From c21145ea166047cebecda4cc61f04ca97d31c086 Mon Sep 17 00:00:00 2001
From: Andrew Robert Nicols
Date: Mon, 31 Oct 2011 13:55:45 +0000
Subject: [PATCH 1/1] Prevent masquerading users from jumping as others

As described in bug #884223, if an administator is masquerading as another user, they should be prevented from jumping to any XMLRPC application.

Change-Id: Ie07f3b807a61bbbb94c9051fb7c4b8df03d19f24
Signed-off-by: Andrew Robert Nicols
---
 htdocs/api/xmlrpc/lib.php | 5 +++++
 htdocs/lang/en.utf8/auth.php | 1 +
 2 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/htdocs/api/xmlrpc/lib.php b/htdocs/api/xmlrpc/lib.php
index 20df596..de0fa44 100644
--- a/htdocs/api/xmlrpc/lib.php
+++ b/htdocs/api/xmlrpc/lib.php
@@ -64,6 +64,11 @@ function generate_token() {
 function start_jump_session($peer, $instanceid, $wantsurl="") {
     global $USER;
 
+    if ($parentuser = $USER->get('parentuser')) {
+        // Prevent masquerading users from jumping
+        throw new AccessTotallyDeniedException(get_string('cannotjumpasmasqueradeduser', 'auth'));
+    }
+
     $rpc_negotiation_timeout = 15;
     $providers = get_service_providers($USER->authinstance);
 
diff --git a/htdocs/lang/en.utf8/auth.php b/htdocs/lang/en.utf8/auth.php
index 97fdaa5..53b53a6 100644
--- a/htdocs/lang/en.utf8/auth.php
+++ b/htdocs/lang/en.utf8/auth.php
@@ -86,3 +86,4 @@ $string['hostwwwrootinuse'] = 'WWW root already in use by another institution (%
 // Error messages for external authentication usernames
 $string['duplicateremoteusername'] = 'This external authentication username is already in use by the user %s. External authentication usernames must be unique within an authentication method.';
 $string['duplicateremoteusernameformerror'] = 'External authentication usernames must be unique within an authentication method.';
+$string['cannotjumpasmasqueradeduser'] = 'You cannot jump to another application whilst masquerading as another user.';
-- 
1.7.2.5
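Review bot: The `$parentuser` assigned inside the new guard at the top of start_jump_session() is never read, so the assignment-in-condition only invites a "did you mean ==" misread and should be a plain test: `if ($USER->get('parentuser')) {`. Placing the check before the negotiation timeout and provider lookup is the right fail-closed order, since the denial happens before any jump session state or token is created; the comment could say so explicitly, e.g. `// A masquerading admin must not be able to act as the masqueraded user on a remote host, so deny before any session state is created`. The guard relies on get('parentuser') returning a falsy value for a non-masquerading user; if it can return something like an empty string or 0 for a real parent, the check is wrong, so this is worth confirming against the USER class. The body of start_jump_session continues past the hunk.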