
mahara-contributors team mailing list archive

[Bug 1857275] [NEW] Prevent LMS admin continue masquerading when using LTI

 

Public bug reported:

Based on
https://mahara.org/interaction/forum/topic.php?id=8560&post=34143

When we used MNet, a Moodle admin could not masquerade as a learner in
Moodle and be taken through to Mahara. Now with LTI, an LMS admin can
stay masquerading and see the portfolios of the person they are
masquerading as.

Is there a possibility to prevent masquerading admins from gaining
access to the portfolio account? Could this be done on the Mahara end as
we do not control the LMS?

This is an investigation into the possibilities at this stage to
determine what - if anything - we can change about the behavior.

To replicate:

1. Connect Moodle / Totara / Canvas with Mahara via LTI.
2. Create 2 accounts in the LMS (1 admin, 1 learner) and log in to Mahara via both.
3. As admin set up an activity to log in to the LMS.
4. Log in as admin on the LMS and masquerade as learner and click the activity link to go to Mahara.
Desired result: Masquerading admin gets warning saying that they can't masquerade and enter Mahara.
Actual result: Masquerading admin can enter the portfolio account.

** Affects: mahara
     Importance: Undecided
         Status: New


** Tags: privacy

https://bugs.launchpad.net/bugs/1857275
