MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

by Michael Hawkins -
Number of replies: 1

Users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.


Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: Andrew Nicols
CVE identifier: CVE-2019-14828
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66181
Tracker issue: MDL-66181 Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course
In reply to Michael Hawkins

Re: MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

by Michael Hawkins -
Please note, this issue has been revisited in MDL-66683, as part of the latest minor releases. It appears this was not a bug, and that the original behaviour was the intended functionality. As this change was negatively impacting some course-creation workflows, the functionality has been reverted as of versions 3.7.3, 3.6.7 and 3.5.9.