Difference between revisions of "Risks"
Revision as of 09:01, 15 October 2007
Careful consideration should be given to the risks involved in allowing different capabilities.
Certain capabilities, such as moodle/site:doanything, are intended for administrators only, as they enable users to change the site configuration and behaviour.
XSS (Cross-Site Scripting)
Certain capabilities enable users to gain access to private information of other users, for example non-public information in a user's profile. These capabilities are intended for administrators and teachers only.
Certain capabilities enable users to add content to the site, for example forum posts, and send messages to other users. These capabilities may be misused for spamming purposes.
Risks for predefined roles
- Guest - only capabilities without any risks are allowed
- Student - certain capabilities with spam risks are allowed
- Teacher - certain capabilities with XSS and privacy risks are allowed
- Administrator - all capabilities are allowed
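
The role list above can be used as an audit rule over role definitions. The following is an added example, not Moodle code: the `example/...` capability names, their risk assignments and the role grants are constructed sample data, and it assumes the tiers are cumulative (a teacher may also hold spam-risk capabilities).

```python
from enum import Flag

class Risk(Flag):
    NONE = 0
    SPAM = 1
    PRIVACY = 2
    XSS = 4
    CONFIG = 8

SINGLE_RISKS = (Risk.SPAM, Risk.PRIVACY, Risk.XSS, Risk.CONFIG)

# Risks each predefined role may carry, following the list above.
# Assumption: tiers are cumulative, so Teacher also includes the Student tier.
ALLOWED = {
    "guest": Risk.NONE,
    "student": Risk.SPAM,
    "teacher": Risk.SPAM | Risk.PRIVACY | Risk.XSS,
    "administrator": Risk.SPAM | Risk.PRIVACY | Risk.XSS | Risk.CONFIG,
}

# Constructed sample: capability -> risks it carries (example/* names are hypothetical).
CAPABILITY_RISKS = {
    "moodle/site:doanything": Risk.SPAM | Risk.PRIVACY | Risk.XSS | Risk.CONFIG,
    "example/forum:post": Risk.SPAM,
    "example/user:viewprivateprofile": Risk.PRIVACY,
    "example/page:editrawhtml": Risk.XSS | Risk.SPAM,
    "example/course:view": Risk.NONE,
}

# Constructed sample: role -> capabilities currently granted.
ROLE_GRANTS = {
    "guest": {"example/course:view", "example/forum:post"},
    "student": {"example/forum:post", "example/page:editrawhtml"},
    "teacher": {"example/user:viewprivateprofile", "moodle/site:doanything"},
    "administrator": {"moodle/site:doanything"},
}

def audit(role_grants, capability_risks, allowed=ALLOWED):
    """Return (role, capability, reasons) for every grant exceeding the role's tier."""
    findings = []
    for role, caps in role_grants.items():
        for cap in sorted(caps):
            risks = capability_risks.get(cap)
            if risks is None or role not in allowed:
                # Unknown capability or role: report it rather than assume it is safe.
                findings.append((role, cap, ("unclassified",)))
                continue
            excess = risks & ~allowed[role]
            if excess:
                names = tuple(r.name.lower() for r in SINGLE_RISKS if excess & r)
                findings.append((role, cap, names))
    return findings
```
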