Skip to content

Commit

Permalink
MDL-18258 fixed legacy type and improved risky default course role hi…
Browse files Browse the repository at this point in the history 
…nts; backported from HEAD
  • Loading branch information
skodak committed Feb 15, 2009
1 parent 0ea8ab7 commit e613a1a
Show file tree
Hide file tree
Showing 2 changed files with 48 additions and 35 deletions.
79 changes: 46 additions & 33 deletions admin/report/security/lib.php
View file
Expand Up @@ -647,6 +647,16 @@ function report_security_check_courserole($detailed=false) {


$roleids = array_keys($student_roles); $roleids = array_keys($student_roles);


$sql = "SELECT DISTINCT rc.roleid
FROM {$CFG->prefix}role_capabilities rc
WHERE (rc.capability = 'moodle/legacy:coursecreator' OR rc.capability = 'moodle/legacy:admin'
OR rc.capability = 'moodle/legacy:teacher' OR rc.capability = 'moodle/legacy:editingteacher')
AND rc.permission = ".CAP_ALLOW."";

$riskyroleids = get_records_sql($sql);
$riskyroleids = array_keys($riskyroleids);


// first test if do anything enabled - that would be really crazy!!!!!! // first test if do anything enabled - that would be really crazy!!!!!!
$inroles = implode(',', $roleids); $inroles = implode(',', $roleids);
$sql = "SELECT rc.roleid, rc.contextid $sql = "SELECT rc.roleid, rc.contextid
Expand All @@ -670,41 +680,44 @@ function report_security_check_courserole($detailed=false) {
} }
rs_close($rs); rs_close($rs);


// risky caps in any level - usually very dangerous!! // any XSS legacy cap does not make any sense here!
$inroles = implode(',', $roleids); $inroles = implode(',', $riskyroleids);
$sql = "SELECT rc.roleid, rc.contextid $sql = "SELECT DISTINCT c.id, c.shortname
FROM {$CFG->prefix}role_capabilities rc FROM {$CFG->prefix}course c
JOIN {$CFG->prefix}capabilities cap ON cap.name = rc.capability WHERE c.defaultrole IN ($inroles)
WHERE ".sql_bitand('cap.riskbitmask', (RISK_XSS | RISK_CONFIG))." <> 0 ORDER BY c.sortorder";
AND rc.permission = ".CAP_ALLOW." if ($courses = get_records_sql($sql)) {
AND rc.roleid IN ($inroles) foreach ($courses as $course) {
GROUP BY rc.roleid, rc.contextid $a = (object)array('url'=>"$CFG->wwwroot/course/edit.php?id=$course->id", 'shortname'=>$course->shortname);
ORDER BY rc.roleid, rc.contextid"; $problems[] = get_string('check_courserole_riskylegacy', 'report_security', $a);
$rs = get_recordset_sql($sql);
while ($res = rs_fetch_next_record($rs)) {
$roleid = $res->roleid;
$contextid = $res->contextid;
if ($contextid == SYSCONTEXTID) {
$a = "$CFG->wwwroot/$CFG->admin/roles/manage.php?action=view&amp;roleid=$roleid";
} else {
$a = "$CFG->wwwroot/$CFG->admin/roles/override.php?contextid=$contextid&amp;roleid=$roleid";
} }
$problems[] = get_string('check_courserole_risky', 'report_security', $a); } else {
} $course = array();
rs_close($rs); }


