mahara-security team mailing list archive

Thread
Date

[Bug 492009] Re: Ordinary group members can be promoted to be an admin of "controlled" or "course" groups.

To: mahara-security@xxxxxxxxxxxxxxxxxxx
From: François Marier <francois@xxxxxxxxxx>
Date: Mon, 07 Dec 2009 04:33:45 -0000
Reply-to: Bug 492009 <492009@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Committed on master and 1.2_STABLE with only minor whitespace changes.

Thanks again Ruslan!

** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

** Changed in: mahara
       Status: New => Fix Committed

-- 
Ordinary group members can be promoted to be an admin of "controlled" or "course" groups.
https://bugs.launchpad.net/bugs/492009
You received this bug notification because you are a member of Mahara
Security, which is a direct subscriber.

Status in Mahara ePortfolio: Fix Committed

Bug description:
Ordinary group members (those who are not site or institution admins or staff) can be promoted to be admins of "standard.controlled", "course.controlled" and "course.request" groups through Group->Members->"Change Role" interface (/group/changerole.php). This should not be permitted. When the ordinary user is promoted to be such admin, not only the error on group_get_grouptype_options() function call will pop-up (group type drop-down menu), as ordinary user can only be admin of invite/request/open standard groups, but also such user can remove original group admin and institution or site admin will end up having uncontrolled "course group".