Prevent LMS admin continue masquerading when using LTI
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mahara |
Confirmed
|
Wishlist
|
Unassigned |
Bug Description
Based on https:/
When we used MNet, a Moodle admin could not masquerade as a learner in Moodle and be taken through to Mahara. Now with LTI, an LMS admin can stay masquerading and see the portfolios of the person they are masquerading at.
Is there a possibility to prevent that masquerading admins can gain access to the portfolio account? Could this be done on the Mahara end as we do not control the LMS?
This is an investigation into the possibilities at this stage to determine what - if any - we can change the behavior.
To replicate:
1. Connect Moodle / Totara / Canvas with Mahara via LTI.
2. Create 2 accounts in the LMS (1 admin, 1 learner) and log in to Mahara via both.
3. As admin set up an activity to log in to the LMS.
4. Log in as admin on the LMS and masquerade as learner and click the activity link to go to Mahara.
Desired result: Masquerading admin gets warning saying that they can't masquerade and enter Mahara.
Actual result: Masquerading admin can enter the portfolio account.
Changed in mahara: | |
importance: | Undecided → Wishlist |
status: | New → Confirmed |