mahara-contributors team mailing list archive

[Robert Lyon <robertl@xxxxxxxxxxxxxxx>]

** Changed in: mahara/18.10
       Status: Fix Committed => Fix Released

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1817221

Title:
  A site admin can access Mahara 'root' user and break the site

Status in Mahara:
  Fix Released
Status in Mahara 17.10 series:
  Fix Released
Status in Mahara 18.04 series:
  Fix Released
Status in Mahara 18.10 series:
  Fix Released
Status in Mahara 19.04 series:
  Fix Released

Bug description:
  A site admin can break the site by suspending the 'root' user

  To replicate:

  1) Login in as a site admin
  2) Go to Administration -> Users -> User search  (admin/users/search.php)
  3) Click on the 'username' link of any user
  4) Change the url and make the id= part equal to 0 (eg admin/users/edit.php?id=0)

  You now can see information for the hidden 'root' user

  5) Suspend the user
  6) Logout
  7) Login again and you get something like

  Mahara: Site unavailable
  Something in the way you're interacting with Mahara is causing an error.
  Details if any, follow:

  Your account has been suspended as of 2019-02-22 10:56:34.<br />The
  reason for your suspension is: Bad mojo

  Things to fix:
  1) Not allow anyone see the the mahara 'root' user via the admin/users/edit.php page
  2) Make sure systems that suspend a user, eg rejecting consent to privacy statement can't suspend 'root' user

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1817221/+subscriptions