added capabilty risks into access.php and GUI for define role and override; minor fixes for capability types in forum

2025-04-14 13:02:07 +02:00 · 2006-09-18 21:32:49 +00:00 · 2006-09-18 21:32:49 +00:00 · 21b6db6eff
commit 21b6db6eff
parent 31f267963a
19 changed files with 148 additions and 13 deletions
--- a/admin/roles/manage.html
+++ b/admin/roles/manage.html
@ -18,6 +18,7 @@ Role short name (ASCII): <input type="text" name="shortname" value="<?php echo $
 <td><?php print_string('allow','role') ?></td>
 <td><?php print_string('prevent','role') ?></td>
 <td><?php print_string('prohibit','role') ?></td>
+<td><?php print_string('risks','role') ?></td>
 </tr>

 <?php 
@ -50,6 +51,23 @@ foreach ($capabilities as $capability) {
        <td><INPUT TYPE=radio NAME="<?php echo $capability->name; ?>" VALUE="1" <?php if (isset($localoverride->permission) && $localoverride->permission==1){ echo 'checked="checked"'; }?>></td>
        <td ><INPUT TYPE=radio NAME="<?php echo $capability->name; ?>" VALUE="-1" <?php if (isset($localoverride->permission) && $localoverride->permission==-1){ echo 'checked="checked"'; }?>></td>
        <td ><INPUT TYPE=radio NAME="<?php echo $capability->name; ?>" VALUE="-1000" <?php if (isset($localoverride->permission) && $localoverride->permission==-1000){ echo 'checked="checked"'; }?>></td>
+        <td><?php
+            if (RISK_MANAGETRUST & (int)$capability->riskbitmask) {
+                echo "T";
+            }
+            if (RISK_ADMIN & (int)$capability->riskbitmask) {
+                echo "A";
+            }
+            if (RISK_XSS & (int)$capability->riskbitmask) {
+                echo "X";
+            }
+            if (RISK_PERSONAL & (int)$capability->riskbitmask) {
+                echo "P";
+            }
+            if (RISK_SPAM & (int)$capability->riskbitmask) {
+                echo "S";
+            }
+        ?></td>
        </tr>

        <?php } ?>    
--- a/admin/roles/override.html
+++ b/admin/roles/override.html
@ -15,6 +15,7 @@ if ($courseid) {
                <td><?php print_string('allow','role') ?></td>
                <td><?php print_string('prevent','role') ?></td>
                <td><?php print_string('prohibit','role') ?></td>
+                <td><?php print_string('risks','role') ?></td>
            </tr>
            <?php 
            
@ -83,6 +84,23 @@ if ($courseid) {
                       if ($localpermission == CAP_PROHIBIT) {echo ' checked="checked"';} 
                       if ($isdisabled)                      {echo ' disabled="disabled"';}?>>
                 </td>
+                 <td><?php
+                    if (RISK_MANAGETRUST & (int)$capability->riskbitmask) {
+                        echo "T";
+                    }
+                    if (RISK_ADMIN & (int)$capability->riskbitmask) {
+                        echo "A";
+                    }
+                    if (RISK_XSS & (int)$capability->riskbitmask) {
+                        echo "X";
+                    }
+                    if (RISK_PERSONAL & (int)$capability->riskbitmask) {
+                        echo "P";
+                    }
+                    if (RISK_SPAM & (int)$capability->riskbitmask) {
+                        echo "S";
+                    }
+                 ?></td>
            </tr>
            
            <?php } ?>    
--- a/lib/accesslib.php
+++ b/lib/accesslib.php
@ -30,6 +30,14 @@ define('CONTEXT_GROUP', 60);
 define('CONTEXT_MODULE', 70);
 define('CONTEXT_BLOCK', 80);

+// capability risks - see http://docs.moodle.org/en/Hardening_new_Roles_system
+define('RISK_MANAGETRUST', 0x0001);
+define('RISK_ADMIN',       0x0002);
+define('RISK_XSS',         0x0004);
+define('RISK_PERSONAL',    0x0008);
+define('RISK_SPAM',        0x0010);
+
+
 $context_cache    = array();    // Cache of all used context objects for performance (by level and instance)
 $context_cache_id = array();    // Index to above cache by id

--- a/lib/db/access.php
+++ b/lib/db/access.php
@ -34,6 +34,7 @@
 $moodle_capabilities = array(
    
    'moodle/site:doanything' => array(
+        'riskbitmask' => RISK_SPAM | RISK_PERSONAL | RISK_XSS | RISK_ADMIN,
        'captype' => 'admin',
        'contextlevel' => CONTEXT_SYSTEM
    ),
@ -45,30 +46,35 @@ $moodle_capabilities = array(
    
