Oh dear - forum security issue??

by Gavin Stokes
Number of replies: 9
Hi all,
I have just noticed that students may view the forum posts of teachers, even posts that a teacher has made to courses and forums that the student does not have access to, simply by clicking the Forum posts tab in the teacher's profile page.
Have I missed some setting somewhere to keep teachers' (and admins'!) posts private, or is this a security hole with potentially embarrassing consequences?
Any help greatly appreciated!
Gav
In reply to Gavin Stokes

Re: Oh dear - forum security issue??

by Martin Dougiamas
This sort of thing was fixed some time ago ... you may be using an old version of Moodle or perhaps you've found a new bug.

If the latter, please file it in the Moodle Tracker with details.
In reply to Martin Dougiamas

Re: Oh dear - forum security issue??

by Gavin Stokes
We're using version 1.7. I'll try to add this to the tracker today. Cheers!
In reply to Gavin Stokes

Re: Oh dear - forum security issue??

by Jerome Decuq
That's a HUGE problem, my students found out that if you clicked on the name of someone in a forum post on the frontpage you could then access all his posts in all the site's forums, regardless of whether you were registered or not in the courses. And for two days they've read messages they were REALLY not supposed to read, till I found out. I had to delete completely (after a backup) the "teachers only" courses because it was such an emergency I didn't know what else to do. I'm running 1.7.1+.
I had a look in the bug tracker but couldn't find anything? Gavin, did you report it, or shall I do it?
In reply to Jerome Decuq

Re: Oh dear - forum security issue??

by Gavin Stokes
Reported 4 Feb here:
http://tracker.moodle.org/browse/MDL-8420

Looks like Vy-Shane Sin Fat has it sorted.

I'll try updating ours and report back.

Cheers!


In reply to Gavin Stokes

Re: Oh dear - forum security issue??

by Jerome Decuq
AFAIK, I've updated accesslib, and I still have the same problem when a user accesses another user's data through a forum post made at site level (they can read all the posts from all courses).
At course level, it seems to be OK.
Thanks for letting me know how it's working for you, Gavin.
In reply to Jerome Decuq

Re: Oh dear - forum security issue??

by Vy-Shane Sin Fat
For the courses where you don't want guests to be able to read forum posts, ensure that the default guest role has the capability mod/forum:viewdiscussions set to "prevent".
In reply to Gavin Stokes

Re: Oh dear - forum security issue??

by luca marcovati
Gavin writes:
"noticed that students may view the forum posts of teachers, even posts that a teacher has made to courses and forums that the student does not have access to simply by clicking the Forum posts tab in the teacher's profile page."

Hi Gavin, we have the same problem. We downloaded 1.7 last Saturday.
Wow, that's a big deal.


Luca