Moodle / MDL-13854

To login as another user could be assignable in User context too


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Inactive
    • Affects Version/s: 1.9
    • Fix Version/s: None
    • Component/s: Roles / Access
    • Labels:
      None
    • Affected Branches:
      MOODLE_19_STABLE

      Description

      edit: not a security bug, changed to feature request

      This is a huge wormhole in the capabilities system. If I am a Teacher in a course context and Teacher has been edited or overridden to have moodle/user:loginas = Allow, I can log in as any participant in my course and I can do all the horrible things enumerated under "Risks."

      IMO enumerating the risks is not the solution. The underlying model is wrong. To log in as another user should require moodle/user:loginas permission in the user's personal User context.
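
The two authorization models contrasted in the description, as an added Python sketch that is not Moodle code and not part of the original report. The user names, the course id and the "mentor" role are constructed, and the resolver is a simplification that honours only Allow (no overrides, Prevent or Prohibit).

```python
# Simplified model of context-based capability checks (added illustration).
LOGINAS = "moodle/user:loginas"

# Constructed sample data. Each context maps to its parent context;
# User contexts hang off the system context, not off any course.
PARENT = {
    "system": None,
    "course:101": "system",
    "user:alice": "system",
    "user:bob": "system",
}
ROLE_CAPS = {"teacher": {LOGINAS}, "mentor": {LOGINAS}, "student": set()}
# (user, role, context where the role is assigned)
ASSIGNMENTS = [
    ("terry", "teacher", "course:101"),
    ("alice", "student", "course:101"),
    ("bob", "student", "course:101"),
    ("terry", "mentor", "user:alice"),  # explicit grant on one user only
]

def has_capability(user, cap, context):
    """True if a role assigned at `context` or any ancestor allows `cap`."""
    while context is not None:
        for who, role, where in ASSIGNMENTS:
            if who == user and where == context and cap in ROLE_CAPS[role]:
                return True
        context = PARENT[context]
    return False

def participants(course):
    """Everyone holding any role assignment in the course context."""
    return {who for who, _, where in ASSIGNMENTS if where == course}

def loginas_targets_course_model(actor, course):
    """Reported behaviour: one course-level Allow covers every participant."""
    if not has_capability(actor, LOGINAS, course):
        return set()
    return participants(course) - {actor}

def loginas_targets_user_model(actor, course):
    """Proposed model: the check runs in each target's own User context."""
    return {u for u in participants(course) - {actor}
            if has_capability(actor, LOGINAS, f"user:{u}")}
```

With this data the course-level check lets terry impersonate both alice and bob, while the User-context check limits terry to alice, the only account with an explicit grant.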

              People

              Assignee:
              Unassigned
              Reporter:
              jisner John Isner
              Component watchers:
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona)
              Votes:
              3
              Watchers:
              12