    
    'moodle/legacy:student' => array(
+        'riskbitmask' => RISK_SPAM,
        'captype' => 'legacy',
        'contextlevel' => CONTEXT_SYSTEM
    ),
    
    
    'moodle/legacy:teacher' => array(
+        'riskbitmask' => RISK_SPAM | RISK_PERSONAL,
        'captype' => 'legacy',
        'contextlevel' => CONTEXT_SYSTEM
    ),
    
    
    'moodle/legacy:editingteacher' => array(
+        'riskbitmask' => RISK_SPAM | RISK_PERSONAL | RISK_XSS,
        'captype' => 'legacy',
        'contextlevel' => CONTEXT_SYSTEM
    ),
    
    
    'moodle/legacy:coursecreator' => array(
+        'riskbitmask' => RISK_SPAM | RISK_PERSONAL | RISK_XSS,
        'captype' => 'legacy',
        'contextlevel' => CONTEXT_SYSTEM
    ),
    
    
    'moodle/legacy:admin' => array(
+        'riskbitmask' => RISK_SPAM | RISK_PERSONAL | RISK_XSS | RISK_ADMIN,
        'captype' => 'legacy',
        'contextlevel' => CONTEXT_SYSTEM
    ),
@ -76,6 +82,8 @@ $moodle_capabilities = array(
    
    'moodle/site:config' => array(
    
+        'riskbitmask' => RISK_SPAM | RISK_PERSONAL | RISK_XSS | RISK_ADMIN,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'legacy' => array(
@ -118,6 +126,8 @@ $moodle_capabilities = array(
    
    'moodle/site:import' => array(
    
+        'riskbitmask' => RISK_SPAM | RISK_PERSONAL | RISK_XSS,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'legacy' => array(
@ -132,6 +142,8 @@ $moodle_capabilities = array(
    
    'moodle/site:backup' => array(
    
+        'riskbitmask' => RISK_SPAM | RISK_PERSONAL | RISK_XSS,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'legacy' => array(
@ -146,6 +158,8 @@ $moodle_capabilities = array(
    
    'moodle/site:restore' => array(
    
+        'riskbitmask' => RISK_SPAM | RISK_PERSONAL | RISK_XSS,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'legacy' => array(
@ -160,6 +174,8 @@ $moodle_capabilities = array(
    
    'moodle/site:manageblocks' => array(
    
+        'riskbitmask' => RISK_SPAM | RISK_XSS,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'legacy' => array(
@ -216,6 +232,8 @@ $moodle_capabilities = array(
    
    'moodle/site:viewreports' => array(
    
+        'riskbitmask' => RISK_PERSONAL,
+
        'captype' => 'read',
        'contextlevel' => CONTEXT_SYSTEM,
        'legacy' => array(
@ -230,6 +248,8 @@ $moodle_capabilities = array(
    
    'moodle/site:trustcontent' => array(
    
+        'riskbitmask' => RISK_XSS,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'legacy' => array(
@ -244,6 +264,8 @@ $moodle_capabilities = array(
    
    'moodle/user:create' => array(
    
+        'riskbitmask' => RISK_SPAM | RISK_PERSONAL,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'legacy' => array(
@ -272,6 +294,8 @@ $moodle_capabilities = array(
    
    'moodle/user:update' => array(
    
+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'legacy' => array(
@ -300,6 +324,8 @@ $moodle_capabilities = array(

    'moodle/user:viewhiddendetails' => array(
    
+        'riskbitmask' => RISK_PERSONAL,
+
        'captype' => 'read',
        'contextlevel' => CONTEXT_SYSTEM,
        'legacy' => array(
@ -438,6 +464,8 @@ $moodle_capabilities = array(
    
    'moodle/course:create' => array(
    
+        'riskbitmask' => RISK_XSS,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_COURSE,
        'legacy' => array(
@ -466,6 +494,8 @@ $moodle_capabilities = array(
    
    'moodle/course:update' => array(
    
+        'riskbitmask' => RISK_XSS,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_COURSE,
        'legacy' => array(
@ -494,6 +524,8 @@ $moodle_capabilities = array(
    
    'moodle/course:viewhiddenuserfields' => array(
    
+        'riskbitmask' => RISK_PERSONAL,
+
        'captype' => 'read',
        'contextlevel' => CONTEXT_COURSE,
        'legacy' => array(
@ -536,6 +568,8 @@ $moodle_capabilities = array(
    
    'moodle/course:managefiles' => array(
    
+        'riskbitmask' => RISK_XSS,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_COURSE,
        'legacy' => array(
@ -550,6 +584,8 @@ $moodle_capabilities = array(
    
