users can stay logged into suspended institution

Bug #1348024 reported by Robert Lyon on 2014-07-24
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Medium
Robert Lyon
1.10
Medium
Unassigned
1.8
Medium
Unassigned
1.9
Medium
Unassigned
15.04
Medium
Robert Lyon
15.10
Medium
Unassigned

Bug Description

If a user does not use their own institution's auth method then user only belonging to a suspended institution can still log in.

Scenario:
- Create an institution called 'testone' with the auth method internal mahara
- Add a user to it (so that the user is only in this institution and no others)
- Update the user auth method to be another internal one
- suspend the institution
- log out and then in as user - can get in because the auth method is paired to 'mahara' institution

Another problem:

Same as above but have the user using the institutions auth method
- this time one gets a warning about the institution being suspended, which is good
but also gets the top menu and is actually logged in/can navigate about.

What needs to be done:

1) when an institution is suspended make sure all users that only belong to this institution have a valid usr.authinstance value and if they don't give them one.

2) when they are trying to log in to their suspended institution actually deny them properly.

CVE References

Robert Lyon (robertl-9) on 2014-07-28
Changed in mahara:
status: Confirmed → In Progress
Robert Lyon (robertl-9) wrote :

Ignore earlier comments - the only problem here is when an institution is suspended it doesn't log out the logged in users.

I've updated the patch to make sure that any users that are using an auth method for the institution being suspended are logged out automatically - and if they try to login again they are greeted by a ' your institution is suspended' message.

summary: - users can log into suspended institution
+ users can stay logged into suspended institution
Aaron Wells (u-aaronw) wrote :

Since the issue is only that a user can *stay* logged in to a suspended institution, I'm dropping the priority from High to Medium.

information type: Private Security → Public Security

Reviewed: https://reviews.mahara.org/3508
Committed: http://gitorious.org/mahara/mahara/commit/de21ad32e9dc795caed654f27e1bc9a92e37cc3b
Submitter: Aaron Wells (<email address hidden>)
Branch: master

commit de21ad32e9dc795caed654f27e1bc9a92e37cc3b
Author: Robert Lyon <email address hidden>
Date: Fri Jul 25 10:21:48 2014 +1200

Getting suspended institutions to keep their user out. (Bug 1348024)

Users who are logged in on the suspended institution's auth method
are logged out.

Change-Id: I10e1dec465a4363a076e92f4d90ec663ff8a822e
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Patch for "1.10_STABLE" branch: https://reviews.mahara.org/4644

Mahara Bot (dev-mahara) wrote :

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/4645

Mahara Bot (dev-mahara) wrote :

Patch for "1.8_STABLE" branch: https://reviews.mahara.org/4646

Reviewed: https://reviews.mahara.org/4644
Committed: http://gitorious.org/mahara/mahara/commit/ed686cadbbb6eb574bf788732008e7f21be2d669
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.10_STABLE

commit ed686cadbbb6eb574bf788732008e7f21be2d669
Author: Robert Lyon <email address hidden>
Date: Fri Jul 25 10:21:48 2014 +1200

Getting suspended institutions to keep their user out. (Bug 1348024)

Users who are logged in on the suspended institution's auth method
are logged out.

Change-Id: I10e1dec465a4363a076e92f4d90ec663ff8a822e
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4645
Committed: http://gitorious.org/mahara/mahara/commit/847f49ef9a33e7200b4f2b0408c773c700b08f91
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.9_STABLE

commit 847f49ef9a33e7200b4f2b0408c773c700b08f91
Author: Robert Lyon <email address hidden>
Date: Fri Jul 25 10:21:48 2014 +1200

Getting suspended institutions to keep their user out. (Bug 1348024)

Users who are logged in on the suspended institution's auth method
are logged out.

Change-Id: I10e1dec465a4363a076e92f4d90ec663ff8a822e
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4646
Committed: http://gitorious.org/mahara/mahara/commit/a8ec085adca536f4af54a2061866cb8a00ac510f
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.8_STABLE

commit a8ec085adca536f4af54a2061866cb8a00ac510f
Author: Robert Lyon <email address hidden>
Date: Fri Jul 25 10:21:48 2014 +1200

Getting suspended institutions to keep their user out. (Bug 1348024)

Users who are logged in on the suspended institution's auth method
are logged out.

Change-Id: I10e1dec465a4363a076e92f4d90ec663ff8a822e
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4643
Committed: http://gitorious.org/mahara/mahara/commit/5f435f01fce1e31316c1e36c6a283f58de278e5f
Submitter: Aaron Wells (<email address hidden>)
Branch: 15.04_STABLE

commit 5f435f01fce1e31316c1e36c6a283f58de278e5f
Author: Robert Lyon <email address hidden>
Date: Fri Jul 25 10:21:48 2014 +1200

Getting suspended institutions to keep their user out. (Bug 1348024)

Users who are logged in on the suspended institution's auth method
are logged out.

Change-Id: I10e1dec465a4363a076e92f4d90ec663ff8a822e
Signed-off-by: Robert Lyon <email address hidden>

Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
status: Fix Committed → Fix Released
tags: added: behat needs-behat
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers