some of the redundancy from people with multiple roles, I get about 1060. So basically it seems as if anyone with any role anywhere on the site is on the XSS Trusted Users warning list. Not a happy scenario if it's a true and accurate warning... but perhaps only unnecessarily annoying if it's somehow just a faulty report (?).

I wish I knew what I could do to fix it. If you learn anything more about this, Paul, I'd love to hear about it.