mahara-contributors team mailing list archive

[Bug 800032] Re: Session key not checked in admin/users/addtoinstitution.php

 

** Changed in: mahara/1.3
       Status: In Progress => Fix Released

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/800032

Title:
  Session key not checked in admin/users/addtoinstitution.php

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.3 series:
  Fix Released

Bug description:
  The addtoinstitution.php script, for adding users to institutions,
  doesn't check the user session key, & could be used to trick an admin
  into granting institution membership.

  Easiest fix is probably to remove the script and move its contents
  into a pieform submit function.  The script is linked to from the
  admin user search page when viewed by an institutional admin for users
  who have requested institution membership.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/800032/+subscriptions
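
The class of bug described above, as an added example that is not Mahara's code and not part of the original notification: a state-changing handler without a session key check, next to one that only acts on a POST carrying the key issued to the admin's session. All function names, array keys and sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; names are hypothetical, not Mahara's API.

// Issue one random key per login session and keep it server-side.
function issue_session_key(array &$session): string {
    if (!isset($session['sesskey'])) {
        $session['sesskey'] = bin2hex(random_bytes(16));
    }
    return $session['sesskey'];
}

// Simplified sketch of the flaw: any request that reaches the script
// while the admin is logged in changes membership.
function add_to_institution_unchecked(array $request, array &$members): bool {
    $members[$request['institution']][] = (int) $request['user'];
    return true;
}

// Hardened form: state changes only on POST with a matching session key.
function add_to_institution_checked(string $method, array $request,
                                    array $session, array &$members): bool {
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['sesskey'] ?? '';
    $supplied = $request['sesskey'] ?? '';
    // hash_equals() compares in constant time; reject missing or non-string keys.
    if ($expected === '' || !is_string($supplied)
        || !hash_equals($expected, $supplied)) {
        return false;
    }
    $members[$request['institution']][] = (int) $request['user'];
    return true;
}

// Constructed sample data: one request without the key, one with it.
$session = [];
$key     = issue_session_key($session);
$members = [];
$without_key = ['institution' => 'example', 'user' => '42'];
$with_key    = $without_key + ['sesskey' => $key];

var_dump(add_to_institution_checked('POST', $without_key, $session, $members));
var_dump(add_to_institution_checked('POST', $with_key, $session, $members));
var_dump($members);
```

Putting the action behind a form library's submit callback, as the report suggests, gives the same effect when that library validates the key before the callback runs.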