Moodle.org: MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

Security announcements

MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

◄ MSA-19-0023: Forum subscribe link contained an open redirect if forced subscription mode was enabled
MSA-19-0024: Assigned Role in Cohort did not un-assign on removal ►

MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

by Michael Hawkins - Monday, September 16, 2019, 4:09 PM

Users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.

Severity/Risk:	Minor
Versions affected:	3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed:	3.7.2, 3.6.6 and 3.5.8
Reported by:	Andrew Nicols
CVE identifier:	CVE-2019-14828
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66181
Tracker issue:	MDL-66181 Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

Re: MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

by Michael Hawkins - Monday, November 11, 2019, 12:13 PM

Please note, this issue has been revisited in MDL-66683, as part of the latest minor releases. It appears this was not a bug, and that the original behaviour was the intended functionality. As this change was negatively impacting some course-creation workflows, the functionality has been reverted as of versions 3.7.3, 3.6.7 and 3.5.9.