// course creator or administrator does not make any sense here! // risky caps in any level for roles not marked as risky yet - usually very dangerous!!
$inroles = implode(',', $roleids); if ($checkroles = array_diff($roleids, $riskyroleids)) {
$sql = "SELECT DISTINCT rc.roleid $inroles = implode(',', $checkroles);
FROM {$CFG->prefix}role_capabilities rc $sql = "SELECT rc.roleid, rc.contextid
WHERE (rc.capability = 'moodle/legacy:coursecreator' OR rc.capability = 'moodle/legacy:admin') FROM {$CFG->prefix}role_capabilities rc
AND rc.permission = ".CAP_ALLOW." JOIN {$CFG->prefix}capabilities cap ON cap.name = rc.capability
AND rc.roleid IN ($inroles)"; WHERE ".sql_bitand('cap.riskbitmask', (RISK_XSS | RISK_CONFIG))." <> 0
if ($legacys = get_records_sql($sql)) { AND rc.permission = ".CAP_ALLOW."
foreach ($legacys as $roleid=>$unused) { AND rc.roleid IN ($inroles)
$a = "$CFG->wwwroot/$CFG->admin/roles/manage.php?action=view&amp;roleid=$roleid"; GROUP BY rc.roleid, rc.contextid
$problems[] = get_string('check_defaultcourserole_legacy', 'report_security', $a); ORDER BY rc.roleid, rc.contextid";
$rs = get_recordset_sql($sql);
while ($res = rs_fetch_next_record($rs)) {
$roleid = $res->roleid;
$contextid = $res->contextid;
if ($contextid == SYSCONTEXTID) {
$a = "$CFG->wwwroot/$CFG->admin/roles/manage.php?action=view&amp;roleid=$roleid";
} else {
$a = "$CFG->wwwroot/$CFG->admin/roles/override.php?contextid=$contextid&amp;roleid=$roleid";
}
$problems[] = get_string('check_courserole_risky', 'report_security', $a);
} }
rs_close($rs);
} }




Expand Down
4 changes: 2 additions & 2 deletions lang/en_utf8/report_security.php
View file
Expand Up @@ -32,7 +32,7 @@
$string['check_courserole_details'] = '<p>Each course has one default enrolment role specified. Please make sure no risky capabilities are allowed for this role.</p> $string['check_courserole_details'] = '<p>Each course has one default enrolment role specified. Please make sure no risky capabilities are allowed for this role.</p>
<p>The only supported legacy type for the default course role is <em>Student</em>.</p>'; <p>The only supported legacy type for the default course role is <em>Student</em>.</p>';
$string['check_courserole_error'] = 'Incorrectly defined default course roles detected!'; $string['check_courserole_error'] = 'Incorrectly defined default course roles detected!';
$string['check_courserole_legacy'] = 'Unsupported legacy type detected in the <a href=\"$a\">role</a>.'; $string['check_courserole_riskylegacy'] = 'Risky legacy type detected in <a href=\"$a->url\">$a->shortname</a>.';
$string['check_courserole_name'] = 'Default roles (courses)'; $string['check_courserole_name'] = 'Default roles (courses)';
$string['check_courserole_notyet'] = 'Used only default course role.'; $string['check_courserole_notyet'] = 'Used only default course role.';
$string['check_courserole_ok'] = 'Default course role definitions is OK.'; $string['check_courserole_ok'] = 'Default course role definitions is OK.';
Expand All @@ -42,7 +42,7 @@
$string['check_defaultcourserole_details'] = '<p>The default student role for course enrolment specifies the default role for courses. Please make sure no risky capabilities are allowed in this role.</p> $string['check_defaultcourserole_details'] = '<p>The default student role for course enrolment specifies the default role for courses. Please make sure no risky capabilities are allowed in this role.</p>
<p>The only supported legacy type for default role is <em>Student</em>.</p>'; <p>The only supported legacy type for default role is <em>Student</em>.</p>';
$string['check_defaultcourserole_error'] = 'Incorrectly defined default course role \"$a\" detected!'; $string['check_defaultcourserole_error'] = 'Incorrectly defined default course role \"$a\" detected!';
$string['check_defaultcourserole_legacy'] = 'Unsupported legacy type detected.'; $string['check_defaultcourserole_legacy'] = 'Risky legacy type detected.';
$string['check_defaultcourserole_name'] = 'Default course role (global)'; $string['check_defaultcourserole_name'] = 'Default course role (global)';
$string['check_defaultcourserole_notset'] = 'Default role is not set.'; $string['check_defaultcourserole_notset'] = 'Default role is not set.';
$string['check_defaultcourserole_ok'] = 'Site default role definition is OK.'; $string['check_defaultcourserole_ok'] = 'Site default role definition is OK.';
Expand Down

0 comments on commit e613a1a

Please sign in to comment.