Ordinary group members can be promoted to be an admin of "controlled" or "course" groups.
Bug #492009 reported by Ruslan Kabalin
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Fix Released | High | Richard Mansfield | |
Bug Description
Ordinary group members (those who are not site or institution admins or staff) can be promoted to be admins of "standard.
security vulnerability: no → yes
visibility: public → private
Changed in mahara:
assignee: nobody → François Marier (fmarier)
Changed in mahara:
milestone: none → 1.2.1
Changed in mahara:
status: Fix Committed → Fix Released
Changed in mahara:
importance: Undecided → High
assignee: François Marier (fmarier) → Richard Mansfield (richard-mansfield)
I don't think this should be treated as a security vulnerability. It could even be argued to be desired behaviour, if for example a group admin wants to delegate the maintenance of a particular controlled group to a normal user, but doesn't want that normal user to be able to create their own controlled groups.
I think we should probably apply this patch anyway (without the changes to whitespace); I haven't investigated it yet but suspect it's the easiest way to fix the bug in the drop-down.