Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-61939

The plugin lets you accept site policies when you logged in as someone else

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.4.2
    • Fix Version/s: 3.5
    • Component/s: Privacy
    • Labels:
    • Testing Instructions:
      Hide
      1. Login as an admin.
      2. Go to "Site administration / Privacy and policies / Policy settings"
      3. Set "Site policy handler" to "Policies (tool_policy)"
      4. Save changes.
      5. Go to "Site administration / Privacy and policies / Manage policies"
      6. Create a new policy and make this active.
      7. Open some user's profile
      8. Use the LOGIN AS functionality to log in as this user
      9. Accept the site policy agreement on behalf of the user
      10. View "Policies and agreements" in this user's profile.
      11. Confirm that it is indicated that the admin agreed on behalf of this user
      Show
      Login as an admin. Go to " Site administration / Privacy and policies / Policy settings " Set " Site policy handler " to "Policies (tool_policy)" Save changes. Go to " Site administration / Privacy and policies / Manage policies " Create a new policy and make this active. Open some user's profile Use the LOGIN AS functionality to log in as this user Accept the site policy agreement on behalf of the user View "Policies and agreements" in this user's profile. Confirm that it is indicated that the admin agreed on behalf of this user
    • Affected Branches:
      MOODLE_34_STABLE
    • Fixed Branches:
      MOODLE_35_STABLE
    • Pull Master Branch:
      wip-MDL-61939-master

      Description

      Hi All,

      I was playing with this new feature as we need to implement it soon. We keep logging in as our students, tutor, etc.

      Try this one:

      1. policies are ON
      2. create at least one user (student)
      3. login as admin
      4. find the student
      5. use the LOGIN AS functionality to log in as the student
      6. accept the site policy agreement on behalf of the student

      EXPECTED Behavior

      in the mdl_tool_policy_acceptances table

      userid = student/user id (the pretended one)

      usermodified = admin id (or whoever originally logged in)

      so later it looks like it was accepted ON BEHALF OF the student

      REALITY

      userid and usermodified are both the student's id, so it looks like the student logged in and accepted the policies which is not true at all

      nothing goes to the logs, so no one can tell if it was the real student or someone else, who had permission to log in as the student

      The other way would be even more accurate:

      if I logged in as someone else, I should not be able to accept the policy at all.

      I am sorry but I think this is a serious issue.

      Thanks

      Frank

        Attachments

          Activity

            People

            Assignee:
            marina Marina Glancy
            Reporter:
            lengyelke Ferenc Lengyel
            Peer reviewer:
            Sara Arjona (@sarjona)
            Integrator:
            Jun Pataleta
            Tester:
            Janelle Barcega
            Participants:
            Component watchers:
            Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              17/May/18

                Time Tracking

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 24 minutes
                24m