Improvement
Resolution: Fixed
Major
2.0.6, 2.1, 2.2, 3.1.1, 3.4
MOODLE_20_STABLE, MOODLE_21_STABLE, MOODLE_22_STABLE, MOODLE_31_STABLE, MOODLE_34_STABLE
MOODLE_34_STABLE
MDL-28574-master
3.4 Sprint 2, 3.4 Sprint 3
original description:
------------------
Admins should see webservice tokens for all users, regardless of who created the token. Currently the list is filtered by 'creatorid' == $USER->id in adminlib.php:admin_setting_managewebservicetokens->output_html().
I'm marking this as a security issue as it obscures external access routes from admin accounts.
------------------
correction to the description from skodak:
------------------
I think that nobody should see others' keys, it is like a password. If you use loginas the system knows it is not the user, but if you steal the key or password nobody would know. My -10 for disclosing other normal user keys and to prevent disclosure when logged-in-as. Resetting does not make sense either if you cannot gain access to the keys. There is one notable exception though: the webservice users cannot log in, so there must be a way for admin to set up and use the keys. My +1 to add capability to generate/reset/read keys for webservice users (because they cannot use normal login/UI).