Ordinary group members can be promoted to be an admin of "controlled" or "course" groups.

Bug #492009 reported by Ruslan Kabalin on 2009-12-03
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
High
Richard Mansfield

Bug Description

Ordinary group members (those who are not site or institution admins or staff) can be promoted to be admins of "standard.controlled", "course.controlled" and "course.request" groups through Group->Members->"Change Role" interface (/group/changerole.php). This should not be permitted. When the ordinary user is promoted to be such admin, not only the error on group_get_grouptype_options() function call will pop-up (group type drop-down menu), as ordinary user can only be admin of invite/request/open standard groups, but also such user can remove original group admin and institution or site admin will end up having uncontrolled "course group".

security vulnerability: no → yes
visibility: public → private

I don't think this should be treated as a security vulnerability. It could even be argued to be desired behaviour, if for example a group admin wants to delegate the maintenance of a particular controlled group to a normal user, but doesn't want that normal user to be able to create their own controlled groups.

I think we should probably apply this patch anyway (without the changes to whitespace); I haven't investigated it yet but suspect it's the easiest way to fix the bug in the drop-down.

Changed in mahara:
assignee: nobody → François Marier (fmarier)
Changed in mahara:
milestone: none → 1.2.1
François Marier (fmarier) wrote :

Committed on master and 1.2_STABLE with only minor whitespace changes.

Thanks again Ruslan!

security vulnerability: yes → no
visibility: private → public
Changed in mahara:
status: New → Fix Committed
Ruslan Kabalin (rkabalin) wrote :

Thanks guys, my pleasure. Just wanted to comment that whatever permissions and behavior for group admin is desired, it would be more correct to configure it through corresponding grouptype plugin. So, what my patch does it makes appropriate checks for group admin nomination based on grouptype plugins configuration only.

Changed in mahara:
status: Fix Committed → Fix Released

See https://bugs.launchpad.net/mahara/+bug/603044

Permissions for this are now loose again, but I have hopefully fixed the drop-down error by forcing the join type to stay the same if you're editing a group with a jointype you don't have permission to create.

Reviewed: https://reviews.mahara.org/623
Committed: http://gitorious.org/mahara/mahara/commit/396ba897dbe1e5a1acf4fe6ed80f16220b4a357c
Submitter: Richard Mansfield (<email address hidden>)
Branch: master

commit 396ba897dbe1e5a1acf4fe6ed80f16220b4a357c
Author: Richard Mansfield <email address hidden>
Date: Wed Aug 17 16:48:32 2011 +1200

    Remove can_become_admin check when changing group roles

    This function always returns true, and can be removed. It's just a
    leftover from the attempt to prevent non-staff becoming controlled
    group admins (see bug #492009, bug #603044).

    Change-Id: Ib58aa4966f2cd94465dd657c081b51a12464f153
    Signed-off-by: Richard Mansfield <email address hidden>

Changed in mahara:
importance: Undecided → High
assignee: François Marier (fmarier) → Richard Mansfield (richard-mansfield)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers