
mahara-security team mailing list archive

[Bug 492009] Re: Ordinary group members can be promoted to be an admin of "controlled" or "course" groups.

 

Thanks guys, my pleasure. Just wanted to comment that whatever
permissions and behavior for group admin are desired, it would be more
correct to configure them through the corresponding grouptype plugin. So, what
my patch does is make the appropriate checks for group admin nomination
based on the grouptype plugins' configuration only.

-- 
Ordinary group members can be promoted to be an admin of "controlled" or "course" groups.
https://bugs.launchpad.net/bugs/492009

Status in Mahara ePortfolio: Fix Committed

Bug description:
Ordinary group members (those who are not site or institution admins or staff) can be promoted to be admins of "standard.controlled", "course.controlled" and "course.request" groups through the Group->Members->"Change Role" interface (/group/changerole.php). This should not be permitted. When an ordinary user is promoted to be such an admin, not only will an error pop up on the group_get_grouptype_options() function call (group type drop-down menu), as an ordinary user can only be an admin of invite/request/open standard groups, but such a user can also remove the original group admin, and the institution or site admin will end up having an uncontrolled "course group".
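
The check the bug description calls for, sketched as an added PHP example (it is not Mahara's code and not the patch discussed in this thread): a role change is allowed only if the group type's policy lets the target user hold the new role. All function names, array keys and the policy table are hypothetical and constructed for illustration; only the group type names come from the bug description.

```php
<?php
// Constructed policy (assumption, not Mahara's real configuration): the
// "grouptype.jointype" values whose admin role an ordinary user may hold,
// following the bug description (invite/request/open standard groups only).
const ORDINARY_ADMIN_TYPES = ['standard.open', 'standard.request', 'standard.invite'];

// Hypothetical helper: site admins, institution admins and staff are privileged.
function is_privileged(array $user): bool
{
    return !empty($user['siteadmin']) || !empty($user['instadmin']) || !empty($user['staff']);
}

// Hypothetical stand-in for asking the grouptype plugin whether $user may hold $role.
function grouptype_allows_role(string $grouptype, array $user, string $role): bool
{
    if ($role !== 'admin') {
        return true; // only the admin role is modelled in this example
    }
    return is_privileged($user) || in_array($grouptype, ORDINARY_ADMIN_TYPES, true);
}

// Simplified model of the reported behaviour (assumption): only the actor's role is checked.
function can_change_role_unchecked(array $actor, array $target, array $group, string $role): bool
{
    return ($group['members'][$actor['id']] ?? null) === 'admin';
}

// Hardened check: the target must be a member and the group type must allow the role.
function can_change_role(array $actor, array $target, array $group, string $role): bool
{
    if (($group['members'][$actor['id']] ?? null) !== 'admin') {
        return false;
    }
    if (!isset($group['members'][$target['id']])) {
        return false;
    }
    return grouptype_allows_role($group['type'], $target, $role);
}

// Constructed sample data: one staff admin and one ordinary member, tried on four group types.
$staff  = ['id' => 1, 'staff' => true];
$member = ['id' => 2];
foreach (['course.controlled', 'standard.controlled', 'course.request', 'standard.open'] as $type) {
    $group = ['type' => $type, 'members' => [1 => 'admin', 2 => 'member']];
    printf("%-20s unchecked=%-5s hardened=%s\n", $type,
        var_export(can_change_role_unchecked($staff, $member, $group, 'admin'), true),
        var_export(can_change_role($staff, $member, $group, 'admin'), true));
}
```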