Moodle: MDL-14805

Add logging of activity when a user is logged in as another user

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.9, 2.5.2
    • Fix Version/s: BACKEND
    • Component/s: Administration, Logging
    • Labels:
    • Affected Branches:
      MOODLE_19_STABLE, MOODLE_25_STABLE
    • Epic Link:
    • Rank:
      18205

      Description

      When a user with the moodle/user:loginas capability logs in as another user and performs any activity, this activity is not logged. It would be nice if it was logged and clearly denoted in the logs as "X user logged in as Y user".

      This would probably mean rewriting the add_to_log function in some way - currently, it prevents logging if the userids are not the same.


          Activity

          Matt Campbell added a comment -

          Discussed this concept briefly in MDL-13854, but it branches from the original intent of that issue and should be addressed separately.

          Teresa Gibbison added a comment -

          This is a real issue for us as we are often asked to close a Quiz or correct something for a teacher. Currently the logging stops at viewing the other user's profile and begins again on the page where you click your own name again.

          I'm wondering if at the very least we have a log item with 'Logged in as' so the logs for me logging in as StudentOne would be displayed as

            • Fullname=Teresa Gibbison - Action= user view - Information=StudentOne
            • Fullname=Teresa Gibbison - Action= log in as user - Information=StudentOne
              ..then I do stuff as this user (that isn't logged)
            • Fullname=Teresa Gibbison - Action= log out as user - Information=StudentOne

          However, ideally it would be good if we could have all actions performed as that user logged similar to

            • Fullname=Teresa Gibbison - Action= user view - Information=StudentOne
            • Fullname=Teresa Gibbison - Action= log in as user - Information=StudentOne
            • Fullname=Teresa Gibbison (as username) - Action= view - Information=Course page
              etc
            • Fullname=Teresa Gibbison - Action= log out as user - Information=StudentOne

          What are others' thoughts?
          Teresa

          Eloy Lafuente (stronk7) added a comment -

          Uhm... while enabling that has some advantages... I can also see it as a feature now.

          Perhaps could be saved annotating the real user in new field as proposed... but that will cause a lot of reports/backup... to be hacked... uhm...

          ...assigning this to Martin to decide the final behaviour.

          Ciao

          David Blackwell added a comment -

          The code specifically seems to not want to log the loginas function as displayed in the add_to_log function:

              if (!empty($USER->realuser)) { // Don't log
                  return;
              }

          I suggest changing the code to log the "loginas" feature as well as any tasks performed under loginas using this little tweak:

              if (!empty($USER->realuser)) { // special log as acting as someone else
                  $info .= " (loginas) > ".fullname($USER,true);
                  $userid=$USER->realuser;
              } else {
                  $userid = empty($USER->id) ? '0' : $USER->id;
              }
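
          An added sketch (not Moodle code and not from any commenter) of the alternative raised earlier in the thread: keep the effective user on the log row and store the real user in a separate field, then render rows in the "Fullname (as username)" style. `audit_entry()`, `render_entry()`, the array shapes and the sample names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration, not Moodle code: audit_entry(), render_entry() and the
// $session / $names array shapes are hypothetical stand-ins for $USER and user records.

/** Build a log row that keeps both identities instead of returning early. */
function audit_entry(array $session, string $module, string $action, string $info): array
{
    return [
        'time'       => time(),
        'userid'     => (int)($session['id'] ?? 0),   // effective (impersonated) user
        'realuserid' => !empty($session['realuser'])  // set only during "login as"
            ? (int)$session['realuser'] : null,
        'module'     => $module,
        'action'     => $action,
        'info'       => $info,
    ];
}

/** Render a row in the "Fullname (as username)" style proposed in the thread. */
function render_entry(array $row, array $names): string
{
    $actor = $row['realuserid'] ?? $row['userid'];
    $who = $names[$actor] ?? "user#$actor";
    if ($row['realuserid'] !== null && $row['realuserid'] !== $row['userid']) {
        $who .= ' (as ' . ($names[$row['userid']] ?? "user#{$row['userid']}") . ')';
    }
    return sprintf('Fullname=%s - Action=%s %s - Information=%s',
        $who, $row['module'], $row['action'], $row['info']);
}

// Constructed sample data: user 2 is support staff, user 7 is a student.
$names = [2 => 'Support Admin', 7 => 'StudentOne'];
$log = [
    audit_entry(['id' => 2], 'user', 'view', 'StudentOne'),
    audit_entry(['id' => 7, 'realuser' => 2], 'course', 'loginas', 'StudentOne'),
    audit_entry(['id' => 7, 'realuser' => 2], 'quiz', 'update', 'Quiz 1'),
    audit_entry(['id' => 2], 'course', 'view', 'Course page'),
];
foreach ($log as $row) {
    echo render_entry($row, $names), PHP_EOL;
}

// Audit query: rows written during a "login as" session, by real actor.
$impersonated = array_filter($log, fn(array $r): bool => $r['realuserid'] !== null);
printf("%d of %d rows were written while impersonating\n", count($impersonated), count($log));
```

          Because the effective user stays in `userid`, existing per-user reports keep working, while an auditor can filter on `realuserid` to list everything done under impersonation.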

          Johan Reinalda added a comment -

          This is a huge issue for us, and it seems hard to believe that this is not auditable.
          At the minimum, when "Login as" is clicked, this should trigger a log entry that the user is entering as someone else...

          I hope this makes it into 2.0

          Johan
          Thunderbird School of Global Management
          www.thunderbird.edu
          Moodle site: learning.thunderbird.edu

          Teresa Gibbison added a comment -

          We tweaked David's code a little and have this logging on our site now. The changes in lib/datalib.php are below (sorry I can't remember how to make a patch file!!). The screenshot of how this looks is attached.

          @@ -1873,8 +1873,16 @@ function add_to_log($courseid, $module, $action, $url='', $info='', $cm=0, $user
          if ($user)

          { $userid = $user; }

          else {

          • if (!empty($USER->realuser)) { // Don't log
          • return;
            + if (!empty($USER->realuser))
            Unknown macro: { // user is loggedinas another user+ if ($module && $action && is_numeric($info)) { + // calls to add_to_log generally pass object id only, we want full name tho so work out what field that is and fetch it + $ld = get_record('log_display', 'module', $module, 'action', $action); + $info = get_field($ld->mtable, $ld->field, 'id', $info); + }+ $info = '[loggedinas}

            else

            { + $userid = empty($USER->id) ? '0' : $USER->id; }

            $userid = empty($USER->id) ? '0' : $USER->id;
            }
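
          Review bot: in the added loggedinas branch, the result of `$ld = get_record('log_display', 'module', $module, 'action', $action);` is dereferenced as `$ld->mtable` and `$ld->field` without checking that a row was found; for a module/action pair with no log_display entry this passes empty table and field names to get_field, so guard it with `if ($ld)` and leave `$info` unchanged otherwise. The `is_numeric($info)` test also treats any numeric info string as an object id, which deserves a comment in the code. As pasted, the line beginning `$info = '[loggedinas}` is cut off by the wiki macro, so the part that sets `$userid` for the real user is not visible, and the unprefixed `$userid = empty($USER->id) ? '0' : $USER->id;` after the else block would overwrite it if that line is context rather than a removed line; attaching the change as a patch file would make this reviewable.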

          Teresa Gibbison added a comment -

          Screenshot relating to the code changes I posted in the comments 09/Apr/09

          Scott Krajewski added a comment -

          I noticed if I change the add_to_log line in loginas.php to the following
          add_to_log($course->id, "course", "loginas", "../user/view.php?id=$course->id&user=$userid", "$oldfullname -> $newfullname","",$olduserid);

          It shows up in my log that I did the loginas act. I just added $olduserid in the last field. Wouldn't this be a start?

          Aparup Banerjee added a comment -

          Added logging component (based on title containing 'logging' and some very quick human filtering).

          mikehas added a comment -

          One big vote here. Odd this hasn't been added. Based on the code in /course/loginas.php the intention was obviously to log this action. Indications of this action are available in the http logs, but it's inconvenient to pull from two sources for this info.

          mikehas added a comment -

          Affects MOODLE_23_STABLE, 2.3.3

          Peter Diedrichs added a comment -

          Agree, this is a big issue! "Log in as" is absolutely brilliant when working with support, but it MUST be logged, as well as all actions done in another user's name!

          Michael Hughes added a comment -

          We are starting to discover more issues like this and we need to be able to audit Moodle to find out what's going on!


            People

            • Votes: 9
            • Watchers: 14
