mahara-contributors team mailing list archive
Message #64129
[Bug 1930469] A change has been merged
Reviewed: https://reviews.mahara.org/12188
Committed: https://git.mahara.org/mahara/mahara/commit/2209dbdaf1754347884f7b4bfac055b666eec368
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch: 20.10_STABLE
commit 2209dbdaf1754347884f7b4bfac055b666eec368
Author: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
Date: Wed Jun 2 14:26:55 2021 +1200
Security Bug 1930469: Forcing the authenticated user to be logged out
If there is an error in webservice
Change-Id: Ic827da3a385aa14f0a342aaf67b509efac154ad4
Signed-off-by: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
(cherry picked from commit 9e405b25c718bbfbb03e4d30b50cc5e71b34da48)
(cherry picked from commit e85a2fedbbd3c825dc73cf903e641b9a117bd9e4)
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1930469
Title:
Need to kill web service authentication session at end of process
Status in Mahara:
Fix Released
Status in Mahara 20.04 series:
Fix Released
Status in Mahara 20.10 series:
Fix Released
Status in Mahara 21.04 series:
Fix Released
Bug description:
Currently when a token based webservice is called it authenticates
the owner of the token on the Mahara end so that any functions called
by the service can only be executed if the authenticated token owner
can run those functions.
One of the problems with the current setup is we don't then kill the
session of this token owner when the webservice call is completed.
This means if one hits a site with a crafted URL containing a valid
token but no webservice function they will get an error message page,
but if they then go to the home page of the site they will find they
are logged in as the token owner.
In the webservice_base_server class there is the run() method that
goes through the steps to do a webservice call and the last part is
calling $this->session_cleanup();
And in that method there is nothing to actually handle the logging out of
that session.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1930469/+subscriptions
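To make the session-lifecycle point of the bug report concrete, here is an added illustration in PHP. It is not Mahara's code and does not use Mahara's classes: the `Session` store, the token table, the single exposed function `ping`, and the class names `VulnerableServer` / `FixedServer` are all constructed for this example. It models the shape the report describes (token authenticates its owner into the session, `session_cleanup()` is the last step of `run()` but ends no session) next to the shape a defender wants (cleanup runs on every path, including the error path, and actually ends the session).

```php
<?php
// Added illustration, not Mahara's code: a minimal token-authenticated
// webservice dispatcher showing why the token owner's session must be ended
// even when the call fails. Everything here is constructed for the example.

// Constructed token table: token => owner username.
const TOKENS = ['s3cr3t-token-abc' => 'alice'];

// Constructed stand-in for a server-side session store.
final class Session {
    private array $data = [];
    public function login(string $user): void { $this->data['user'] = $user; }
    public function user(): ?string { return $this->data['user'] ?? null; }
    public function destroy(): void { $this->data = []; }
}

abstract class BaseServer {
    public function __construct(protected Session $session) {}

    // Authenticate the token owner into the session (the step the report describes).
    protected function authenticate(string $token): void {
        $owner = TOKENS[$token] ?? null;
        if ($owner === null) {
            throw new RuntimeException('Invalid token');
        }
        $this->session->login($owner);
    }

    // Hypothetical: 'ping' is the only function this toy server exposes.
    protected function dispatch(string $function): string {
        if ($function !== 'ping') {
            throw new RuntimeException("Unknown function: $function");
        }
        return 'pong for ' . $this->session->user();
    }

    abstract public function run(string $token, string $function): string;
}

// Shape of the bug report: session_cleanup() is the last step of run(),
// so it is never reached when dispatch() throws, and even when it is
// reached it does nothing to end the session.
final class VulnerableServer extends BaseServer {
    public function run(string $token, string $function): string {
        $this->authenticate($token);
        $result = $this->dispatch($function);
        $this->session_cleanup();
        return $result;
    }
    protected function session_cleanup(): void {
        // nothing here logs the token owner out
    }
}

// Hardened shape: cleanup runs on success and on error, and ends the session.
final class FixedServer extends BaseServer {
    public function run(string $token, string $function): string {
        try {
            $this->authenticate($token);
            return $this->dispatch($function);
        } finally {
            $this->session_cleanup();
        }
    }
    protected function session_cleanup(): void {
        $this->session->destroy();
    }
}

// Call each server with a valid token but a non-existent function (the
// crafted-URL case from the report) and check whether the session that a
// browser would keep is still authenticated afterwards.
function stillLoggedInAfterError(BaseServer $server, Session $session): bool {
    try {
        $server->run('s3cr3t-token-abc', 'no_such_function');
    } catch (RuntimeException $e) {
        // an error page would be rendered here
    }
    return $session->user() !== null;
}

$s1 = new Session();
printf("vulnerable: still logged in after error = %s\n",
    stillLoggedInAfterError(new VulnerableServer($s1), $s1) ? 'yes' : 'no');

$s2 = new Session();
printf("fixed:      still logged in after error = %s\n",
    stillLoggedInAfterError(new FixedServer($s2), $s2) ? 'yes' : 'no');
```

The useful check when reviewing a fix of this kind is the one `stillLoggedInAfterError()` performs: after a request that carries a valid token but fails before or during dispatch, the session cookie the client holds must no longer resolve to the token owner. Putting the cleanup in a `finally` block rather than as the last statement of `run()` is what guarantees that for every exit path.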