Admin edits of user account details can be overwritten by open session

Bug #634580 reported by Richard Mansfield
This bug affects 1 person
Affects: Mahara
Status: Fix Released
Importance: Low
Assigned to: Eugene

Bug Description

If an admin edits a user on the admin edit user page, and that user is currently logged in, then the changes made by the admin can be overwritten the next time that user browses around on the site and their session details are saved to the database.

Perhaps, saving the form on the edit user page should call remove_user_sessions for the edited user (like when suspending a user). It would be nice if the admin was given a warning ("if you submit this form then <username> will be logged out") whenever the edited user has a session that hasn't expired.

Eugene (eugenev) wrote :

Hi Richard,

Would the attached patch do the trick? I have added a warning note to the top of the form and added the functionality that will remove the edited user's session upon form submit.

Cheers!

Richard Mansfield (richard-mansfield) wrote :

Looks good to me

Changed in mahara:
status: New → In Progress
importance: Undecided → Low
milestone: none → 1.4.0
assignee: nobody → Eugene (eugene-catalyst)
Eugene (eugenev)
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
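
The lost update described in this report and the effect of dropping the edited user's sessions on save, as an added example that is not Mahara code or the attached patch. It is a simplified model: the Site class, its methods and the sample data are constructed for illustration, and it assumes a session holds a cached copy of the account details that is written back at the end of each request.

```python
# Constructed model of the lost update in the report; not Mahara code.
import copy


class Site:
    def __init__(self):
        self.users = {}      # user_id -> account record in the "database"
        self.sessions = {}   # session_id -> (user_id, cached copy of the record)

    def login(self, session_id, user_id):
        # The session caches the account details as they were at login.
        record = copy.deepcopy(self.users[user_id])
        self.sessions[session_id] = (user_id, record)

    def user_request(self, session_id):
        # End of a page request: cached details are saved back to the database.
        if session_id not in self.sessions:
            return False     # session was removed, the user must log in again
        user_id, cached = self.sessions[session_id]
        self.users[user_id] = copy.deepcopy(cached)
        return True

    def has_live_session(self, user_id):
        # Lets the edit form warn the admin that the user will be logged out.
        return any(uid == user_id for uid, _ in self.sessions.values())

    def admin_edit(self, user_id, changes, drop_sessions):
        self.users[user_id].update(changes)
        if drop_sessions:
            # Counterpart of the remove_user_sessions call suggested above.
            self.sessions = {sid: s for sid, s in self.sessions.items()
                             if s[0] != user_id}


def run(drop_sessions):
    site = Site()
    site.users[7] = {"email": "old@example.test"}   # constructed sample data
    site.login("sess-a", 7)
    warn = site.has_live_session(7)                  # admin sees the warning
    site.admin_edit(7, {"email": "new@example.test"}, drop_sessions)
    still_logged_in = site.user_request("sess-a")    # user keeps browsing
    return warn, still_logged_in, site.users[7]["email"]


if __name__ == "__main__":
    print("without fix:", run(False))
    print("with fix:   ", run(True))
```

Without the session removal the admin's change is silently reverted by the user's next request; with it the stale session is gone before it can be saved, at the cost of logging the user out.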