Security report on default user role
Note: You are currently viewing documentation for Moodle 2.9. Up-to-date documentation for the latest stable version of Moodle may be available here: Security report on default user role.
Default role for all users
In general the default role for all users should be set to authenticated user. Normally all permissions for the role of authenticated user should be left as default.
Default user role is incorrectly defined
If the security overview report shows the default role for all users with status 'Critical' and states that 'The default user role "Authenticated user" is incorrectly defined!' it means that one or more risky capabilities are allowed for the role.
In Moodle 2.9 - 2.9.2, if your site is enabled for Moodle Mobile app access, then mobile web services are enabled and the capabilities webservice/xmlrpc:use and webservice/rest:use are allowed for the authenticated user role. The security overview report will show the default role for all users with status 'Critical' in this case. This erroneous message is no longer displayed in Moodle 2.9.3 onwards.
Reviewing authenticated user role permissions
The permissions for the role of authenticated user can be reviewed as follows:
- Go to Administration > Site administration > Users > Permissions > Define roles
- In the role column, click the link 'Authenticated user'
- Browse the permissions column
If there is no reason for changing permissions from default, for example if nobody is using the Moodle Mobile app to access your site, then the role can be reset by clicking the reset button at the top of the page.
After resetting the authenticated user role, the security overview report will show the default role for all users with status OK.
- Using Moodle Security and Privacy forum