    'moodle/course:managequestions' => array(
    
+        'riskbitmask' => RISK_XSS,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_COURSE,
        'legacy' => array(
@ -564,6 +600,8 @@ $moodle_capabilities = array(
    
    'moodle/course:manageactivities' => array(
    
+        'riskbitmask' => RISK_XSS,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_COURSE,
        'legacy' => array(
@ -704,6 +742,8 @@ $moodle_capabilities = array(
    
    'moodle/blog:create' => array(

+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'legacy' => array(
@ -718,6 +758,8 @@ $moodle_capabilities = array(
    
    'moodle/blog:manageofficialtags' => array(

+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'legacy' => array(
@ -732,6 +774,8 @@ $moodle_capabilities = array(
    
    'moodle/blog:managepersonaltags' => array(

+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'legacy' => array(
@ -746,6 +790,8 @@ $moodle_capabilities = array(
    
    'moodle/blog:manageentries' => array(

+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'legacy' => array(
@ -760,6 +806,8 @@ $moodle_capabilities = array(
    
    'moodle/calendar:manageownentries' => array(

+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'legacy' => array(
@ -774,6 +822,8 @@ $moodle_capabilities = array(
    
    'moodle/calendar:manageentries' => array(

+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'legacy' => array(
@ -828,6 +878,9 @@ $moodle_capabilities = array(
    ),
    
    'moodle/user:editprofile' => array(
+
+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'read',
        'contextlevel' => CONTEXT_USER,
        'legacy' => array(
@ -841,6 +894,9 @@ $moodle_capabilities = array(
    ),
    
    'moodle/question:import' => array(
+
+        'riskbitmask' => RISK_XSS,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_COURSE,
        'legacy' => array(
@ -880,6 +936,9 @@ $moodle_capabilities = array(
    ),
    
    'moodle/question:manage' => array(
+
+        'riskbitmask' => RISK_XSS,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_COURSE,
        'legacy' => array(
--- a/mod/chat/db/access.php
+++ b/mod/chat/db/access.php
@ -35,6 +35,8 @@ $mod_chat_capabilities = array(
    
    'mod/chat:chat' => array(
    
+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
--- a/mod/chat/version.php
+++ b/mod/chat/version.php
@ -5,7 +5,7 @@
 ///  This fragment is called by moodle_needs_upgrading() and /admin/index.php
 /////////////////////////////////////////////////////////////////////////////////

-$module->version  = 2006091201;   // The (date) version of this module
+$module->version  = 2006091800;   // The (date) version of this module
 $module->requires = 2006080900;  // Requires this Moodle version
 $module->cron     = 300;          // How often should cron check this module (seconds)?

--- a/mod/data/db/access.php
+++ b/mod/data/db/access.php
@ -63,6 +63,8 @@ $mod_data_capabilities = array(
    
    'mod/data:writeentry' => array(
    
+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
@ -77,6 +79,8 @@ $mod_data_capabilities = array(
    
    'mod/data:comment' => array(
    
+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
@ -161,6 +165,8 @@ $mod_data_capabilities = array(
    
    'mod/data:managetemplates' => array(
    
+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
--- a/mod/data/version.php
+++ b/mod/data/version.php
@ -5,7 +5,7 @@
 //  This fragment is called by /admin/index.php
 ////////////////////////////////////////////////////////////////////////////////

-$module->version  = 2006091201;
+$module->version  = 2006091800;
 $module->requires = 2006080900;  // Requires this Moodle version
 $module->cron     = 60;

--- a/mod/forum/db/access.php
+++ b/mod/forum/db/access.php
@ -77,7 +77,9 @@ $mod_forum_capabilities = array(
    
    'mod/forum:startdiscussion' => array(
    
-        'captype' => 'read',
+        'riskbitmask' => RISK_SPAM,
+
+        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
            'guest' => CAP_PREVENT,
@ -91,7 +93,9 @@ $mod_forum_capabilities = array(
    
    'mod/forum:replypost' => array(
    
-        'captype' => 'read',
+        'riskbitmask' => RISK_SPAM,
+
+        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
            'guest' => CAP_PREVENT,
@ -133,7 +137,7 @@ $mod_forum_capabilities = array(
    
    'mod/forum:rate' => array(
    
-        'captype' => 'read',
+        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
            'guest' => CAP_PREVENT,
@ -147,7 +151,9 @@ $mod_forum_capabilities = array(
    
