users can stay logged into suspended institution
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Medium | Robert Lyon |
1.10 | Fix Released | Medium | Unassigned |
1.8 | Fix Released | Medium | Unassigned |
1.9 | Fix Released | Medium | Unassigned |
15.04 | Fix Released | Medium | Robert Lyon |
15.10 | Fix Released | Medium | Unassigned |
Bug Description
If a user does not use their own institution's auth method, then a user belonging only to a suspended institution can still log in.
Scenario:
- Create an institution called 'testone' with the auth method internal mahara
- Add a user to it (so that the user is only in this institution and no others)
- Update the user auth method to be another internal one
- suspend the institution
- Log out and then log in as the user: they can get in because the auth method is paired with the 'mahara' institution
Another problem:
Same as above, but have the user use the institution's auth method.
- This time one gets a warning about the institution being suspended, which is good, but one also gets the top menu and is actually logged in and can navigate about.
What needs to be done:
1) When an institution is suspended, make sure all users that belong only to this institution have a valid usr.authinstance value, and if they don't, give them one.
2) When they try to log in to their suspended institution, actually deny them properly.
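The two fixes asked for above, modelled in stand-alone Python as an added example (this is not Mahara's own code, which is PHP). The institution names 'testone' and 'mahara' come from the report; the auth instance ids, the usernames, the `Site` class and the policy of repointing a user to their institution's first auth instance are assumptions made for the illustration. The buggy path consults only the institution that owns the user's auth instance and creates a session before warning; the fixed path denies before any session exists and also refuses a user whose every institution is suspended.

```python
# Added example, not Mahara code: a stand-alone model of the two checks the
# report asks for. Institution names 'testone' and 'mahara' come from the
# report; auth instance ids, usernames and method names are constructed here.
from dataclasses import dataclass, field


@dataclass
class Institution:
    name: str
    suspended: bool = False
    auth_instances: list = field(default_factory=list)  # auth instance ids it owns


@dataclass
class User:
    username: str
    authinstance: int                                  # models usr.authinstance
    institutions: set = field(default_factory=set)     # memberships


@dataclass
class Session:
    username: str
    warnings: list = field(default_factory=list)


class Site:
    def __init__(self):
        self.institutions = {}
        self.owner = {}      # auth instance id -> owning institution name
        self.users = {}

    def add_institution(self, name, auth_ids):
        self.institutions[name] = Institution(name, False, list(auth_ids))
        for aid in auth_ids:
            self.owner[aid] = name

    def add_user(self, username, authinstance, institutions):
        self.users[username] = User(username, authinstance, set(institutions))

    # --- behaviour described in the report -------------------------------
    def suspend_buggy(self, name):
        self.institutions[name].suspended = True

    def login_buggy(self, username):
        user = self.users[username]
        owner = self.institutions[self.owner[user.authinstance]]
        session = Session(username)          # session is created regardless
        if owner.suspended:                  # only the auth instance's institution is consulted
            session.warnings.append(f"institution {owner.name} is suspended")
        return session

    # --- behaviour the report asks for -----------------------------------
    def suspend_fixed(self, name):
        inst = self.institutions[name]
        inst.suspended = True
        # (1) users who belong only to this institution get one of its own auth
        # instances (assumed policy: the institution's first one)
        for user in self.users.values():
            if user.institutions == {name} and self.owner[user.authinstance] != name:
                user.authinstance = inst.auth_instances[0]

    def login_fixed(self, username):
        user = self.users[username]
        owner = self.institutions[self.owner[user.authinstance]]
        if owner.suspended:
            return None                      # (2) deny before any session exists
        # also deny when every institution the user belongs to is suspended,
        # so an auth instance borrowed from another institution does not help
        if user.institutions and all(self.institutions[i].suspended for i in user.institutions):
            return None
        return Session(username)


def scenario():
    """Replays both scenarios from the report and returns the login results."""
    site = Site()
    site.add_institution("mahara", [1])      # site institution, internal auth id 1
    site.add_institution("testone", [2])     # institution from the report, internal auth id 2
    site.add_institution("other", [3])       # constructed institution that stays active
    site.add_user("alice", 2, {"testone"})   # first scenario ...
    site.users["alice"].authinstance = 1     # ... switched to another internal auth method
    site.add_user("bob", 2, {"testone"})     # second scenario: uses testone's own auth method
    site.add_user("carol", 3, {"testone", "other"})  # still belongs to an active institution

    site.suspend_buggy("testone")
    buggy = {u: site.login_buggy(u) for u in ("alice", "bob", "carol")}

    site.suspend_fixed("testone")
    fixed = {u: site.login_fixed(u) for u in ("alice", "bob", "carol")}
    return {"buggy": buggy, "fixed": fixed,
            "alice_authinstance": site.users["alice"].authinstance}
```

Running `scenario()` shows alice and bob both receiving a session under the buggy path (bob with a warning attached, alice with none), both being refused under the fixed path, and carol still able to log in because one of her institutions is active.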
Changed in mahara:
status: Confirmed → In Progress
Changed in mahara:
status: Fix Committed → Fix Released
tags: added: behat needs-behat
https://reviews.mahara.org/#/c/3508/