From 41ecd3e717b38ff823ed1b7895d344dcd3be4faf Mon Sep 17 00:00:00 2001
From: Andrew Robert Nicols
Date: Mon, 31 Oct 2011 13:55:45 +0000
Subject: [PATCH 1/1] Prevent masquerading users from jumping as others

As described in bug #884223, if an administator is masquerading as another user, they should be prevented from jumping as that other user.

This patch checks if a user has a parentuser in the LiveUser object and, if so, loads the parent user and jumps as that user instead.

Change-Id: Ie07f3b807a61bbbb94c9051fb7c4b8df03d19f24
Signed-off-by: Andrew Robert Nicols
---
 htdocs/api/xmlrpc/lib.php | 17 +++++++++++++----
 1 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/htdocs/api/xmlrpc/lib.php b/htdocs/api/xmlrpc/lib.php
index 20df596..a62c5e8 100644
--- a/htdocs/api/xmlrpc/lib.php
+++ b/htdocs/api/xmlrpc/lib.php
@@ -64,6 +64,15 @@ function generate_token() {
 function start_jump_session($peer, $instanceid, $wantsurl="") {
     global $USER;
 
+    // We should only allow a masquerading user to jump as themselves
+    if ($parentuser = $USER->get('parentuser')) {
+        $user = new User;
+        $user->find_by_id($parentuser->id);
+    }
+    else {
+        $user = $USER;
+    }
+
     $rpc_negotiation_timeout = 15;
     $providers = get_service_providers($USER->authinstance);
 
@@ -83,12 +92,12 @@ function start_jump_session($peer, $instanceid, $wantsurl="") {
 
     // set up the session
     $sso_session = get_record('sso_session',
-        'userid', $USER->id);
+        'userid', $user->id);
     if ($sso_session == false) {
         $sso_session = new stdClass();
         $sso_session->instanceid = $instanceid;
-        $sso_session->userid = $USER->id;
-        $sso_session->username = $USER->username;
+        $sso_session->userid = $user->id;
+        $sso_session->username = $user->username;
         $sso_session->useragent = sha1($_SERVER['HTTP_USER_AGENT']);
         $sso_session->token = generate_token();
         $sso_session->confirmtimeout = time() + $rpc_negotiation_timeout;
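Review bot: The provider lookup two lines below the new block still keys on the masqueraded user's auth instance, `$providers = get_service_providers($USER->authinstance);`, while the SSO session created later in this function now carries the parent user's id and username, so the identity asserted to the peer and the set of providers it is presumably validated against can come from two different accounts. Use the resolved user for both: `$providers = get_service_providers($user->authinstance);`. The new block also assumes `find_by_id()` leaves `$user` populated; what it does when the parent record no longer exists is not visible here, so either guard on a successful lookup or add a comment such as `// find_by_id() throws/returns empty on a missing parent — confirm against User` once that is checked. start_jump_session continues past the end of this hunk, so the lines that consume `$providers` are not visible.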
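Review bot: `$user` and `$USER` now both appear in this function with different meanings and differ only in letter case, which is easy to misread when scanning a line like `'userid', $user->id);` against the `$USER` references that remain earlier in the function. A name that says which identity is meant would make each use site self-explanatory, e.g. `$jumpuser = $USER;` in the resolution block and `'userid', $jumpuser->id);` plus `$sso_session->username = $jumpuser->username;` here. The function continues beyond this hunk, so any remaining `$USER` reference below should be checked for the same ambiguity.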
@@ -105,7 +114,7 @@ function start_jump_session($peer, $instanceid, $wantsurl="") {
         $sso_session->expires = time() + (integer)ini_get('session.gc_maxlifetime');
         $sso_session->useragent = sha1($_SERVER['HTTP_USER_AGENT']);
         $sso_session->sessionid = session_id();
-        if (false == update_record('sso_session', $sso_session, array('userid' => $USER->id))) {
+        if (false == update_record('sso_session', $sso_session, array('userid' => $user->id))) {
             throw new SQLException("database error");
         }
     }
-- 
1.7.2.5