Note:

If you want to create a new page for developers, you should create it on the Moodle Developer Resource site.

Hardening new Roles system

From MoodleDocs
Revision as of 05:48, 17 June 2022 by Dev Docs Bot (talk | contribs) (Protected "Hardening new Roles system": Developer Docs Migration ([Edit=Allow only administrators] (indefinite)))
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Important:

This content of this page has been updated and migrated to the new Moodle Developer Resources. The information contained on the page should no longer be seen up-to-date.

Why not view this page on the new site and help us to migrate more content to the new site!

Hardening a role, refers to limiting the ability of a role to assign or to aquire permissions.

New roles add great freedom when assigning capabilities to students. The problem might arise when students are assigned permission that allows adding of content that is not cleaned before display - such as editting Resources, adding activities, etc. They could then use any type of XSS attack to gain full administrative access quite easily.

The solution has two parts: educate admins and teachers about the risks associated with each capability and optionally allow central management of risks.

Risk bitmask in capabilities

Add risk bitmask field to each capability. Each bit indicates presence of different risk associated with given capability.

Basic risks

  • RISK_SPAM - user can add visible content to site, send messages to other users; originally protected by !isguest()
  • RISK_PERSONAL - access to private personal information - ex: backups with user details, non public information in profile (hidden email), etc.; originally protected by isteacher()
  • RISK_XSS - user can submit content that is not cleaned (both HTML with active content and unprotected files); originally protected by isteacher()
  • RISK_CONFIG - user can change global configuration, actions are missing sanity checks
  • RISK_MANAGETRUST - manage trust bitmasks of other users
  • RISK_DATALOSS - can destroy large amounts of information that cannot easily be recovered.

In default configuration Guest role should have only capabilities without risks, Student roles also SPAM, Teacher roles PERSONAL and XSS too. Admins have all capabilitites by default.

Implementation

  • add new LONGINT column riskbitmask to table capabilities (DONE)
  • define risks and assign them to capabilities in mod/xxx/db/access.php and lib/db/access.php (DONE)
  • link wiki pages with explanation to each risk from capabilities page
  • allow risk based filtering of capabilities admin/roles/manage.php (optional)

The user interface will be minimal, icons and maybe colors indicating each risk together with description links which we need anyway. Developers are deciding about the risks, the risk assignment is hardcoded in access.php description file, no GUI needed to change risks.

Benefits

  1. proper documentation of risks associated with capabilities, easy to explain
  2. solid foundation for regular code audits (mainly XSS prevention and personal information disclosure)

User trust bitmask

Indicate what kind of trust each user has. Match the risk bitmask of capability and user trust bitmask in both has_capability() and require_capability().

Implementation

  • add new LONGINT column trustbitmask to user table
  • add capability moodle/site:managetrustbitmasks with RISK_MANAGETRUST risk
  • add trust checks to has_capability() and require_capability()
  • add GUI
    • switch in global configuration to enable trust bitmask checking
    • preseting of trust bitmask for new users
    • changing of trust bitmasks
    • add trust bitmask setting to user/edit.php
    • request trust level change form - something like new course request (optional)
  • fix upgrade to assign trust bitmaps based on original teacher or administrator rights
  • patch user import script and synchronizations (optional)

Benefits

  1. This part is optional and can be implemented later.
  2. Trust manager or admin has full control over potentially dangerous capabilities - it is necessary for large sites (or connected sites in the future).
  3. Trust bitmask mechanism can be turned off by single configuration switch (both GUI and checks) - needed for small insecure workshop sites.
  4. General protection against future bugs in role and capability framework or user errors when configuring roles.


Note: trusttext moved to its own page at Trusttext cleaning bypass