Mahara

users can stay logged into suspended institution

Bug #1348024 reported by Robert Lyon on 2014-07-24

256

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Mahara	Fix Released	Medium	Robert Lyon	Mahara 15.04.0
1.10	Fix Released	Medium	Unassigned	Mahara 1.10.3
1.8	Fix Released	Medium	Unassigned	Mahara 1.8.7
1.9	Fix Released	Medium	Unassigned	Mahara 1.9.5
15.04	Fix Released	Medium	Robert Lyon	Mahara 15.04.0
15.10	Fix Released	Medium	Unassigned	Mahara 15.10.0

Bug Description

If a user does not use their own institution's auth method then user only belonging to a suspended institution can still log in.

Scenario:
- Create an institution called 'testone' with the auth method internal mahara
- Add a user to it (so that the user is only in this institution and no others)
- Update the user auth method to be another internal one
- suspend the institution
- log out and then in as user - can get in because the auth method is paired to 'mahara' institution

Another problem:

Same as above but have the user using the institutions auth method
- this time one gets a warning about the institution being suspended, which is good
but also gets the top menu and is actually logged in/can navigate about.

What needs to be done:

1) when an institution is suspended make sure all users that only belong to this institution have a valid usr.authinstance value and if they don't give them one.

2) when they are trying to log in to their suspended institution actually deny them properly.

Tags:

CVE References

2017-1000135

Revision history for this message

Robert Lyon (robertl-9) wrote on 2014-07-24:

https://reviews.mahara.org/#/c/3508/

Robert Lyon (robertl-9) on 2014-07-28

Changed in mahara:
status:	Confirmed → In Progress

Revision history for this message

Robert Lyon (robertl-9) wrote on 2014-11-23:

Ignore earlier comments - the only problem here is when an institution is suspended it doesn't log out the logged in users.

I've updated the patch to make sure that any users that are using an auth method for the institution being suspended are logged out automatically - and if they try to login again they are greeted by a ' your institution is suspended' message.

summary:

- users can log into suspended institution
+ users can stay logged into suspended institution

Revision history for this message

Aaron Wells (u-aaronw) wrote on 2015-01-12:

Since the issue is only that a user can *stay* logged in to a suspended institution, I'm dropping the priority from High to Medium.

information type:

Private Security → Public Security

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2015-04-16: A change has been merged

Reviewed: https://reviews.mahara.org/3508
Committed: http://gitorious.org/mahara/mahara/commit/de21ad32e9dc795caed654f27e1bc9a92e37cc3b
Submitter: Aaron Wells (<email address hidden>)
Branch: master

commit de21ad32e9dc795caed654f27e1bc9a92e37cc3b
Author: Robert Lyon <email address hidden>
Date: Fri Jul 25 10:21:48 2014 +1200

Getting suspended institutions to keep their user out. (Bug 1348024)

Users who are logged in on the suspended institution's auth method
are logged out.

Change-Id: I10e1dec465a4363a076e92f4d90ec663ff8a822e
Signed-off-by: Robert Lyon <email address hidden>

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2015-04-16: A patch has been submitted for review

Patch for "15.04_STABLE" branch: https://reviews.mahara.org/4643

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2015-04-16:

Patch for "1.10_STABLE" branch: https://reviews.mahara.org/4644

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2015-04-16:

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/4645

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2015-04-16:

Patch for "1.8_STABLE" branch: https://reviews.mahara.org/4646

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2015-04-16: A change has been merged

Reviewed: https://reviews.mahara.org/4644
Committed: http://gitorious.org/mahara/mahara/commit/ed686cadbbb6eb574bf788732008e7f21be2d669
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.10_STABLE

commit ed686cadbbb6eb574bf788732008e7f21be2d669
Author: Robert Lyon <email address hidden>
Date: Fri Jul 25 10:21:48 2014 +1200

Getting suspended institutions to keep their user out. (Bug 1348024)

Users who are logged in on the suspended institution's auth method
are logged out.

Change-Id: I10e1dec465a4363a076e92f4d90ec663ff8a822e
Signed-off-by: Robert Lyon <email address hidden>

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2015-04-16:

#10

Reviewed: https://reviews.mahara.org/4645
Committed: http://gitorious.org/mahara/mahara/commit/847f49ef9a33e7200b4f2b0408c773c700b08f91
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.9_STABLE

commit 847f49ef9a33e7200b4f2b0408c773c700b08f91
Author: Robert Lyon <email address hidden>
Date: Fri Jul 25 10:21:48 2014 +1200

Getting suspended institutions to keep their user out. (Bug 1348024)

Users who are logged in on the suspended institution's auth method
are logged out.

Change-Id: I10e1dec465a4363a076e92f4d90ec663ff8a822e
Signed-off-by: Robert Lyon <email address hidden>

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2015-04-16:

#11

Reviewed: https://reviews.mahara.org/4646
Committed: http://gitorious.org/mahara/mahara/commit/a8ec085adca536f4af54a2061866cb8a00ac510f
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.8_STABLE

commit a8ec085adca536f4af54a2061866cb8a00ac510f
Author: Robert Lyon <email address hidden>
Date: Fri Jul 25 10:21:48 2014 +1200

Getting suspended institutions to keep their user out. (Bug 1348024)

Users who are logged in on the suspended institution's auth method
are logged out.

Change-Id: I10e1dec465a4363a076e92f4d90ec663ff8a822e
Signed-off-by: Robert Lyon <email address hidden>

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2015-04-16:

#12

Reviewed: https://reviews.mahara.org/4643
Committed: http://gitorious.org/mahara/mahara/commit/5f435f01fce1e31316c1e36c6a283f58de278e5f
Submitter: Aaron Wells (<email address hidden>)
Branch: 15.04_STABLE

commit 5f435f01fce1e31316c1e36c6a283f58de278e5f
Author: Robert Lyon <email address hidden>
Date: Fri Jul 25 10:21:48 2014 +1200

Getting suspended institutions to keep their user out. (Bug 1348024)

Users who are logged in on the suspended institution's auth method
are logged out.

Change-Id: I10e1dec465a4363a076e92f4d90ec663ff8a822e
Signed-off-by: Robert Lyon <email address hidden>

Robert Lyon (robertl-9) on 2015-04-17

Changed in mahara:
status:	Fix Committed → Fix Released

Jinelle Foley-Barnes (jinelleb) on 2015-04-20

tags:

added: behat needs-behat

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.