
mahara-security team mailing list archive

[Bug 492009] Re: Ordinary group members can be promoted to be an admin of "controlled" or "course" groups.

 

I don't think this should be treated as a security vulnerability.  It
could even be argued to be desired behaviour, if for example a group
admin wants to delegate the maintenance of a particular controlled group
to a normal user, but doesn't want that normal user to be able to create
their own controlled groups.

I think we should probably apply this patch anyway (without the changes
to whitespace); I haven't investigated it yet but suspect it's the
easiest way to fix the bug in the drop-down.

-- 
Ordinary group members can be promoted to be an admin of "controlled" or "course" groups.
https://bugs.launchpad.net/bugs/492009
You received this bug notification because you are a member of Mahara
Security, which is a direct subscriber.

Status in Mahara ePortfolio: New

Bug description:
Ordinary group members (those who are not site or institution admins or staff) can be promoted to be admins of "standard.controlled", "course.controlled" and "course.request" groups through the Group->Members->"Change Role" interface (/group/changerole.php). This should not be permitted. When an ordinary user is promoted to be such an admin, not only does an error pop up on the group_get_grouptype_options() function call (the group type drop-down menu), since an ordinary user can only be admin of invite/request/open standard groups, but such a user can also remove the original group admin, and the institution or site admin will end up with an uncontrolled "course group".
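Added illustration, not code from the Mahara project or from anyone in this thread: a self-contained PHP sketch of the role-change check the bug report describes. The unchecked variant accepts any promotion as long as the caller is already a group admin, which is the behaviour reported above; the checked variant additionally refuses to make an ordinary member admin of a group type that such a member could not create. The function names, the array-based user and group records, the list of group types an ordinary member may administer, and the sample data are all assumptions chosen for the example and do not correspond to Mahara's real API or data model.

```php
<?php
// Hypothetical model of the /group/changerole.php decision described in bug 492009.
// Not Mahara's code: names, data shapes and the policy list below are assumptions.

// Assumed policy: group types an ordinary (non-admin, non-staff) member may administer.
// The report says ordinary users can only be admin of invite/request/open standard groups.
const ORDINARY_ADMIN_GROUP_TYPES = ['standard.open', 'standard.request', 'standard.invite'];

// A user is "privileged" if they hold a site or institution admin/staff flag.
function is_privileged(array $user): bool
{
    foreach (['siteadmin', 'sitestaff', 'institutionadmin', 'institutionstaff'] as $flag) {
        if (!empty($user[$flag])) {
            return true;
        }
    }
    return false;
}

// Mirrors the reported behaviour: the only check is that the actor is a group admin.
// The target's eligibility to administer this group type is never considered.
function change_role_unchecked(array $group, array $actor, array $target, string $newrole): bool
{
    return ($actor['role'] ?? null) === 'admin';
}

// The check the report asks for: an ordinary member may only be promoted to admin
// of a group type that an ordinary member is allowed to administer.
function change_role_checked(array $group, array $actor, array $target, string $newrole): bool
{
    if (($actor['role'] ?? null) !== 'admin') {
        return false;
    }
    if ($newrole === 'admin'
        && !is_privileged($target)
        && !in_array($group['grouptype'], ORDINARY_ADMIN_GROUP_TYPES, true)) {
        // Promotion refused: the target could not have created such a group,
        // so they must not end up controlling one.
        return false;
    }
    return true;
}

// Constructed sample: an institution admin running a course.controlled group
// tries to promote an ordinary member to admin.
$group  = ['grouptype' => 'course.controlled'];
$actor  = ['role' => 'admin', 'institutionadmin' => true];
$member = ['role' => 'member'];

foreach (['course.controlled', 'standard.controlled', 'course.request', 'standard.open'] as $type) {
    $group['grouptype'] = $type;
    printf(
        "%-20s unchecked=%s checked=%s\n",
        $type,
        change_role_unchecked($group, $actor, $member, 'admin') ? 'allowed' : 'refused',
        change_role_checked($group, $actor, $member, 'admin') ? 'allowed' : 'refused'
    );
}
```

The point of the side-by-side is that the unchecked path says nothing about the target at all, which is exactly why the resulting admin then trips the group-type drop-down and can remove the original admin. Whether the stricter rule is the desired policy is the question the comment above raises; the code only shows where the decision would have to live.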