Closed bret-miller closed 8 years ago
OK, to further suggest this is a security issue, I am able to use the URL from the block to send a message from a different computer without ever logging into the site or displaying the course. The URL (without domain name) is: https://xxxx/blocks/messageteacher/message.php?courseid=8&referurl=https%3A%2F%2Fxxxx%2Fcourse%2Fview.php%3Fid%3D8&recipientid=5
I've attempted to reproduce this, but cannot. message.php calls require_login(), so any attempts to access the page (either loading the form via AJAX or directly entering the URL) are redirected to the login form.
I hate to post this here, but [redacted] gives me the message page without logging in.
Got it, thanks. I didn't have guest access enabled while I was testing. I'll look into it.
I've just pushed a fix which checks for moodle:site/sendmessage capability. The guest user doesn't have this by default, so this should fix the problem. Please can you test it and confirm for me?
Well, it didn't help. I took the time to look at the code and I don't understand why it's not blocking the message form. That should throw an access exception when using guest access, but it's not, at least not visibly.
The only reason I can think that it would allow the page to be viewed by guest is if, for some reason, the Guest role has the moodle:site/sendmessage capability enabled.
It doesn't. I checked. It was "not set". I changed it to "prohibit" in case that would help, but it didn't help either.
When the session times out, this block sends messages from guest. This makes it very hard to tell who the message is from unless the student signs it. Plus guest isn't allowed to send messages at all so it shouldn't be allowed here either. Guest is also not allowed to display the block.
To reproduce: I logged in as a student and displayed a course. All our courses have the Message My Teacher block. Then I waited until my session expired. Then clicked the teacher's name to display the message form. It displayed it and I went ahead and sent my message. The message was accepted, and sure enough, it was from "Guest User". So there are probably two permissions issues here. First, the block shouldn't display the message form if the session is invalid or at least should check whether the current account (guest in this case) is allowed to send a message. And second, the function it uses to send the message should probably check to see if the current account is allowed to send a message. That second issue probably isn't yours, but perhaps the block should also check the permissions before it tries to send the message.
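The thread describes two gaps: the form page is reachable by the auto-logged-in guest once a session expires, and the send step never re-checks permissions. As an added example (not this block's code, and not from the original thread), here is how a Moodle block's `message.php` entry point can be guarded with core APIs; the capability string, the `referurl` parameter type and the file layout are assumptions.

```php
<?php
// Added example of a guarded message-sending entry point for a Moodle block.
// require_login, require_capability, require_sesskey, isguestuser, is_enrolled,
// required_param/optional_param and the context classes are Moodle core APIs.
// The capability name and file layout are assumptions about this block.
require_once(__DIR__ . '/../../config.php');

$courseid    = required_param('courseid', PARAM_INT);
$recipientid = required_param('recipientid', PARAM_INT);
// Assumption: only a same-site return URL is accepted, so the page cannot
// be used as an open redirector.
$referurl    = optional_param('referurl', '', PARAM_LOCALURL);

$course  = $DB->get_record('course', ['id' => $courseid], '*', MUST_EXIST);
$context = context_course::instance($course->id);

// Second argument false: do NOT auto-login the guest account even when the
// course allows guest access. An expired session then lands on the login
// form instead of silently continuing as "Guest User".
require_login($course, false);

// Refuse the guest account explicitly rather than relying on how the Guest
// role happens to be configured ("not set" vs "prohibit").
if (isguestuser()) {
    throw new require_login_exception('Guests may not send messages.');
}

// The permission to send messages is checked at system level.
// Assumption: this is the capability the block should require.
require_capability('moodle/site:sendmessage', context_system::instance());

// Only a POST carrying the session key may send anything, so a bare GET of
// the URL from another machine shows at most the form, never sends a message.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    require_sesskey();
    $recipient = $DB->get_record('user',
        ['id' => $recipientid, 'deleted' => 0], '*', MUST_EXIST);
    // The recipient must actually be a participant of this course, so the
    // recipientid parameter cannot be pointed at arbitrary accounts.
    if (!is_enrolled($context, $recipient)) {
        throw new moodle_exception('usernotincourse');
    }
    // The block's own send routine follows here, using $USER as the sender;
    // by this point $USER is a real, non-guest account with the capability.
}
```

The same checks belong in front of whatever function performs the send, so the second gap the reporter describes is closed even if the form is reached through another path.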