Difference between revisions of "Risks"


Note: You are currently viewing documentation for Moodle 3.1. Up-to-date documentation for the latest stable version of Moodle is probably available here: Risks.

m
(re-wording)
Line 1: Line 1:
 
{{Roles}}
 
{{Roles}}
{{Moodle 1.7}}
+
 
This page describes the different types of risks that different capabilities can raise. (This page is incomplete and needs more information.)
+
Careful consideration should be given to the risks involved in allowing different capabilities.
 +
 
  
 
==Configuration==
 
==Configuration==
Users could change site configuration and behaviour
+
Certain capabilities, such as [[Capabilities/moodle/site:doanything|moodle/site:doanything]] are intended for administrators only, as they enable users to change the site configuration and behaviour.
  
 
==XSS (Cross-Site Scripting)==
 
==XSS (Cross-Site Scripting)==
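Review bot: in the new Configuration line, the aside "such as [[Capabilities/moodle/site:doanything|moodle/site:doanything]]" opens with a comma but is never closed, so the sentence reads "doanything are intended"; add a comma after the link.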
Line 10: Line 11:
  
 
==Privacy==
 
==Privacy==
Users could gain access to private information of other users
+
Certain capabilities enable users to gain access to private information of other users, for example non-public information in a user's profile. These capabilities are intended for administrators and teachers only.
  
 
==Spam==
 
==Spam==
Users could send spam to site users or others
+
Certain capabilities enable users to add content to site, for example forum posts, and send messages to other users. These capabilities may be misused for spamming purposes. The role of Guest should have none of these capabilities set.
 
 
 
 
{{stub}}
 
  
 
[[Category:Administrator]]
 
[[Category:Administrator]]
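Review bot: the new Privacy and Spam lines name no capability, unlike the Configuration line, which links moodle/site:doanything; link one example capability in each so an administrator knows what to look for when checking the Guest role. In the Spam line, "add content to site" should read "add content to the site".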

Revision as of 15:47, 8 May 2007


Careful consideration should be given to the risks involved in allowing different capabilities.


Configuration

Certain capabilities, such as moodle/site:doanything, are intended for administrators only, as they enable users to change the site configuration and behaviour.

XSS (Cross-Site Scripting)

Users could add files and texts that allow cross-site scripting.

Privacy

Certain capabilities enable users to gain access to private information of other users, for example non-public information in a user's profile. These capabilities are intended for administrators and teachers only.

Spam

Certain capabilities enable users to add content to the site, for example forum posts, and send messages to other users. These capabilities may be misused for spamming purposes. The role of Guest should have none of these capabilities set.
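
The role guidance above can be checked mechanically. The following is an added example, not part of the original page or of Moodle's code: it audits a constructed list of role permissions against the Configuration, Privacy and Spam rules stated on this page. The role shortnames, the capability-to-risk mapping and the function names are assumptions made for illustration; the risk bit and permission values are the ones Moodle defines in lib/accesslib.php.

```python
# Risk bits and the "allow" permission value as defined in Moodle's lib/accesslib.php.
RISK_CONFIG, RISK_XSS, RISK_PERSONAL, RISK_SPAM = 0x0002, 0x0004, 0x0008, 0x0010
ALL_RISKS = RISK_CONFIG | RISK_XSS | RISK_PERSONAL | RISK_SPAM
CAP_ALLOW = 1

# Assumed role shortnames; adjust to the roles defined on your site.
ADMINS = {"admin"}
TEACHERS = {"editingteacher", "teacher"}

# Constructed capability -> risk bitmask mapping (illustrative, not a site export).
CAP_RISKS = {
    "moodle/site:doanything": ALL_RISKS,
    "moodle/user:viewhiddendetails": RISK_PERSONAL,
    "mod/forum:replypost": RISK_SPAM,
    "mod/forum:viewdiscussion": 0,
}

# Constructed role permissions: (role shortname, capability, permission).
ROLE_CAPS = [
    ("admin", "moodle/site:doanything", CAP_ALLOW),
    ("teacher", "moodle/user:viewhiddendetails", CAP_ALLOW),
    ("student", "moodle/user:viewhiddendetails", CAP_ALLOW),
    ("student", "mod/forum:replypost", CAP_ALLOW),
    ("guest", "mod/forum:replypost", CAP_ALLOW),
    ("guest", "mod/forum:viewdiscussion", CAP_ALLOW),
    ("guest", "moodle/site:doanything", 0),  # not set, so ignored
]

def violations(role, risk):
    """Return the risk sections of this page that `role` should not hold."""
    found = []
    if risk & RISK_CONFIG and role not in ADMINS:
        found.append("Configuration")  # administrators only
    if risk & RISK_PERSONAL and role not in ADMINS | TEACHERS:
        found.append("Privacy")        # administrators and teachers only
    if risk & RISK_SPAM and role == "guest":
        found.append("Spam")           # Guest should have none of these
    return found                       # the page states no role rule for XSS

def audit(role_caps, cap_risks):
    """List (role, capability, section) for every allowed capability that breaks a rule."""
    findings = []
    for role, cap, permission in role_caps:
        if permission != CAP_ALLOW:
            continue
        # A capability missing from the mapping is treated as carrying every risk.
        risk = cap_risks.get(cap, ALL_RISKS)
        findings += [(role, cap, section) for section in violations(role, risk)]
    return findings

if __name__ == "__main__":
    for role, cap, section in audit(ROLE_CAPS, CAP_RISKS):
        print(f"{section}: role '{role}' is allowed {cap}")
```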