mahara-contributors team mailing list archive
Message #32872
[Bug 1546769] [NEW] The 'None' auth needs to be locked down more to avoid troubles with multi institutions
Public bug reported:
When there are multiple institutions/tenants on a Mahara and one of the
tenants decides to add the 'None' auth method to their institution, it
causes havoc for users on all institutions: if they accidentally enter
their login details wrong, they get logged in to the institution with 'None'
set, as a new user, rather than to their normal institution/account.
Things that need to be changed to avoid this problem:
1) When an institution tries to add the 'None' auth option, it needs to
check to see if there are any other institutions present and only allow
it if institution count = 1
2) Conversely, if the only institution uses 'None' auth, then you
shouldn't be allowed to add a new institution until that auth is removed
3) And when you are able to add "None", you should probably get some
prominent message with "Do you really want to do this? You know, it
means that anybody will be able to log in without any authorization"
Also, as part of this change, it would be very good to add a ctime (and
maybe userid) field to the auth_instance table to record when one
adds/edits auth details, to see when things changed, as this human error
can cause big problems for users.
** Affects: mahara
Importance: High
Assignee: Robert Lyon (robertl-9)
Status: In Progress
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1546769
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1546769/+subscriptions
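The three checks proposed in the report, plus the ctime/userid audit fields, sketched as an added example (not Mahara code and not part of the original message). The `Site` class, its method names and the in-memory records are hypothetical stand-ins for the institution and auth_instance tables.

```python
import time

# Simplified model of the three proposed rules; every name here is hypothetical.
class AuthConfigError(Exception): pass

class Site:
    def __init__(self):
        self.institutions = {}  # institution name -> list of auth instance records

    def add_institution(self, name):
        # Rule 2: refuse a new institution while an existing one uses 'None'.
        blockers = sorted(n for n, auths in self.institutions.items()
                          if any(a["method"] == "none" for a in auths))
        if blockers:
            raise AuthConfigError("remove 'None' auth from %s first" % ", ".join(blockers))
        self.institutions[name] = []

    def add_auth_instance(self, name, method, userid, confirmed=False, now=None):
        if method == "none":
            # Rule 1: 'None' is only allowed when institution count = 1.
            if len(self.institutions) != 1:
                raise AuthConfigError("'None' auth requires a single institution")
            # Rule 3: the administrator must acknowledge the warning first.
            if not confirmed:
                raise AuthConfigError("confirmation required")
        # Audit fields from the report: when the change was made and by whom.
        record = {"method": method, "userid": userid, "ctime": time.time() if now is None else now}
        self.institutions[name].append(record)
        return record

def attempt(fn, *args, **kwargs):
    # Run a configuration change and report "ok" or the refusal reason.
    try:
        fn(*args, **kwargs)
        return "ok"
    except AuthConfigError as exc:
        return str(exc)

def demo():
    multi = Site()                      # constructed two-tenant site
    multi.add_institution("alpha")
    multi.add_institution("beta")
    single = Site()                     # constructed single-tenant site
    single.add_institution("solo")
    return [
        attempt(multi.add_auth_instance, "beta", "none", userid=7, confirmed=True),
        attempt(single.add_auth_instance, "solo", "none", userid=7),
        attempt(single.add_auth_instance, "solo", "none", userid=7, confirmed=True, now=1000),
        attempt(single.add_institution, "gamma"),
    ]
```

`demo()` returns one outcome per attempted change: the multi-tenant request and the unconfirmed request are refused, the confirmed single-tenant request succeeds, and adding a second institution is then blocked.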
Follow ups
-
[Bug 1546769] Re: The 'None' auth needs to be locked down or removed to avoid troubles with multi institutions
From: Robert Lyon, 2017-10-30
-
[Bug 1546769] Re: The 'None' auth needs to be locked down or removed to avoid troubles with multi institutions
From: Robert Lyon, 2017-10-30
-
[Bug 1546769] Re: The 'None' auth needs to be locked down or removed to avoid troubles with multi institutions
From: Robert Lyon, 2017-10-30
-
[Bug 1546769] Re: The 'None' auth needs to be locked down or removed to avoid troubles with multi institutions
From: Robert Lyon, 2017-10-30
-
[Bug 1546769] A change has been merged
From: Mahara Bot, 2017-10-23
-
[Bug 1546769] A patch has been submitted for review
From: Mahara Bot, 2017-10-23
-
[Bug 1546769] A change has been merged
From: Mahara Bot, 2017-10-23
-
[Bug 1546769] A patch has been submitted for review
From: Mahara Bot, 2017-10-23
-
[Bug 1546769] A patch has been submitted for review
From: Mahara Bot, 2017-10-23
-
[Bug 1546769] A change has been merged
From: Mahara Bot, 2017-10-23
-
[Bug 1546769] A change has been merged
From: Mahara Bot, 2017-10-23
-
[Bug 1546769] A patch has been submitted for review
From: Mahara Bot, 2017-10-23
-
[Bug 1546769] A change has been merged
From: Mahara Bot, 2017-10-23
-
[Bug 1546769] A patch has been submitted for review
From: Mahara Bot, 2017-10-23
-
[Bug 1546769] Re: The 'None' auth needs to be locked down or removed to avoid troubles with multi institutions
From: Kristina Hoeppner, 2017-10-22
-
[Bug 1546769] A change has been merged
From: Mahara Bot, 2017-09-20
-
[Bug 1546769] Re: The 'None' auth needs to be locked down or removed to avoid troubles with multi institutions
From: Robert Lyon, 2017-09-20
-
[Bug 1546769] A change has been merged
From: Mahara Bot, 2017-09-20
-
[Bug 1546769] A change has been merged
From: Mahara Bot, 2017-09-20
-
[Bug 1546769] A patch has been submitted for review
From: Mahara Bot, 2017-09-20
-
[Bug 1546769] A patch has been submitted for review
From: Mahara Bot, 2017-09-20
-
[Bug 1546769] A patch has been submitted for review
From: Mahara Bot, 2017-09-20
-
[Bug 1546769] A change has been merged
From: Mahara Bot, 2017-09-20
-
[Bug 1546769] Re: The 'None' auth needs to be locked down or removed to avoid troubles with multi institutions
From: Robert Lyon, 2017-09-20
-
[Bug 1546769] A patch has been submitted for review
From: Mahara Bot, 2017-09-18
-
[Bug 1546769] A patch has been submitted for review
From: Mahara Bot, 2017-09-18
-
[Bug 1546769] Re: The 'None' auth needs to be locked down or removed to avoid troubles with multi institutions
From: Robert Lyon, 2017-09-18
-
[Bug 1546769] Re: The 'None' auth needs to be locked down or removed to avoid troubles with multi institutions
From: Robert Lyon, 2017-09-04
-
[Bug 1546769] Re: The 'None' auth needs to be locked down or removed to avoid troubles with multi institutions
From: Kristina Hoeppner, 2017-03-20
-
[Bug 1546769] Re: The 'None' auth needs to be locked down or removed to avoid troubles with multi institutions
From: Robert Lyon, 2016-11-07
-
[Bug 1546769] Re: The 'None' auth needs to be locked down more to avoid troubles with multi institutions
From: Aaron Wells, 2016-02-18
-
[Bug 1546769] Re: The 'None' auth needs to be locked down more to avoid troubles with multi institutions
From: Aaron Wells, 2016-02-18