  1. Moodle
  2. MDL-14805

Add logging of activity when a user is logged in as another user

    Details

      Description

      When a user with the moodle/user:loginas capability logs in as another user and performs any activity, this activity is not logged. It would be nice if it was logged and clearly denoted in the logs as "X user logged in as Y user".

      This would probably mean rewriting the add_to_log function in some way - currently, it prevents logging if the userids are not the same.


              Activity

              mcampbell Matt Campbell added a comment -

              Discussed this concept briefly in MDL-13854, but it branches from the original intent of that issue and should be addressed separately.

              cttxg Teresa Gibbison added a comment -

              This is a real issue for us as we are often asked to close a Quiz or correct something for a teacher. Currently the logging stops at viewing the other user's profile and begins again on the page where you click your own name again.

              I'm wondering if at the very least we have a log item with 'Logged in as' so the logs for me logging in as StudentOne would be displayed as

                • Fullname=Teresa Gibbison - Action= user view - Information=StudentOne
                • Fullname=Teresa Gibbison - Action= log in as user - Information=StudentOne
                  ..then I do stuff as this user (that isn't logged)
                • Fullname=Teresa Gibbison - Action= log out as user - Information=StudentOne

              However, ideally it would be good if we could have all actions performed as that user logged similar to

                • Fullname=Teresa Gibbison - Action= user view - Information=StudentOne
                • Fullname=Teresa Gibbison - Action= log in as user - Information=StudentOne
                • Fullname=Teresa Gibbison (as username) - Action= view - Information=Course page
                  etc
                • Fullname=Teresa Gibbison - Action= log out as user - Information=StudentOne

              What are others' thoughts?
              Teresa

              stronk7 Eloy Lafuente (stronk7) added a comment -

              Uhm... while enabling that has some advantages... I can also see it as a feature now.

              Perhaps could be saved annotating the real user in new field as proposed... but that will cause a lot of reports/backup... to be hacked... uhm...

              ...assigning this to Martin to decide the final behaviour.

              Ciao

              dblackw David Blackwell added a comment -

              The code specifically seems to not want to log the loginas function as displayed in the add_to_log function:

                  if (!empty($USER->realuser)) {
                      // Don't log
                      return;
                  }

              I suggest changing the code to log the "loginas" feature as well as any tasks performed under loginas using this little tweak:

                  if (!empty($USER->realuser)) {
                      // special log as acting as someone else
                      $info .= " (loginas) > ".fullname($USER,true);
                      $userid=$USER->realuser;
                  } else {
                      $userid = empty($USER->id) ? '0' : $USER->id;
                  }
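
The comments above weigh two ways of recording "login as" activity: appending a marker to `$info`, or annotating the real user in a new field. This added PHP sketch, which is not Moodle code or any commenter's patch, shows the separate-field variant and why it keeps the impersonated user's own activity distinguishable. The row layout, function names and sample users are assumptions for illustration; only `id` and `realuser` mirror the `$USER` properties quoted in the thread.

```php
<?php
// Added illustration, not Moodle code. $user mirrors the thread's $USER:
// 'id' is the account being acted as, 'realuser' is set only during "login as".
function audit_row(array $user, string $action, string $info, int $now): array {
    $impersonating = !empty($user['realuser']);
    return [
        'time'       => $now,
        'userid'     => (int)($user['id'] ?? 0),   // effective account
        'realuserid' => $impersonating ? (int)$user['realuser'] : null,
        'action'     => $action,
        'info'       => $info,
    ];
}

// Render a row in the "X (as Y)" form requested in the thread.
function render_row(array $row, array $names): string {
    $effective = $names[$row['userid']] ?? ('user ' . $row['userid']);
    if ($row['realuserid'] === null) {
        $who = $effective;
    } else {
        $real = $names[$row['realuserid']] ?? ('user ' . $row['realuserid']);
        $who = "$real (as $effective)";
    }
    return sprintf('Fullname=%s - Action=%s - Information=%s',
                   $who, $row['action'], $row['info']);
}

// Everything one person did, under their own account or while acting as another.
function actions_by_person(array $log, int $personid): array {
    return array_values(array_filter($log, function (array $r) use ($personid): bool {
        return $r['realuserid'] === $personid
            || ($r['realuserid'] === null && $r['userid'] === $personid);
    }));
}

// Constructed sample: user 2 (support admin) logs in as user 7 (student).
$names = [2 => 'Support Admin', 7 => 'StudentOne'];
$admin = ['id' => 2];
$as    = ['id' => 7, 'realuser' => 2];
$log = [
    audit_row($admin, 'log in as user', 'StudentOne', 1000),
    audit_row($as, 'view', 'Course page', 1010),
    audit_row(['id' => 7], 'view', 'Course page', 1020), // the student's own visit
    audit_row($admin, 'log out as user', 'StudentOne', 1030),
];
foreach (actions_by_person($log, 2) as $row) {
    echo render_row($row, $names), "\n";
}
```

Because the real user is a field rather than text inside `$info`, the student's own course view is excluded from the admin's trail, and the admin's impersonated view is not attributed to the student alone.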

              johanr Johan Reinalda added a comment -

              This is a huge issue for us, and it seems hard to believe that this is not auditable.
              At the minimum, when "Login as" is clicked, this should trigger a log entry that the user is entering as someone else...

              I hope this makes it into 2.0

              Johan
              Thunderbird School of Global Management
              www.thunderbird.edu
              Moodle site: learning.thunderbird.edu

              cttxg Teresa Gibbison added a comment -

              We tweaked David's code a little and have this logging on our site now. The changes in lib/datalib.php are below (sorry I can't remember how to make a patch file!!). The screenshot of how this looks is attached.

              @@ -1873,8 +1873,16 @@ function add_to_log($courseid, $module, $action, $url='', $info='', $cm=0, $user
              if ($user)

              { $userid = $user; }

              else {

              • if (!empty($USER->realuser)) { // Don't log
              • return;
                + if (!empty($USER->realuser))
                Unknown macro: { // user is loggedinas another user+ if ($module && $action && is_numeric($info)) { + // calls to add_to_log generally pass object id only, we want full name tho so work out what field that is and fetch it + $ld = get_record('log_display', 'module', $module, 'action', $action); + $info = get_field($ld->mtable, $ld->field, 'id', $info); + }+ $info = '[loggedinas}

                else

                { + $userid = empty($USER->id) ? '0' : $USER->id; }

                $userid = empty($USER->id) ? '0' : $USER->id;
                }
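
Review bot: The `get_record('log_display', ...)` result is dereferenced without a check in the added `is_numeric($info)` branch: when there is no log_display row for the module/action pair, `$ld` is not an object, `get_field($ld->mtable, $ld->field, 'id', $info)` runs with an empty table and field, and the failed lookup overwrites the original numeric `$info`. Guard the lookup (for example `if ($ld && ...)`) and keep the original id when no name comes back. Treating every numeric `$info` as an object id is also a guess that can mislabel entries whose info is a number for another reason, and the lookup adds two queries to every logged action while logged in as another user. The pasted hunk is cut off at `$info = '[loggedinas`, so which id ends up in `$userid` for the logged-in-as case cannot be confirmed from the visible lines; the unmarked `$userid = empty($USER->id) ? '0' : $USER->id;` line after the new else block looks like it would override the branch above it, so please repost the change as a real patch file.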

              cttxg Teresa Gibbison added a comment -

              Screenshot relating to the code changes I posted in the comments 09/Apr/09

              krajewsk Scott Krajewski added a comment -

              I noticed if I change the add_to_log line in loginas.php to the following
              add_to_log($course->id, "course", "loginas", "../user/view.php?id=$course->id&user=$userid", "$oldfullname -> $newfullname","",$olduserid);

              It shows up in my log that I did the loginas act. I just added $olduserid in the last field. Wouldn't this be a start?

              nebgor Aparup Banerjee added a comment -

              Added logging component (based on title containing 'logging' and some very quick human filtering).

              mikehas mikehas added a comment -

              One big vote here. Odd this hasn't been added. Based on the code in /course/loginas.php the intention was obviously to log this action. Indications of this action are available in the http logs, but it's inconvenient to pull from two sources for this info.

              mikehas mikehas added a comment -

              Affects MOODLE_23_STABLE, 2.3.3

              cdipe Peter Diedrichs added a comment -

              Agree, this is a big issue! "Log in as" is absolutely brilliant when working with support, but it MUST be logged, as well as all actions done in another user's name!

              mhughes2k Michael Hughes added a comment -

              We are starting to discover more issues like this and we need to be able to audit Moodle to find out what's going on!

              markn Mark Nelson added a comment -

              Hi guys, this should no longer be an issue because of MDL-40043.

              markn Mark Nelson added a comment -

              This has been resolved in 2.6 and master. I am going to close this issue as 2.5 is for security fixes only.


                People

                • Votes: 9
                • Watchers: 15