    'mod/forum:createattachment' => array(
    
-        'captype' => 'read',
+        'riskbitmask' => RISK_SPAM,
+
+        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
            'guest' => CAP_PREVENT,
@ -217,7 +223,9 @@ $mod_forum_capabilities = array(
    
    'mod/forum:editanypost' => array(
    
-        'captype' => 'read',
+        'riskbitmask' => RISK_SPAM,
+
+        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
            'guest' => CAP_PREVENT,
--- a/mod/forum/version.php
+++ b/mod/forum/version.php
@ -5,7 +5,7 @@
 //  This fragment is called by /admin/index.php
 ////////////////////////////////////////////////////////////////////////////////

-$module->version  = 2006091201;
+$module->version  = 2006091800;
 $module->requires = 2006082600;  // Requires this Moodle version
 $module->cron     = 60;

--- a/mod/glossary/db/access.php
+++ b/mod/glossary/db/access.php
@ -49,6 +49,8 @@ $mod_glossary_capabilities = array(
    
    'mod/glossary:write' => array(
    
+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
@ -91,6 +93,8 @@ $mod_glossary_capabilities = array(
    
    'mod/glossary:comment' => array(
    
+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
@ -119,6 +123,8 @@ $mod_glossary_capabilities = array(
    
    'mod/glossary:import' => array(
    
+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
--- a/mod/glossary/version.php
+++ b/mod/glossary/version.php
@ -5,7 +5,7 @@
 ///  This fragment is called by moodle_needs_upgrading() and /admin/index.php
 /////////////////////////////////////////////////////////////////////////////////

-$module->version  = 2006091201;
+$module->version  = 2006091800;
 $module->requires = 2006082600;  // Requires this Moodle version
 $module->cron     = 0;           // Period for cron to check this module (secs)

--- a/mod/lesson/db/access.php
+++ b/mod/lesson/db/access.php
@ -22,6 +22,8 @@ $mod_lesson_capabilities = array(

    'mod/lesson:edit' => array(
    
+        'riskbitmask' => RISK_XSS,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
--- a/mod/lesson/version.php
+++ b/mod/lesson/version.php
@ -5,7 +5,7 @@
 ///  This fragment is called by moodle_needs_upgrading() and /admin/index.php
 /////////////////////////////////////////////////////////////////////////////////

-$module->version  = 2006091202;  // The current module version (Date: YYYYMMDDXX)
+$module->version  = 2006091801;  // The current module version (Date: YYYYMMDDXX)
 $module->requires = 2006080900;  // Requires this Moodle version
 $module->cron     = 0;           // Period for cron to check this module (secs)

--- a/mod/wiki/db/access.php
+++ b/mod/wiki/db/access.php
@ -22,6 +22,8 @@ $mod_wiki_capabilities = array(

    'mod/wiki:participate' => array(

+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
@ -36,6 +38,8 @@ $mod_wiki_capabilities = array(

    'mod/wiki:manage' => array(

+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
--- a/mod/wiki/version.php
+++ b/mod/wiki/version.php
@ -5,7 +5,7 @@
 ///  This fragment is called by moodle_needs_upgrading() and /admin/index.php
 /////////////////////////////////////////////////////////////////////////////////

-$module->version  = 2006091202;  // The current module version (Date: YYYYMMDDXX)
+$module->version  = 2006091800;  // The current module version (Date: YYYYMMDDXX)
 $module->requires = 2006080900;  // The current module version (Date: YYYYMMDDXX)
 $module->cron     = 0;           // Period for cron to check this module (secs)

--- a/mod/workshop/db/access.php
+++ b/mod/workshop/db/access.php
@ -22,6 +22,8 @@ $mod_workshop_capabilities = array(

    'mod/workshop:participate' => array(
    
+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
@ -36,6 +38,8 @@ $mod_workshop_capabilities = array(

    'mod/workshop:manage' => array(
    
+        'riskbitmask' => RISK_SPAM,
+
        'captype' => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'legacy' => array(
--- a/mod/workshop/version.php
+++ b/mod/workshop/version.php
@ -5,7 +5,7 @@
 //  This fragment is called by /admin/index.php
 ////////////////////////////////////////////////////////////////////////////////

-$module->version  = 2006091201;
+$module->version  = 2006091800;
 $module->requires = 2006080900;  // Requires this Moodle version
 $module->cron     = 60;

--- a/version.php
+++ b/version.php
@ -6,7 +6,7 @@
 // This is compared against the values stored in the database to determine
 // whether upgrades should be performed (see lib/db/*.php)

-   $version = 2006091804;  // YYYYMMDD = date
+   $version = 2006091807;  // YYYYMMDD = date
                           //       XY = increments within a single day

   $release = '1.7 dev';    // Human-friendly version name