Best practice forum (Archived)

Security overview - critical status warning

 
? ?
Security overview - critical status warning
by ? ? - Wednesday, 30 November 2011, 11:00 PM
 

Hi,

I'm confused with this error:

Security overview

Data processing may take a long time, please be patient...
Issue | Status | Description | Configuration
Default course role (global) | Critical | Incorrectly defined default course role "Learner" detected! | User policies

The default student role for course enrolment specifies the default role for courses. Please make sure no risky capabilities are allowed in this role.

The only supported legacy type for default role is Student.

  • Risky capabilities detected in context.

 

As the default settings in User policies for this is Learner.

Is this an actual security concern?

 

-Ira

 

Simon Coggins
Re: Security overview - critical status warning
by Simon Coggins - Wednesday, 30 November 2011, 11:50 PM
Group Totara

Hi Ira,

This is just informing you that the default role for courses has changed from what it normally is (the role 'student'). Be aware that any time someone is enrolled in a course (for instance via an enrollment plugin), they will be given this role in the context of the course. That's not necessarily a problem, but the fact that it says 'risky capabilities detected in context' suggests that the 'learner' role in your system may have some capabilities that you might not want them to have.

I'd suggest clicking the 'context' link and going through the capabilities, giving particular attention to the 'Risks' column, which gives details of what the capability will let a user do.

If you ever want to change the default course role, you can do that via Site Admin > Users > Permission > User Policies > Default role for users in a course.

Let me know if you'd like any more details.

Simon

? ?
Re: Security overview - critical status warning
by ? ? - Sunday, 4 December 2011, 6:14 PM
 

Hi,

I had a look through the permissions in context for the default role and I'm still confused as to what is a critical risk.

The permissions with the most risks all have their capability as "Not Set". Every permission that has the capability "Allow" for this role seems fine.

Which risks are more critical, the red icons?

-Ira

Simon Coggins
Re: Security overview - critical status warning
by Simon Coggins - Sunday, 4 December 2011, 6:51 PM
Group Totara

Here's what each of the colours means:

Red (Cross-site scripting):

Certain capabilities enable users to add non-checked files and HTML code containing JavaScript etc. This may be misused for cross-site scripting (XSS) purposes, with the potential to gain full admin access. These capabilities are intended for administrators and teachers only.

Green (Configuration):

Certain capabilities are intended for administrators only, as they enable users to change the site configuration and behaviour.

Blue (Privacy):

Certain capabilities enable users to gain access to private information of other users, for example non-public information in a user's profile. These capabilities are intended for administrators and teachers only.

Yellow (Spam):

Certain capabilities enable users to add content to the site, for example forum posts, account creation, and sending messages to other users. These capabilities may be misused for spamming purposes.

From: http://docs.moodle.org/19/en/Risks

How much of a concern each of these are depends on how much you trust your users and what you want them to be able to do. If you post some of the capabilities that you have set to allow that come with risks I can give you more details on each case.

Simon
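As an added illustration (not code from this thread, nor from Moodle or Totara), the following models how the Security overview arrives at its "risky capabilities" verdict for a role: only capabilities the role has set to Allow count, and a capability set to Not Set, Prevent or Prohibit contributes nothing regardless of its risk flags. The risk constants follow Moodle's lib/accesslib.php; the capability table and the sample Learner role are constructed examples, not a real export.

```python
# Models the Security overview's "risky capabilities in context" check.
# Risk bit values follow Moodle's lib/accesslib.php (assumed here, not from the thread).
RISK_MANAGETRUST = 0x0001
RISK_CONFIG      = 0x0002
RISK_XSS         = 0x0004
RISK_PERSONAL    = 0x0008
RISK_SPAM        = 0x0010
RISK_DATALOSS    = 0x0020

# Labels matching the colour legend quoted in the thread.
RISK_NAMES = {
    RISK_XSS: "XSS (red)",
    RISK_CONFIG: "Configuration (green)",
    RISK_PERSONAL: "Privacy (blue)",
    RISK_SPAM: "Spam (yellow)",
    RISK_MANAGETRUST: "Trust",
    RISK_DATALOSS: "Data loss",
}

# Permission values as stored per role: Allow, Not Set (inherit), Prevent, Prohibit.
CAP_ALLOW, CAP_INHERIT, CAP_PREVENT, CAP_PROHIBIT = 1, 0, -1, -1000

# Constructed sample of capability definitions: name -> risk bitmask.
CAPABILITIES = {
    "mod/forum:startdiscussion": RISK_SPAM,
    "mod/forum:viewdiscussion": 0,
    "moodle/course:update": RISK_XSS,
    "moodle/user:viewhiddendetails": RISK_PERSONAL,
    "moodle/site:config": RISK_CONFIG | RISK_DATALOSS | RISK_MANAGETRUST,
}

def risky_capabilities(role_caps, definitions=CAPABILITIES):
    """Return {capability: [risk labels]} for capabilities the role Allows that
    carry any risk bit. Not Set, Prevent and Prohibit entries are skipped."""
    found = {}
    for cap, permission in role_caps.items():
        if permission != CAP_ALLOW:
            continue
        mask = definitions.get(cap, 0)
        risks = [name for bit, name in RISK_NAMES.items() if mask & bit]
        if risks:
            found[cap] = risks
    return found

def default_role_status(role_caps, definitions=CAPABILITIES):
    """The overview's verdict: 'critical' if any risky capability is Allowed."""
    return "critical" if risky_capabilities(role_caps, definitions) else "ok"

# Constructed Learner role: the XSS-risky capability is Not Set, so it does not count.
LEARNER_SAMPLE = {
    "mod/forum:startdiscussion": CAP_ALLOW,
    "mod/forum:viewdiscussion": CAP_ALLOW,
    "moodle/course:update": CAP_INHERIT,
    "moodle/site:config": CAP_PROHIBIT,
    "moodle/user:viewhiddendetails": CAP_ALLOW,
}
```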